Skip to content

fix: keep apiKey encrypted in refresh operation (#13063) #13177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 29, 2025
Merged

fix: keep apiKey encrypted in refresh operation (#13063) #13177

merged 1 commit into from
Jul 29, 2025

Conversation

contip
Copy link
Contributor

@contip contip commented Jul 15, 2025

What?

Prevents decrypted apiKey from being saved back to database on the auth refresh operation.

Why?

References issue #13063: refreshing a token for a logged-in user decrypted apiKey and wrote it back in plaintext, corrupting the user record.

How?

The user is now fetched with db.findOne instead of findByID, preserving the encryption of the key when saved back to the database using db.updateOne. The user record is then re-fetched using findByID, allowing for the decrypted key to be provided in the response.

Tests

  • ✅ keeps apiKey encrypted in DB after refresh
  • ✅ returns user with decrypted apiKey after refresh

Fixes #13063

@contip contip force-pushed the fix/refresh-keeps-apiKey-encrypted branch from 91b6997 to c76b5c2 Compare July 15, 2025 17:23
@contip contip changed the title fix(auth): keep apiKey encrypted in refresh operation (#13063) fix: keep apiKey encrypted in refresh operation (#13063) Jul 15, 2025
@andershermansen
Copy link
Contributor

andershermansen commented Jul 28, 2025
edited
Loading

@contip I created a PR in your repo to simplify this fix. It just leaves out the ...user and just updates the session. I think that fix is simpler and avoids the double find. See https://github.com/contip/payload/pull/1/files

Removed as this does not work with drizzle/sql, only for mongodb.

@andershermansen andershermansen mentioned this pull request Jul 28, 2025
Closed
@contip
Copy link
Contributor Author

contip commented Jul 28, 2025

@contip I created a PR in your repo to simplify this fix. It just leaves out the ...user and just updates the session. I think that fix is simpler and avoids the double find. See https://github.com/contip/payload/pull/1/files

Removed as this does not work with drizzle/sql, only for mongodb.

Yes, I noticed the issue with db.updateOne when looking at this initially, which is why I had to do it like this. I wish this would get reviewed, as this issue affects my production app!

@DanRibbens DanRibbens enabled auto-merge (squash) July 29, 2025 19:24
@DanRibbens DanRibbens disabled auto-merge July 29, 2025 20:27
@DanRibbens DanRibbens merged commit b1fa76e into payloadcms:main Jul 29, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DanRibbens DanRibbens DanRibbens approved these changes

@JarrodMFlesch JarrodMFlesch JarrodMFlesch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Invalid initialization vector when set Api Key on user
4 participants
@contip @andershermansen @DanRibbens @JarrodMFlesch