MikeWatch Forks of the Mike legal-AI codebase, distilled for legal-tech readers
Home · willchen96/mike · PR #107

fix: remove SUPABASE_SECRET_KEY fallback from encryptionKey()

⛔ closed · #107 · willchen96/mike ← bmersereau/mike · opened 13d ago by bmersereau · closed 11d ago · +1,310-9 across 5 files · ↗ on GitHub

From the PR description

Summary

  • Removes process.env.SUPABASE_SECRET_KEY from the fallback chain in encryptionKey() in backend/src/lib/userApiKeys.ts
  • USER_API_KEYS_ENCRYPTION_SECRET (or its alias API_KEYS_ENCRYPTION_SECRET) is now required; the function throws if neither is set
  • Previously, a missing dedicated encryption secret silently fell back to the JWT verification secret, violating secret isolation (PR #74 / issue #66)

Closes #98 Closes #114 Closes #117 Closes #118

Changes

  • backend/src/lib/userApiKeys.ts - remove SUPABASE_SECRET_KEY from encryptionKey() fallback chain
  • backend/src/lib/__tests__/encryptionKey.test.ts - tests that SUPABASE_SECRET_KEY fallback is gone and dedicated secret is required; vi.mock hoisted to module top-level
  • backend/package.json / backend/package-lock.json - add vitest dev dependency and "test": "vitest run" script
  • backend/vitest.config.ts - include filter scoping tests to src/ to exclude compiled dist/ artifacts

Test plan

  • Unit tests added and passing (3/3)
  • Backend build passes

Our analysis

Require a dedicated encryption secret for user API keys — read the full analysis →

Think the analysis missed something the PR description covers?

Capture this PR into my fork

Download a Markdown prompt that tells Claude how to port every commit in this PR into your working tree. Run it via claude -p < capture-pull-107.md from inside the repo you want the changes in.

⬇ Download capture-pull-107.md