fix: specify authTagLength in AES-GCM createDecipheriv calls #3881

Closed
NLmejiro wants to merge 1 commit into simstudioai:main from NLmejiro:fix/gcm-auth-tag-length

@NLmejiro NLmejiro commented Apr 1, 2026

Summary

Specifies explicit authTagLength: 16 parameter in createDecipheriv calls using AES-256-GCM mode.

Vulnerability

CWE-310 (Cryptographic Issues) — missing authentication tag length specification in GCM mode decryption. Without an explicit expected tag length, an attacker may be able to spoof ciphertexts using a shorter-than-expected authentication tag.

Affected Files

  • apps/sim/lib/api-key/crypto.ts
  • apps/sim/lib/core/security/encryption.ts
  • packages/db/scripts/migrate-block-api-keys-to-byok.ts

Fix

```typescript
// Before
crypto.createDecipheriv('aes-256-gcm', key, iv)

// After
crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
```

Fixes missing authTagLength parameter in createDecipheriv calls using
AES-256-GCM mode. Without explicit tag length specification, the
application may be tricked into accepting shorter authentication tags,
potentially allowing ciphertext spoofing.

CWE-310: Cryptographic Issues (gcm-no-tag-length)

vercel bot commented Apr 1, 2026

@NLmejiro is attempting to deploy a commit to the Sim Team on Vercel.

A member of the Team first needs to authorize it.


cursor bot commented Apr 1, 2026

PR Summary

Medium Risk
Touches cryptography used to decrypt stored secrets/API keys; while the change is small, it can break decryption if any ciphertexts were created with a non-16-byte auth tag or if runtime crypto behavior differs across environments.

Overview
AES-256-GCM decryption is tightened by passing { authTagLength: 16 } into createDecipheriv in the app API-key decryptor, the shared secret decryptor, and the BYOK migration script.

This standardizes the expected GCM auth tag size during decryption to reduce acceptance of malformed/short tags and align behavior across these call sites.

Written by Cursor Bugbot for commit 84fe778. This will update automatically on new commits. Configure here.


greptile-apps bot commented Apr 1, 2026

Greptile Summary

This PR hardens AES-256-GCM decryption across three files by explicitly passing { authTagLength: 16 } to every createDecipheriv call. Without this option, Node.js's setAuthTag silently accepts authentication tags as short as 4 bytes, which opens the door to GCM tag-truncation/forgery attacks (CWE-310). By fixing the expected length at 16 bytes (128 bits), any ciphertext presented with a shorter tag will now cause setAuthTag to throw, preventing spoofing.

Key points:

  • All three changed files are consistent: encryption (createCipheriv) already defaults to a 16-byte tag via getAuthTag(), so decryption enforcing exactly 16 bytes is the correct complement.
  • The fix is backward-compatible — all previously encrypted values carry a full 16-byte tag and will continue to decrypt without error.
  • The migration script (migrate-block-api-keys-to-byok.ts) carries a copy of the encryption helpers; it is correctly patched in lock-step with the app-level implementations.

Confidence Score: 5/5

This PR is safe to merge — changes are minimal, correct, and strictly additive to security without breaking backward compatibility.

All three changes are identical one-line additions of { authTagLength: 16 } to createDecipheriv calls. The fix is consistent with the encrypt side (which already produces 16-byte tags by default), introduces no new logic paths, and no P0/P1 issues were found.

No files require special attention — all changes are straightforward and correct.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/lib/api-key/crypto.ts | Single-line security fix: adds explicit authTagLength: 16 to createDecipheriv in decryptApiKey, correctly preventing GCM tag-truncation attacks without affecting existing encrypted data. |
| apps/sim/lib/core/security/encryption.ts | Single-line security fix: adds explicit authTagLength: 16 to createDecipheriv in decryptSecret, consistent with the encryptSecret counterpart which produces a 16-byte tag by default. |
| packages/db/scripts/migrate-block-api-keys-to-byok.ts | Single-line security fix: mirrors the same authTagLength: 16 hardening in the self-contained migration script's local decryptSecret, keeping it in sync with the app-level implementation. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Caller
    participant Decryptor
    participant NodeCrypto as Node.js crypto

    Caller->>Decryptor: decryptApiKey/decryptSecret(encryptedValue)
    Decryptor->>Decryptor: parse iv, ciphertext, authTag from "iv:ciphertext:authTag"
    Decryptor->>NodeCrypto: createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
    Note over NodeCrypto: authTagLength: 16 enforces tag must be exactly 16 bytes
    Decryptor->>NodeCrypto: decipher.setAuthTag(authTag)
    Note over NodeCrypto: Throws if authTag.length is not 16
    Decryptor->>NodeCrypto: decipher.update(encrypted) + decipher.final()
    Note over NodeCrypto: final() verifies GCM tag and throws if invalid
    NodeCrypto-->>Decryptor: plaintext
    Decryptor-->>Caller: decrypted plaintext
```

Reviews (1): Last reviewed commit: "fix: specify authTagLength in AES-GCM de..." | Re-trigger Greptile
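
The behavior discussed in the comments above, as an added example that is not code from this PR or the sim repository: it decrypts one constructed value with and without `{ authTagLength: 16 }`, once with its full tag and once with the tag cut to 4 bytes. The key, sample secret, helper names and hex field encoding are assumptions; the `legacyShort` result depends on whether the running Node.js release still has the permissive default described above.

```typescript
import * as crypto from 'crypto'

type Outcome = 'accepted' | 'rejected'

// Constructed sample key for this example; not a value from the project.
const key = crypto.randomBytes(32)

// Encrypt into the "iv:ciphertext:authTag" layout (hex fields are an assumption).
function encrypt(plaintext: string): string {
  const iv = crypto.randomBytes(12)
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
  return [iv, ct, cipher.getAuthTag()].map((b) => b.toString('hex')).join(':')
}

// Attempt decryption; pinTag=true uses the hardened call from the PR.
function tryDecrypt(stored: string, pinTag: boolean): Outcome {
  const [iv, ct, tag] = stored.split(':').map((h) => Buffer.from(h, 'hex'))
  try {
    const decipher = pinTag
      ? crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
      : crypto.createDecipheriv('aes-256-gcm', key, iv)
    decipher.setAuthTag(tag) // with the pinned length, throws when tag.length !== 16
    decipher.update(ct)
    decipher.final() // verifies whatever tag length was accepted above
    return 'accepted'
  } catch {
    return 'rejected'
  }
}

// Keep only the first 4 bytes (8 hex characters) of the stored tag.
function truncateTag(stored: string): string {
  const [iv, ct, tag] = stored.split(':')
  return [iv, ct, tag.slice(0, 8)].join(':')
}

// Run all four combinations on one constructed secret.
function demo(): Record<string, Outcome> {
  const full = encrypt('sk-constructed-sample')
  const short = truncateTag(full)
  return {
    legacyFull: tryDecrypt(full, false),
    legacyShort: tryDecrypt(short, false),
    pinnedFull: tryDecrypt(full, true),
    pinnedShort: tryDecrypt(short, true),
  }
}

console.log(demo())
```
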

waleedlatif1 added a commit that referenced this pull request Apr 1, 2026
…tency

Complements #3881 by adding explicit authTagLength: 16 to the encrypt
side as well, ensuring both cipher and decipher specify the tag length.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
waleedlatif1 added a commit that referenced this pull request Apr 1, 2026
… calls (#3883)

* fix: specify authTagLength in AES-GCM decipheriv calls

Fixes missing authTagLength parameter in createDecipheriv calls using
AES-256-GCM mode. Without explicit tag length specification, the
application may be tricked into accepting shorter authentication tags,
potentially allowing ciphertext spoofing.

CWE-310: Cryptographic Issues (gcm-no-tag-length)

* fix: specify authTagLength on createCipheriv calls for AES-GCM consistency

Complements #3881 by adding explicit authTagLength: 16 to the encrypt
side as well, ensuring both cipher and decipher specify the tag length.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: clean up crypto modules

- Fix error: any → error: unknown with proper type guard in encryption.ts
- Eliminate duplicate iv.toString('hex') calls in both encrypt functions
- Remove redundant string split in decryptApiKey (was splitting twice)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* new turborepo version

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Lakee Sivaraya <71339072+lakeesiv@users.noreply.github.com>
Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>
Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
Co-authored-by: Siddharth Ganesan <33737564+Sg312@users.noreply.github.com>
Co-authored-by: NLmejiro <kuroda.k1021@gmail.com>
@NLmejiro NLmejiro closed this by deleting the head repository Apr 1, 2026