Ensure secret is loaded

Author: cezudas

packages/server/shared/src/lib/security/encryption.ts

@@ -14,6 +14,21 @@ let secret: string | null;
 const algorithm = 'aes-256-cbc';
 const ivLength = 16;
 
+function ensureSecretLoaded(): void {
+  if (isNil(secret)) {
+    const loadedSecret = system.get(AppSystemProp.ENCRYPTION_KEY);
+    if (loadedSecret) {
+      secret = loadedSecret;
+      logger.debug('Encryption key loaded via ensureSecretLoaded()');
+    } else {
+      logger.warn(
+        'Encryption key not found in system properties when ensureSecretLoaded() was called. ' +
+          'This may indicate an issue with the Lambda environment or OPS_ENCRYPTION_KEY not being set.',
+      );
+    }
+  }
+}
+
 const loadEncryptionKey = async (
   queueMode: QueueMode,
 ): Promise<string | null> => {
@@ -45,6 +60,7 @@ const generateAndStoreSecret = async (): Promise<string> => {
 };
 
 function encryptString(inputString: string): EncryptedObject {
+  ensureSecretLoaded();
   const iv = crypto.randomBytes(ivLength); // Generate a random initialization vector
   assertNotNullOrUndefined(secret, 'secret');
   const key = Buffer.from(secret, 'binary');
@@ -63,6 +79,7 @@ function encryptObject(object: unknown): EncryptedObject {
 }
 
 function encryptBuffer(inputBuffer: Buffer): EncryptedObject {
+  ensureSecretLoaded();
   const iv = crypto.randomBytes(ivLength);
   assertNotNullOrUndefined(secret, 'secret');
   const key = Buffer.from(secret, 'binary');
@@ -76,6 +93,7 @@ function encryptBuffer(inputBuffer: Buffer): EncryptedObject {
 }
 
 function decryptObject<T>(encryptedObject: EncryptedObject): T {
+  ensureSecretLoaded();
   const iv = Buffer.from(encryptedObject.iv, 'hex');
   assertNotNullOrUndefined(secret, 'secret');
   const key = Buffer.from(secret, 'binary');
@@ -86,6 +104,7 @@ function decryptObject<T>(encryptedObject: EncryptedObject): T {
 }
 
 function decryptBuffer(encryptedObject: EncryptedObject): Buffer {
+  ensureSecretLoaded();
   const iv = Buffer.from(encryptedObject.iv, 'hex');
   assertNotNullOrUndefined(secret, 'secret');
   const key = Buffer.from(secret, 'binary');
@@ -97,6 +116,7 @@ function decryptBuffer(encryptedObject: EncryptedObject): Buffer {
 }
 
 function decryptString(encryptedObject: EncryptedObject): string {
+  ensureSecretLoaded();
   const iv = Buffer.from(encryptedObject.iv, 'hex');
   assertNotNullOrUndefined(secret, 'secret');
   const key = Buffer.from(secret, 'binary');
@@ -107,6 +127,7 @@ function decryptString(encryptedObject: EncryptedObject): string {
 }
 
 function get16ByteKey(): string {
+  ensureSecretLoaded();
   assertNotNullOrUndefined(secret, 'secret is not defined');
   return secret;
 }