The latest updates on your projects. Learn more about Vercel for GitHub.
| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| debby | Preview | | May 21, 2026 3:15pm |
Adds a second encryption layer (using CONNECTED_ACCOUNT_ENCRYPTION_KEY) around connected account credential data that is already encrypted with ENCRYPTION_KEY. This is a direct response to the security incident on 2026-05-21 where the staging admin endpoint exposed decrypted OAuth tokens.
Context: PR #10117 introduces the connectedAccountSecurityProvider and the double-encrypt/decrypt logic at the application layer. This PR adds the database migration and progressive re-encryption tooling to migrate the existing ~4.6M rows.
1. Prisma schema — `isDoubleEncrypted` boolean column on `ConnectedAccounts` (maps to `is_double_encrypted`)
2. Liquibase migration v91 (`up.ts` / `down.ts`):
   - `is_double_encrypted BOOLEAN NOT NULL DEFAULT false` column
   - `idx_connected_accounts_not_double_encrypted` on `(id) WHERE is_double_encrypted = false` for efficient batch cursor queries
3. Progressive re-encryption script (`re-encrypt.ts`):
   - Selects rows with `is_double_encrypted = false` in batches
   - Sets `is_double_encrypted = true` on migrated rows
   - `SELECT ... FOR UPDATE SKIP LOCKED` for safe concurrency
   - `BATCH_SIZE` (default 100), `CONCURRENCY` (default 4), `DRY_RUN`

```bash
# Run the column migration first
doppler run --project hermes --config prd -- pnpm turbo db:migrate

# Then run progressive re-encryption (can run multiple instances)
doppler run --project hermes --config prd -- bun run \
  packages/db/liquibase/migrations/v91_double_encrypt_connected_accounts/re-encrypt.ts

# With custom settings
BATCH_SIZE=200 CONCURRENCY=8 doppler run --project hermes --config prd -- bun run \
  packages/db/liquibase/migrations/v91_double_encrypt_connected_accounts/re-encrypt.ts

# Dry run first
DRY_RUN=true doppler run --project hermes --config prd -- bun run \
  packages/db/liquibase/migrations/v91_double_encrypt_connected_accounts/re-encrypt.ts
```
Write path (PR #10117):

```text
plaintext → encrypt(ENCRYPTION_KEY) → encrypt(CONNECTED_ACCOUNT_ENCRYPTION_KEY) → store
```

Read path (PR #10117):

```text
stored → try decrypt(CONNECTED_ACCOUNT_ENCRYPTION_KEY)
  → if success: decrypt(ENCRYPTION_KEY) → plaintext (double-encrypted row)
  → if fail: decrypt(ENCRYPTION_KEY) → plaintext (legacy single-encrypted row)
```

Migration path (this PR):

```text
stored(single) → verify decrypt(ENCRYPTION_KEY) works
  → encrypt(stored_ciphertext, CONNECTED_ACCOUNT_ENCRYPTION_KEY) → store + set flag
```
The is_double_encrypted column prevents triple-encrypting rows that were already migrated.
🤖 Generated with Claude Code
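The write, read and migration paths described in the PR above, as an added example that is not the project's own code. It assumes AES-256-GCM with a random 12-byte IV and an `iv|tag|data` blob layout, and the function and type names (`encrypt`, `decrypt`, `writeCredential`, `readCredential`, `migrateRow`, `Row`) are hypothetical; it also shows why the read-path fallback only works with an authenticated cipher, and why the flag, not the fallback, is what guards against triple encryption.

```typescript
// Added example, not the project's code. Assumptions: AES-256-GCM, random 12-byte
// IV, blob layout iv|tag|data, 32-byte keys; all names here are hypothetical.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const ENCRYPTION_KEY = randomBytes(32);                   // constructed key
const CONNECTED_ACCOUNT_ENCRYPTION_KEY = randomBytes(32); // constructed key

function encrypt(key: Buffer, plaintext: Buffer): Buffer {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), data]);
}

function decrypt(key: Buffer, blob: Buffer): Buffer {
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws when the GCM tag does not verify (wrong key or tampered data).
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

interface Row { credential: Buffer; isDoubleEncrypted: boolean; }

// Write path: plaintext -> encrypt(ENCRYPTION_KEY) -> encrypt(CONNECTED_ACCOUNT_ENCRYPTION_KEY)
function writeCredential(plaintext: string): Row {
  const inner = encrypt(ENCRYPTION_KEY, Buffer.from(plaintext, "utf8"));
  return { credential: encrypt(CONNECTED_ACCOUNT_ENCRYPTION_KEY, inner), isDoubleEncrypted: true };
}

// Read path: try the outer key first; a failed auth tag means a legacy
// single-encrypted row. This fallback relies on the cipher being authenticated.
function readCredential(row: Row): string {
  let inner: Buffer;
  try {
    inner = decrypt(CONNECTED_ACCOUNT_ENCRYPTION_KEY, row.credential);
  } catch {
    inner = row.credential;
  }
  return decrypt(ENCRYPTION_KEY, inner).toString("utf8");
}

// Migration path: verify the inner layer still decrypts, wrap the existing
// ciphertext with the outer key, set the flag. The flag check is what prevents
// triple-encrypting a row that was already migrated.
function migrateRow(row: Row): Row {
  if (row.isDoubleEncrypted) return row;
  decrypt(ENCRYPTION_KEY, row.credential); // throws if the legacy row is unreadable
  return { credential: encrypt(CONNECTED_ACCOUNT_ENCRYPTION_KEY, row.credential), isDoubleEncrypted: true };
}
```

The batch loop, `FOR UPDATE SKIP LOCKED` cursoring and the `DRY_RUN` switch from the real script are left out; this only exercises the per-row crypto decisions.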
Based on git blame analysis of 6 file(s):
| Contributor | Contribution | Files |
|---|---|---|
| Abir Taheer | 33% | 6 |
| sarahsimionescu | 13% | 2 |
| Zen | 10% | 2 |
| Himanshu Dixit | 7% | 2 |
| lingalarahul7 | 7% | 2 |
Recommend Zen and sarahsimionescu.
Zen edited changelog-root.json today and has recent familiarity with the Liquibase changelogs in this repo, so they can quickly validate the changelog integration. sarahsimionescu recently edited schema.prisma and can review Prisma/schema compatibility and any migration impacts.
🤖 Based on git blame with recency weighting (recent edits count more).