From 4cd96a74ffde9bd214e49f143b29e795bc30fee7 Mon Sep 17 00:00:00 2001
From: Bilal Godil
Date: Tue, 9 Sep 2025 13:36:31 -0700
Subject: [PATCH] remove client side encryption for connection strings
---
 .../latest/integrations/neon/projects/connection/route.tsx | 2 +-
 .../api/latest/integrations/neon/projects/provision/route.tsx | 2 +-
 apps/backend/src/prisma-client.tsx | 2 +-
 .../api/v1/integrations/neon/projects/provision.test.ts | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/apps/backend/src/app/api/latest/integrations/neon/projects/connection/route.tsx b/apps/backend/src/app/api/latest/integrations/neon/projects/connection/route.tsx
index b3a74eba2..4551b8072 100644
--- a/apps/backend/src/app/api/latest/integrations/neon/projects/connection/route.tsx
+++ b/apps/backend/src/app/api/latest/integrations/neon/projects/connection/route.tsx
@@ -47,7 +47,7 @@ export const POST = createSmartRouteHandler({
 const uuidConnectionStrings: Record = {};
 const store = await stackServerApp.getDataVaultStore('neon-connection-strings');
- const secret = getEnvVariable('STACK_SERVER_SECRET');
+ const secret = "no client side encryption";
 for (const c of req.body.connection_strings) {
 const uuid = generateUuid();
 await store.setValue(uuid, c.connection_string, { secret });
diff --git a/apps/backend/src/app/api/latest/integrations/neon/projects/provision/route.tsx b/apps/backend/src/app/api/latest/integrations/neon/projects/provision/route.tsx
index e4da9689f..f3549d8ac 100644
--- a/apps/backend/src/app/api/latest/integrations/neon/projects/provision/route.tsx
+++ b/apps/backend/src/app/api/latest/integrations/neon/projects/provision/route.tsx
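Review bot: The literal `"no client side encryption"` assigned to `secret` in connection/route.tsx is repeated verbatim in provision/route.tsx, in `resolveNeonConnectionString` in prisma-client.tsx and twice in provision.test.ts, so an edit to one copy would likely leave stored connection strings unreadable without any compile-time signal. I would export it once from a shared module with a comment that states the intent, for example `// Deliberately not a secret: confidentiality of Neon connection strings relies on the data vault's server-side protection and on access control to the store.` above `export const NEON_VAULT_SECRET = "no client side encryption";` (the constant name is only a suggestion). With a public constant as the key material, anyone who obtains an `encrypted_value` for these entries can decrypt it, as the updated test itself does, so it is worth confirming that reads of the 'neon-connection-strings' store stay restricted to server access. The POST handler body starts and ends outside this hunk.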
@@ -41,7 +41,7 @@ export const POST = createSmartRouteHandler({
 if (hasNeonConnections) {
 const store = await stackServerApp.getDataVaultStore('neon-connection-strings');
- const secret = getEnvVariable('STACK_SERVER_SECRET');
+ const secret = "no client side encryption";
 for (const c of req.body.connection_strings!) {
 const uuid = generateUuid();
diff --git a/apps/backend/src/prisma-client.tsx b/apps/backend/src/prisma-client.tsx
index 91d0933d1..c613d8f83 100644
--- a/apps/backend/src/prisma-client.tsx
+++ b/apps/backend/src/prisma-client.tsx
@@ -55,7 +55,7 @@ async function resolveNeonConnectionString(entry: string): Promise {
 return entry;
 }
 const store = await stackServerApp.getDataVaultStore('neon-connection-strings');
- const secret = getEnvVariable('STACK_SERVER_SECRET');
+ const secret = "no client side encryption";
 const value = await store.getValue(entry, { secret });
 if (!value) throw new Error('No Neon connection string found for UUID');
 return value;
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/integrations/neon/projects/provision.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/integrations/neon/projects/provision.test.ts
index 441963b87..e5bae559e 100644
--- a/apps/e2e/tests/backend/endpoints/api/v1/integrations/neon/projects/provision.test.ts
+++ b/apps/e2e/tests/backend/endpoints/api/v1/integrations/neon/projects/provision.test.ts
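Review bot: `resolveNeonConnectionString` in prisma-client.tsx now reads with the constant secret only, so any entry written to the 'neon-connection-strings' store while `secret` was `getEnvVariable('STACK_SERVER_SECRET')` will presumably no longer be found or decrypted and will end in the `'No Neon connection string found for UUID'` error. No migration or fallback is visible in this patch; if such entries exist in any deployment, either re-store them under the new secret before this ships or retry the read once with the old value, e.g. `const value = (await store.getValue(entry, { secret })) ?? (await store.getValue(entry, { secret: getEnvVariable('STACK_SERVER_SECRET') }));`, assuming `getValue` returns a nullish value rather than throwing on a mismatch. The e2e test only covers an entry provisioned after the change, so a case for a pre-existing entry would be worth adding. The start of the function body is outside this hunk.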
@@ -282,12 +282,12 @@ it("can provision with a Neon connection string when provided via env (optional)
 method: "POST",
 accessType: "server",
 body: {
- hashed_key: await hashKey("23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo", sourceOfTruth.connectionStrings.main),
+ hashed_key: await hashKey("no client side encryption", sourceOfTruth.connectionStrings.main),
 },
 });
 expect(getConnectionResponse.status).toBe(200);
 const connectionString = await decryptValue(
- "23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo",
+ "no client side encryption",
 sourceOfTruth.connectionStrings.main,
 getConnectionResponse.body.encrypted_value
 );