decryptString miste purpose-param → cPanel-token decryptie returnde null #90

New issue

Closed

opened 2026-05-26 18:23:27 +00:00 by jesse-a · 1 comment

jesse-a commented 2026-05-26 18:23:27 +00:00

Owner

Copy link

Severity: HIGH

In src/lib/cpanel.ts was decryptString(auth.tokenEncrypted) aangeroepen zonder het verplichte purpose-argument. De HKDF-keyderivation faalde stilzwijgend, decryptString returnde null, en de Authorization: cpanel user:null werd naar cPanel gestuurd → 401 op elke UAPI-call. Alle cPanel-flows waren stuk.

Niet ontdekt bij build omdat typescript.ignoreBuildErrors: true in next.config.ts staat.

Fix: decryptString(auth.tokenEncrypted, 'cpanel-api-token') + null-check met sprekende error.

Files: src/lib/cpanel.ts

**Severity: HIGH** In `src/lib/cpanel.ts` was `decryptString(auth.tokenEncrypted)` aangeroepen zonder het verplichte `purpose`-argument. De HKDF-keyderivation faalde stilzwijgend, `decryptString` returnde `null`, en de `Authorization: cpanel user:null` werd naar cPanel gestuurd → 401 op elke UAPI-call. Alle cPanel-flows waren stuk. Niet ontdekt bij build omdat `typescript.ignoreBuildErrors: true` in next.config.ts staat. **Fix**: `decryptString(auth.tokenEncrypted, 'cpanel-api-token')` + null-check met sprekende error. **Files**: src/lib/cpanel.ts

jesse-a added the

fixed

security

severity-high

labels 2026-05-26 18:23:27 +00:00

jesse-a commented 2026-05-26 18:23:27 +00:00

Author

Owner

Copy link

Opgelost in commit 77bf537.

Opgelost in commit 77bf537.

jesse-a closed this issue 2026-05-26 18:23:28 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

v1.0.0

v0.11

v0.10

v0.9

v0.8

v0.7

v0.6

v0.5

Labels

Clear labels   

deferred

Known issue, deferred

  

fixed

Resolved

  

security

Security review finding

  

severity-high

High severity

  

severity-low

Low severity

  

severity-medium

Medium severity

No labels

deferred

fixed

security

severity-high

severity-low

severity-medium

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

jesse-a/OpenCRM#90

No description provided.