Avoid reading env variables directly in the token utils

myftija · myftija · commit a52a78f9dc6e · 2025-08-14T11:39:11.000+02:00
diff --git a/apps/webapp/app/services/organizationAccessToken.server.ts b/apps/webapp/app/services/organizationAccessToken.server.ts
@@ -4,6 +4,7 @@ import { z } from "zod";
 import { prisma } from "~/db.server";
 import { logger } from "./logger.server";
 import { decryptToken, encryptToken, hashToken } from "~/utils/tokens";
+import { env } from "~/env.server";
 
 const tokenValueLength = 40;
 //lowercase only, removed 0 and l to avoid confusion
@@ -147,7 +148,7 @@ export async function createOrganizationAccessToken({
   expiresAt,
 }: CreateOrganizationAccessTokenOptions) {
   const token = createToken();
-  const encryptedToken = encryptToken(token);
+  const encryptedToken = encryptToken(token, env.ENCRYPTION_KEY);
 
   const organizationAccessToken = await prisma.organizationAccessToken.create({
     data: {
@@ -199,7 +200,8 @@ function decryptOrganizationAccessToken(organizationAccessToken: OrganizationAcc
   const decryptedToken = decryptToken(
     encryptedData.data.nonce,
     encryptedData.data.ciphertext,
-    encryptedData.data.tag
+    encryptedData.data.tag,
+    env.ENCRYPTION_KEY
   );
   return decryptedToken;
 }
diff --git a/apps/webapp/app/services/personalAccessToken.server.ts b/apps/webapp/app/services/personalAccessToken.server.ts
@@ -4,6 +4,7 @@ import { z } from "zod";
 import { prisma } from "~/db.server";
 import { logger } from "./logger.server";
 import { decryptToken, encryptToken, hashToken } from "~/utils/tokens";
+import { env } from "~/env.server";
 
 const tokenValueLength = 40;
 //lowercase only, removed 0 and l to avoid confusion
@@ -265,7 +266,7 @@ export async function createPersonalAccessToken({
   userId,
 }: CreatePersonalAccessTokenOptions) {
   const token = createToken();
-  const encryptedToken = encryptToken(token);
+  const encryptedToken = encryptToken(token, env.ENCRYPTION_KEY);
 
   const personalAccessToken = await prisma.personalAccessToken.create({
     data: {
@@ -313,7 +314,8 @@ function decryptPersonalAccessToken(personalAccessToken: PersonalAccessToken) {
   const decryptedToken = decryptToken(
     encryptedData.data.nonce,
     encryptedData.data.ciphertext,
-    encryptedData.data.tag
+    encryptedData.data.tag,
+    env.ENCRYPTION_KEY
   );
   return decryptedToken;
 }
diff --git a/apps/webapp/app/utils/tokens.ts b/apps/webapp/app/utils/tokens.ts
@@ -1,9 +1,8 @@
 import nodeCrypto from "node:crypto";
-import { env } from "~/env.server";
 
-export function encryptToken(value: string) {
+export function encryptToken(value: string, key: string) {
   const nonce = nodeCrypto.randomBytes(12);
-  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", env.ENCRYPTION_KEY, nonce);
+  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
 
   let encrypted = cipher.update(value, "utf8", "hex");
   encrypted += cipher.final("hex");
@@ -17,12 +16,8 @@ export function encryptToken(value: string) {
   };
 }
 
-export function decryptToken(nonce: string, ciphertext: string, tag: string): string {
-  const decipher = nodeCrypto.createDecipheriv(
-    "aes-256-gcm",
-    env.ENCRYPTION_KEY,
-    Buffer.from(nonce, "hex")
-  );
+export function decryptToken(nonce: string, ciphertext: string, tag: string, key: string): string {
+  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(nonce, "hex"));
 
   decipher.setAuthTag(Buffer.from(tag, "hex"));
 
