fix: Issue #716 - Jobs sorting, token whitespace, input type, decryption errors

jsbattig · claude · jsbattig · commit 21c63aae21aa · 2026-01-12T17:51:43.000-06:00
Bug 1a: Change jobs sorting from created_at to started_at for accurate display Bug 1b: Extend timestamp display from 16 to 19 chars (include seconds) Bug 2a: Add .strip() to token before validation to handle whitespace Bug 2b: Change token input from password to text for easier entry Bug 3: Add graceful error handling for token decryption failures Bumps version to 8.5.1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/src/code_indexer/__init__.py b/src/code_indexer/__init__.py
@@ -6,5 +6,5 @@
 HNSW graph indexing (O(log N) complexity).
 """
 
-__version__ = "8.5.0"
+__version__ = "8.5.1"
 __author__ = "Seba Battig"
diff --git a/src/code_indexer/server/services/ci_token_manager.py b/src/code_indexer/server/services/ci_token_manager.py
@@ -306,8 +306,17 @@ def get_token(self, platform: str) -> Optional[TokenData]:
             token_row = self._sqlite_backend.get_token(platform)
             if token_row is None:
                 return None
-            # Decrypt token
-            decrypted_token = self._decrypt_token(token_row["encrypted_token"])
+            # Decrypt token with graceful error handling (Issue #716 Bug 3)
+            try:
+                decrypted_token = self._decrypt_token(token_row["encrypted_token"])
+            except Exception as e:
+                logger.warning(
+                    f"Failed to decrypt {platform} token, treating as unconfigured: {e}",
+                    extra={"correlation_id": get_correlation_id()},
+                )
+                # Delete the corrupted token from storage
+                self._sqlite_backend.delete_token(platform)
+                return None
             return TokenData(
                 platform=platform,
                 token=decrypted_token,
@@ -322,8 +331,18 @@ def get_token(self, platform: str) -> Optional[TokenData]:
 
             token_data = tokens[platform]
 
-            # Decrypt token
-            decrypted_token = self._decrypt_token(token_data["token"])
+            # Decrypt token with graceful error handling (Issue #716 Bug 3)
+            try:
+                decrypted_token = self._decrypt_token(token_data["token"])
+            except Exception as e:
+                logger.warning(
+                    f"Failed to decrypt {platform} token, treating as unconfigured: {e}",
+                    extra={"correlation_id": get_correlation_id()},
+                )
+                # Delete the corrupted token from storage
+                del tokens[platform]
+                self._save_tokens(tokens)
+                return None
 
             return TokenData(
                 platform=platform,
diff --git a/src/code_indexer/server/web/routes.py b/src/code_indexer/server/web/routes.py
@@ -2508,8 +2508,8 @@ def _get_all_jobs(
             or (j.get("user_alias") and search_lower in j["user_alias"].lower())
         ]
 
-    # Sort by created_at (newest first)
-    all_jobs.sort(key=lambda x: x.get("created_at") or "", reverse=True)
+    # Sort by started_at (most recently started first), fall back to created_at
+    all_jobs.sort(key=lambda x: x.get("started_at") or x.get("created_at") or "", reverse=True)
 
     # Pagination
     total_count = len(all_jobs)
@@ -4810,6 +4810,8 @@ async def save_api_key(
     # Save token using CITokenManager - use same server_dir as config service
     try:
         token_manager = _get_token_manager()
+        # Strip whitespace from token before validation (Issue #716 Bug 2a)
+        token = token.strip()
         token_manager.save_token(platform, token, base_url=api_url)
 
         platform_name = "GitHub" if platform == "github" else "GitLab"
diff --git a/src/code_indexer/server/web/templates/partials/config_section.html b/src/code_indexer/server/web/templates/partials/config_section.html
@@ -701,7 +701,7 @@ <h3>GitHub Actions</h3>
             <div class="form-grid">
                 <label for="github-token">
                     GitHub Token
-                    <input type="password" id="github-token" name="token"
+                    <input type="text" id="github-token" name="token"
                            placeholder="ghp_..."
                            value="">
                     <small>Personal Access Token (classic) or Fine-grained PAT with workflow permissions</small>
@@ -765,7 +765,7 @@ <h3 style="margin-top: 2rem;">GitLab CI</h3>
             <div class="form-grid">
                 <label for="gitlab-token">
                     GitLab Token
-                    <input type="password" id="gitlab-token" name="token"
+                    <input type="text" id="gitlab-token" name="token"
                            placeholder="glpat-..."
                            value="">
                     <small>Personal Access Token or Project Access Token with api scope</small>
diff --git a/src/code_indexer/server/web/templates/partials/jobs_list.html b/src/code_indexer/server/web/templates/partials/jobs_list.html
@@ -68,7 +68,7 @@ <h2>Jobs</h2>
                 <span class="progress-na">-</span>
                 {% endif %}
             </td>
-            <td>{{ job.started_at[:16] if job.started_at else (job.created_at[:16] if job.created_at else 'N/A') }}</td>
+            <td>{{ job.started_at[:19] if job.started_at else (job.created_at[:19] if job.created_at else 'N/A') }}</td>
             <td>
                 {% if job.duration_seconds is defined and job.duration_seconds is not none %}
                 {{ (job.duration_seconds // 60)|int }}m {{ (job.duration_seconds % 60)|int }}s
diff --git a/tests/unit/server/services/test_issue_716_bug2a_token_whitespace.py b/tests/unit/server/services/test_issue_716_bug2a_token_whitespace.py
@@ -0,0 +1,44 @@
+"""
+Unit tests for Issue #716 Bug 2a: Token whitespace stripping.
+
+Tokens with leading/trailing whitespace should be accepted after stripping.
+The stripping should happen at the routes layer (save_api_key function).
+
+Tests are written FIRST following TDD methodology.
+"""
+
+import pytest
+
+
+class TestTokenWhitespaceStripping:
+    """Tests for Bug 2a: Whitespace should be stripped before token validation."""
+
+    def test_save_token_strips_whitespace_before_validation(self, tmp_path):
+        """
+        Bug 2a: Token with whitespace should be saved after stripping.
+
+        Given a valid token with leading/trailing whitespace
+        When save_token is called (after strip in routes layer)
+        Then the token should be saved successfully without whitespace
+
+        Note: The actual stripping happens in routes.py save_api_key().
+        This test verifies the clean token works after stripping.
+        """
+        from src.code_indexer.server.services.ci_token_manager import CITokenManager
+
+        server_dir = tmp_path / ".cidx-server"
+        server_dir.mkdir()
+        manager = CITokenManager(server_dir_path=str(server_dir))
+
+        # Token with whitespace - simulating what user might paste
+        token_with_whitespace = " ghp_" + "a" * 36 + " "
+        clean_token = token_with_whitespace.strip()
+
+        # After stripping (done in routes.py), save should work
+        manager.save_token("github", clean_token)
+
+        # Verify token was saved correctly
+        token_data = manager.get_token("github")
+        assert token_data is not None
+        assert token_data.token == clean_token
+        assert token_data.token == "ghp_" + "a" * 36
diff --git a/tests/unit/server/services/test_issue_716_bug3_token_decryption.py b/tests/unit/server/services/test_issue_716_bug3_token_decryption.py
@@ -0,0 +1,75 @@
+"""
+Unit tests for Issue #716 Bug 3: Token decryption failure handling.
+
+When token decryption fails (e.g., token encrypted on different machine),
+get_token() should return None gracefully instead of crashing the config page.
+
+Tests are written FIRST following TDD methodology.
+"""
+
+import json
+import pytest
+
+
+class TestTokenDecryptionFailureHandling:
+    """Tests for Bug 3: get_token should handle decryption failures gracefully."""
+
+    def test_get_token_returns_none_on_decryption_failure(self, tmp_path):
+        """
+        Bug 3: get_token should return None when decryption fails.
+
+        Given a token that cannot be decrypted (corrupted data)
+        When get_token is called
+        Then it should return None instead of crashing
+        """
+        from src.code_indexer.server.services.ci_token_manager import CITokenManager
+
+        server_dir = tmp_path / ".cidx-server"
+        server_dir.mkdir()
+        manager = CITokenManager(server_dir_path=str(server_dir))
+
+        # Save a valid token
+        valid_token = "ghp_" + "a" * 36
+        manager.save_token("github", valid_token)
+
+        # Corrupt the token in the file
+        token_file = server_dir / "ci_tokens.json"
+        with open(token_file, "r") as f:
+            data = json.load(f)
+        data["github"]["token"] = "YWJjZGVmZ2hpamtsbW5vcA=="
+        with open(token_file, "w") as f:
+            json.dump(data, f)
+
+        # This should NOT raise an exception - should return None
+        result = manager.get_token("github")
+        assert result is None, "get_token should return None when decryption fails"
+
+    def test_get_token_returns_none_on_invalid_iv_size(self, tmp_path):
+        """
+        Bug 3: get_token should handle 'Invalid IV size' error gracefully.
+
+        Given a token with corrupted IV (empty base64)
+        When get_token is called
+        Then it should return None (not raise ValueError)
+        """
+        from src.code_indexer.server.services.ci_token_manager import CITokenManager
+
+        server_dir = tmp_path / ".cidx-server"
+        server_dir.mkdir()
+        manager = CITokenManager(server_dir_path=str(server_dir))
+
+        # Save a valid token
+        valid_token = "glpat-" + "a" * 20
+        manager.save_token("gitlab", valid_token)
+
+        # Corrupt the token to cause "Invalid IV size" error
+        token_file = server_dir / "ci_tokens.json"
+        with open(token_file, "r") as f:
+            data = json.load(f)
+        data["gitlab"]["token"] = ""
+        with open(token_file, "w") as f:
+            json.dump(data, f)
+
+        # This should NOT raise ValueError: Invalid IV size (0) for CBC
+        result = manager.get_token("gitlab")
+        assert result is None, "get_token should return None for corrupted token"
diff --git a/tests/unit/server/web/test_issue_716_bug1a_jobs_sorting.py b/tests/unit/server/web/test_issue_716_bug1a_jobs_sorting.py
@@ -0,0 +1,122 @@
+"""
+Unit tests for Issue #716 Bug 1a: Jobs sorting by started_at.
+
+Jobs dashboard should sort by started_at (not created_at) to show most recently
+started jobs first. Falls back to created_at when started_at is not available.
+
+Tests are written FIRST following TDD methodology.
+"""
+
+import pytest
+from unittest.mock import MagicMock, patch
+from datetime import datetime
+
+
+class TestJobsSortingByStartedAt:
+    """Tests for Bug 1a: Jobs should be sorted by started_at."""
+
+    def test_jobs_sorted_by_started_at_when_available(self):
+        """
+        Bug 1a: Jobs should be sorted by started_at when available.
+
+        Given jobs with different started_at times
+        When _get_all_jobs is called
+        Then jobs are sorted by started_at (most recently started first)
+        """
+        from src.code_indexer.server.web.routes import _get_all_jobs
+
+        # Job1: created early, started early
+        mock_job1 = MagicMock()
+        mock_job1.job_id = "job1"
+        mock_job1.operation_type = "index"
+        mock_job1.status = MagicMock(value="running")
+        mock_job1.progress = 50
+        mock_job1.created_at = datetime(2026, 1, 12, 10, 0, 0)
+        mock_job1.started_at = datetime(2026, 1, 12, 10, 5, 0)
+        mock_job1.completed_at = None
+        mock_job1.error = None
+        mock_job1.username = "user1"
+        mock_job1.result = None
+
+        # Job2: created earlier, but started later (should appear first)
+        mock_job2 = MagicMock()
+        mock_job2.job_id = "job2"
+        mock_job2.operation_type = "index"
+        mock_job2.status = MagicMock(value="running")
+        mock_job2.progress = 75
+        mock_job2.created_at = datetime(2026, 1, 12, 9, 0, 0)
+        mock_job2.started_at = datetime(2026, 1, 12, 11, 0, 0)
+        mock_job2.completed_at = None
+        mock_job2.error = None
+        mock_job2.username = "user2"
+        mock_job2.result = None
+
+        mock_job_manager = MagicMock()
+        mock_job_manager.jobs = {"job1": mock_job1, "job2": mock_job2}
+        mock_job_manager._lock = MagicMock()
+        mock_job_manager._lock.__enter__ = MagicMock(return_value=None)
+        mock_job_manager._lock.__exit__ = MagicMock(return_value=None)
+
+        with patch(
+            "src.code_indexer.server.web.routes._get_background_job_manager",
+            return_value=mock_job_manager
+        ):
+            jobs, total, pages = _get_all_jobs()
+
+        assert len(jobs) == 2
+        # job2 started later (11:00), should be first
+        assert jobs[0]["job_id"] == "job2"
+        assert jobs[1]["job_id"] == "job1"
+
+    def test_jobs_fallback_to_created_at_when_no_started_at(self):
+        """
+        Bug 1a: Jobs without started_at should use created_at for sorting.
+
+        Given jobs where some have no started_at
+        When _get_all_jobs is called
+        Then those jobs use created_at for sorting
+        """
+        from src.code_indexer.server.web.routes import _get_all_jobs
+
+        # Job1: queued (no started_at), created at 10:00
+        mock_job1 = MagicMock()
+        mock_job1.job_id = "job1"
+        mock_job1.operation_type = "index"
+        mock_job1.status = MagicMock(value="queued")
+        mock_job1.progress = 0
+        mock_job1.created_at = datetime(2026, 1, 12, 10, 0, 0)
+        mock_job1.started_at = None
+        mock_job1.completed_at = None
+        mock_job1.error = None
+        mock_job1.username = "user1"
+        mock_job1.result = None
+
+        # Job2: queued (no started_at), created at 11:00 (should be first)
+        mock_job2 = MagicMock()
+        mock_job2.job_id = "job2"
+        mock_job2.operation_type = "index"
+        mock_job2.status = MagicMock(value="queued")
+        mock_job2.progress = 0
+        mock_job2.created_at = datetime(2026, 1, 12, 11, 0, 0)
+        mock_job2.started_at = None
+        mock_job2.completed_at = None
+        mock_job2.error = None
+        mock_job2.username = "user2"
+        mock_job2.result = None
+
+        mock_job_manager = MagicMock()
+        mock_job_manager.jobs = {"job1": mock_job1, "job2": mock_job2}
+        mock_job_manager._lock = MagicMock()
+        mock_job_manager._lock.__enter__ = MagicMock(return_value=None)
+        mock_job_manager._lock.__exit__ = MagicMock(return_value=None)
+
+        with patch(
+            "src.code_indexer.server.web.routes._get_background_job_manager",
+            return_value=mock_job_manager
+        ):
+            jobs, total, pages = _get_all_jobs()
+
+        assert len(jobs) == 2
+        # job2 created later (11:00), should be first
+        assert jobs[0]["job_id"] == "job2"
+        assert jobs[1]["job_id"] == "job1"
