fix: enforce encrypted data validation to prevent plaintext exposure

rui-typelets · rui-typelets · commit 1436fa8826e9 · 2025-09-25T13:31:37.000-04:00
diff --git a/src/lib/api/api.ts b/src/lib/api/api.ts
@@ -336,6 +336,24 @@ class ClerkEncryptedApiService {
       );
     }
 
+    // CRITICAL SECURITY CHECK: Ensure no unencrypted title/content is being sent
+    if (notePayload.title && notePayload.title !== "[ENCRYPTED]") {
+      throw new SecureError(
+        'Attempted to send unencrypted title in note creation',
+        'Security violation: unencrypted data detected',
+        'CRYPTO_001',
+        'critical'
+      );
+    }
+    if (notePayload.content && notePayload.content !== "[ENCRYPTED]") {
+      throw new SecureError(
+        'Attempted to send unencrypted content in note creation',
+        'Security violation: unencrypted data detected',
+        'CRYPTO_001',
+        'critical'
+      );
+    }
+
     const apiNote = await this.request<ApiNote>('/notes', {
       method: 'POST',
       body: JSON.stringify(notePayload),
@@ -405,6 +423,24 @@ class ClerkEncryptedApiService {
       }
     });
 
+    // CRITICAL SECURITY CHECK: Ensure no unencrypted title/content is being sent
+    if (cleanedUpdates.title && cleanedUpdates.title !== "[ENCRYPTED]") {
+      throw new SecureError(
+        'Attempted to send unencrypted title in note update',
+        'Security violation: unencrypted data detected',
+        'CRYPTO_001',
+        'critical'
+      );
+    }
+    if (cleanedUpdates.content && cleanedUpdates.content !== "[ENCRYPTED]") {
+      throw new SecureError(
+        'Attempted to send unencrypted content in note update',
+        'Security violation: unencrypted data detected',
+        'CRYPTO_001',
+        'critical'
+      );
+    }
+
     const requestBody = JSON.stringify(cleanedUpdates);
 
     const apiNote = await this.request<ApiNote>(`/notes/${id}`, {
