fix(api): wrap encryptSecret in try/catch to return proper JSON error (GRO-441)

fix(api): wrap encryptSecret in try/catch to return proper JSON error (GRO-441)

apps/api/src/index.ts

@@ -167,6 +167,7 @@ api.route("/impersonation", impersonationRouter);
 api.route("/admin/settings", settingsRouter);
 api.route("/admin/auth-provider", authProviderRouter);
 api.route("/admin/seed", adminSeedRouter);
+api.route("/admin/auth-provider", authProviderRouter);
 api.route("/search", searchRouter);
 
 const port = Number(process.env.PORT ?? 3000);

apps/api/src/lib/auth.ts

@@ -179,7 +179,7 @@ export async function initAuth(): Promise<void> {
             },
           ],
         }),
-      ],
+            ],
       session: {
         expiresIn: 60 * 60 * 24 * 7, // 7 days
         updateAge: 60 * 60 * 24, // 1 day

apps/api/src/routes/authProvider.ts

@@ -69,22 +69,34 @@ authProviderRouter.put(
     const db = getDb();
     const body = c.req.valid("json");
 
-    const encryptedSecret = encryptSecret(body.clientSecret);
+let encryptedSecret: string;
+    try {
+      encryptedSecret = encryptSecret(body.clientSecret);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Unknown error";
+      return c.json({ error: `Failed to encrypt client secret: ${message}` }, 500);
+    }
 
     // Upsert: delete existing rows then insert atomically
-    const [row] = await db.transaction(async (tx) => {
+    let row: typeof authProviderConfig.$inferSelect | undefined;
-      await tx.delete(authProviderConfig);
+    try {
-      return tx.insert(authProviderConfig).values({
+      [row] = await db.transaction(async (tx) => {
-        providerId: body.providerId,
+        await tx.delete(authProviderConfig);
-        displayName: body.displayName,
+        return tx.insert(authProviderConfig).values({
-        issuerUrl: body.issuerUrl,
+          providerId: body.providerId,
-        internalBaseUrl: body.internalBaseUrl ?? null,
+          displayName: body.displayName,
-        clientId: body.clientId,
+          issuerUrl: body.issuerUrl,
-        clientSecret: encryptedSecret,
+          internalBaseUrl: body.internalBaseUrl ?? null,
-        scopes: body.scopes,
+          clientId: body.clientId,
-        enabled: true,
+          clientSecret: encryptedSecret,
-      }).returning();
+          scopes: body.scopes,
-    });
+          enabled: true,
+        }).returning();
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Unknown error";
+      return c.json({ error: `Failed to persist auth provider config: ${message}` }, 500);
+    }
 
     if (!row) return c.json({ error: "Failed to create auth provider config" }, 500);
 

packages/db/src/index.ts

@@ -3,8 +3,8 @@ import postgres from "postgres";
 import * as schema from "./schema.js";
 
 export * from "./schema.js";
-export { and, asc, desc, eq, exists, gte, gt, ilike, inArray, lt, lte, ne, or, sql } from "drizzle-orm";
 export { encryptSecret, decryptSecret } from "./crypto.js";
+export { and, asc, desc, eq, exists, gte, gt, ilike, inArray, lt, lte, ne, or, sql } from "drizzle-orm";
 
 let _db: ReturnType<typeof drizzle> | null = null;