v1.1.0-beta.066 - fix(security): decrypt enc:v2 secret settings on read (ComicVine/Prowlarr/etc. keys broken since beta.058)
Secret settings saved after the GCM migration weren't decrypting on read
- beta.058 moved encryptSecret to AES-256-GCM (enc:v2:), but the read-side auto-decrypt extension in db.ts and the db-init boot-migration guards still only recognized enc:v1: (CBC). So every secret SystemSetting saved since then (cv_api_key, prowlarr_key, metron_pass, smtp_pass, oidc_client_secret, pushover_token, telegram_bot_token, apprise_url) was stored as enc:v2: and handed to consumers as the raw encrypted blob. On a fresh database (all values v2) the ComicVine key (and the rest) simply never worked; on an existing install, re-saving any secret broke it too. decryptSecret already handled both formats; only these prefix gates were missed.
- db.ts: the decrypt-on-read extension now decrypts any enc:-prefixed secret-key value (enc:v1: CBC + enc:v2: GCM).
- db-init.ts: the boot-time encrypt-at-rest guards (download-client/hoster creds + SystemSetting secrets) now skip enc:v1:/enc:v2:, so v2 values aren't needlessly re-written every boot.
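As an added illustration (not the project's own code), a TypeScript sketch of the gate described above: decryptSecret handles both formats, the pre-fix read gate only let enc:v1: reach it, and the fixed gate keys on the enc: prefix, while the boot guard skips both formats. The wire layouts, key derivation and the SECRET_KEYS set are assumptions for the demo.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";
const KEY = createHash("sha256").update("constructed-demo-key").digest(); // constructed demo key, not the project's
// Settings whose values are encrypted at rest (names taken from the release note).
const SECRET_KEYS = new Set(["cv_api_key", "prowlarr_key", "smtp_pass", "oidc_client_secret"]);
// Assumed wire formats (hypothetical, not necessarily the project's exact layout):
//   enc:v1:<iv hex>:<ciphertext hex>             AES-256-CBC (legacy)
//   enc:v2:<iv hex>:<tag hex>:<ciphertext hex>   AES-256-GCM (since beta.058)
export function encryptV1(plain: string): string {
  const iv = randomBytes(16);
  const c = createCipheriv("aes-256-cbc", KEY, iv);
  const ct = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return `enc:v1:${iv.toString("hex")}:${ct.toString("hex")}`;
}
export function encryptV2(plain: string): string {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", KEY, iv);
  const ct = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return `enc:v2:${iv.toString("hex")}:${c.getAuthTag().toString("hex")}:${ct.toString("hex")}`;
}
// decryptSecret understands both formats; the bug was only in the callers' prefix checks.
export function decryptSecret(value: string): string {
  if (value.startsWith("enc:v2:")) {
    const [iv, tag, ct] = value.slice(7).split(":").map((h) => Buffer.from(h, "hex"));
    const d = createDecipheriv("aes-256-gcm", KEY, iv);
    d.setAuthTag(tag); // a tampered tag or ciphertext makes final() throw
    return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
  }
  if (value.startsWith("enc:v1:")) {
    const [iv, ct] = value.slice(7).split(":").map((h) => Buffer.from(h, "hex"));
    const d = createDecipheriv("aes-256-cbc", KEY, iv);
    return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
  }
  throw new Error("unrecognized secret format");
}
export interface SettingRow { key: string; value: string }
// Read-side gate after the fix: any enc:-prefixed value of a secret key is decrypted; plaintext
// and non-secret keys pass through, and a decrypt failure returns the row unchanged.
export function decryptSettingRow(row: SettingRow): SettingRow {
  if (!SECRET_KEYS.has(row.key) || !row.value.startsWith("enc:")) return row;
  try { return { ...row, value: decryptSecret(row.value) }; } catch { return row; }
}
// The pre-fix gate, kept for contrast: it only recognised enc:v1:, so a v2 blob was handed out raw.
export function decryptSettingRowBuggy(row: SettingRow): SettingRow {
  if (!SECRET_KEYS.has(row.key) || !row.value.startsWith("enc:v1:")) return row;
  return { ...row, value: decryptSecret(row.value) };
}
// Boot-time encrypt-at-rest guard: only a value in neither format needs rewriting.
export function needsEncryptAtRest(value: string): boolean {
  return !value.startsWith("enc:v1:") && !value.startsWith("enc:v2:");
}
```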
Tests
- db: new decryptSettingRow tests: they decrypt v2 and v1 secret-key values, pass plaintext / non-secret keys through, and return the row unchanged on a decrypt failure.
Verification
- tsc clean; eslint . 0 errors; vitest 288 passed (+6)