refactor: move encryption key coercion into crypto.ts

brendan-kellam · claude · brendan-kellam · commit 45aac21b6a60 · 2026-06-16T19:18:46.000-07:00
Move the 33-zeros -&gt; 32-zeros default key normalization out of the env
schema and into encrypt()/decrypt() in crypto.ts, where the key is
actually used. SOURCEBOT_ENCRYPTION_KEY is now a plain string in the env
schema.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/shared/src/crypto.ts b/packages/shared/src/crypto.ts
@@ -15,8 +15,17 @@ const generateIV = (): Buffer => {
     return crypto.randomBytes(ivLength);
 };
 
+// @hack in our docker-compose.yml, we mistakenly used an encryption key with
+// _33_ zeros. As a hacky mechanism to fix peoples deployments without requiring
+// them to update their encryption key, we look for keys with this pattern and
+// coerce them into _32_ zeros (AES-256 requires a 32-byte key).
+// @see https://github.com/sourcebot-dev/sourcebot/commit/e30e75e7af96308b3b063bb3aed8369f5b15aa2e
+const coerceEncryptionKey = (key: string): string => {
+    return key === "0".repeat(33) ? "0".repeat(32) : key;
+};
+
 export function encrypt(text: string): { iv: string; encryptedData: string } {
-    const encryptionKey = Buffer.from(env.SOURCEBOT_ENCRYPTION_KEY, 'ascii');
+    const encryptionKey = Buffer.from(coerceEncryptionKey(env.SOURCEBOT_ENCRYPTION_KEY), 'ascii');
 
     const iv = generateIV();
     const cipher = crypto.createCipheriv(algorithm, encryptionKey, iv);
@@ -28,7 +37,7 @@ export function encrypt(text: string): { iv: string; encryptedData: string } {
 }
 
 export function decrypt(iv: string, encryptedText: string): string {
-    const encryptionKey = Buffer.from(env.SOURCEBOT_ENCRYPTION_KEY, 'ascii');
+    const encryptionKey = Buffer.from(coerceEncryptionKey(env.SOURCEBOT_ENCRYPTION_KEY), 'ascii');
 
     const ivBuffer = Buffer.from(iv, 'hex');
     const encryptedBuffer = Buffer.from(encryptedText, 'hex');
diff --git a/packages/shared/src/env.server.ts b/packages/shared/src/env.server.ts
@@ -341,18 +341,8 @@ const options = {
         // The key is read as ASCII (1 char = 1 byte), so AES-256's 32-byte key
         // requirement means this must be exactly 32 characters. Generate one with
         // `openssl rand -base64 24` (24 random bytes => a 32-character base64 string).
-        SOURCEBOT_ENCRYPTION_KEY: z.preprocess(
-            // @hack in our docker-compose.yml, we mistakenly used a
-            // encryption key with _33_ zeros. As a hacky mechanism to
-            // fix peoples deployments without requiring them to update
-            // their encryption key, we look for keys with this pattern
-            // and coerce them into _32_ zeros.
-            // @see https://github.com/sourcebot-dev/sourcebot/commit/e30e75e7af96308b3b063bb3aed8369f5b15aa2e
-            (value) => value === "0".repeat(33) ? "0".repeat(32) : value,
-            z.string().length(32, {
-                message: "SOURCEBOT_ENCRYPTION_KEY must be exactly 32 characters (a 256-bit AES key). Generate one with `openssl rand -base64 24`.",
-            }),
-        ),
+        // @note: the key is normalized in shared/src/crypto.ts before use.
+        SOURCEBOT_ENCRYPTION_KEY: z.string(),
         SOURCEBOT_INSTALL_ID: z.string().default("unknown"),
         SOURCEBOT_LIGHTHOUSE_URL: z.string().url().default("https://deployments.sourcebot.dev"),
 
