fix(shared): validate SOURCEBOT_ENCRYPTION_KEY length (#1305)

brendan-kellam · claude · web-flow · commit 4ec87e1cc721 · 2026-06-12T13:06:04.000-07:00
* fix(shared): validate SOURCEBOT_ENCRYPTION_KEY is 32 chars The key is used directly as a 32-byte AES-256-CBC key. Validate its length at startup so a misconfigured key fails fast with an actionable message instead of a RangeError deep in an encryption call. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * docs: add CHANGELOG entry for #1305 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * test(shared): use a real 32-char SOURCEBOT_ENCRYPTION_KEY The test value was named "...-32-characters!" but was actually 34 chars, which now fails the length validation. Replace it with a true 32-character value. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added the ability to configure email code and credentials login from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
 - Added a list of configured SSO providers from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
 
+### Fixed
+- Validated that `SOURCEBOT_ENCRYPTION_KEY` is exactly 32 characters at startup, failing fast with an actionable message instead of a runtime encryption error. [#1305](https://github.com/sourcebot-dev/sourcebot/pull/1305)
+
 ## [5.0.2] - 2026-06-11
 
 ### Changed
diff --git a/packages/shared/src/env.server.ts b/packages/shared/src/env.server.ts
@@ -337,7 +337,13 @@ const options = {
         PERMISSION_SYNC_REPO_DRIVEN_ENABLED: booleanSchema.default('true'),
         EXPERIMENT_ASK_GH_ENABLED: booleanSchema.default('false'),
 
-        SOURCEBOT_ENCRYPTION_KEY: z.string(),
+        // Used as the key for AES-256-CBC encryption (@see shared/src/crypto.ts).
+        // The key is read as ASCII (1 char = 1 byte), so AES-256's 32-byte key
+        // requirement means this must be exactly 32 characters. Generate one with
+        // `openssl rand -base64 24` (24 random bytes => a 32-character base64 string).
+        SOURCEBOT_ENCRYPTION_KEY: z.string().length(32, {
+            message: "SOURCEBOT_ENCRYPTION_KEY must be exactly 32 characters (a 256-bit AES key). Generate one with `openssl rand -base64 24`.",
+        }),
         SOURCEBOT_INSTALL_ID: z.string().default("unknown"),
         SOURCEBOT_LIGHTHOUSE_URL: z.string().url().default("https://deployments.sourcebot.dev"),
 
diff --git a/packages/shared/vitest.config.ts b/packages/shared/vitest.config.ts
@@ -11,7 +11,7 @@ export default defineConfig({
             SOURCEBOT_PUBLIC_KEY_PATH: '/tmp/test-key',
             NODE_ENV: 'test',
             CONFIG_PATH: '/tmp/test-config.json',
-            SOURCEBOT_ENCRYPTION_KEY: 'test-encryption-key-32-characters!',
+            SOURCEBOT_ENCRYPTION_KEY: 'test-encryption-key-32chars-pad!',
             SOURCEBOT_LIGHTHOUSE_URL: 'http://localhost:3003',
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ export default defineConfig({`
`11`	`11`	`SOURCEBOT_PUBLIC_KEY_PATH: '/tmp/test-key',`
`12`	`12`	`NODE_ENV: 'test',`
`13`	`13`	`CONFIG_PATH: '/tmp/test-config.json',`
`14`		`- SOURCEBOT_ENCRYPTION_KEY: 'test-encryption-key-32-characters!',`
	`14`	`+ SOURCEBOT_ENCRYPTION_KEY: 'test-encryption-key-32chars-pad!',`
`15`	`15`	`SOURCEBOT_LIGHTHOUSE_URL: 'http://localhost:3003',`
`16`	`16`	`}`
`17`	`17`	`}`