fix(db): generate unique random salt per encryptSecret call (GRO-453) #225

Merged

groombook-engineer[bot] merged 1 commits from fix/gro-454-test-schema into main

2026-04-04 22:22:51 +00:00

Author	SHA1	Message	Date
Paperclip	78a6758349	fix(db): generate unique random salt per encryptSecret call (GRO-453) Use a 16-byte random salt per encryption instead of the fixed "groombook-auth-provider-config" salt. This prevents identical plaintexts from producing identical ciphertexts, closing the timing/anagram security gap identified in GRO-452. New format: salt:iv:ciphertext:authTag (all base64). Legacy format (iv:ciphertext:authTag) is still accepted for backward-compatible decryption of existing stored values. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 21:37:30 +00:00

Author

SHA1

Message

Date

Paperclip

78a6758349

fix(db): generate unique random salt per encryptSecret call (GRO-453)

Use a 16-byte random salt per encryption instead of the fixed
"groombook-auth-provider-config" salt. This prevents identical
plaintexts from producing identical ciphertexts, closing the
timing/anagram security gap identified in GRO-452.

New format: salt:iv:ciphertext:authTag (all base64).
Legacy format (iv:ciphertext:authTag) is still accepted for
backward-compatible decryption of existing stored values.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-04-04 21:37:30 +00:00

fix(db): generate unique random salt per encryptSecret call (GRO-453) #225

1 Commits