Improve decryption failure message (#24573) (#24575)

Backport #24573 Help some users like #16832 #1851 There are many users reporting similar problem: if the SECRET_KEY mismatches, some operations (like 2FA login) only reports unclear 500 error and unclear "base64 decode error" log （some maintainers ever spent a lot of time on debugging such problem) The SECRET_KEY was not well-designed and it is also a kind of technical debt. Since it couldn't be fixed easily, it's good to add clearer error messages, then at least users could know what the real problem is.
2025-08-14 13:38:28 +00:00 · 2023-05-07 22:12:32 +08:00
parent 6f57be0025
commit 4498a26222
2 changed files with 26 additions and 17 deletions
--- a/modules/secret/secret_test.go
+++ b/modules/secret/secret_test.go
@@ -10,14 +10,22 @@ import (
 )

 func TestEncryptDecrypt(t *testing.T) {
-	var hex string
-	var str string
+	hex, err := EncryptSecret("foo", "baz")
+	assert.NoError(t, err)
+	str, _ := DecryptSecret("foo", hex)
+	assert.Equal(t, "baz", str)

-	hex, _ = EncryptSecret("foo", "baz")
+	hex, err = EncryptSecret("bar", "baz")
+	assert.NoError(t, err)
 	str, _ = DecryptSecret("foo", hex)
-	assert.Equal(t, str, "baz")
+	assert.NotEqual(t, "baz", str)

-	hex, _ = EncryptSecret("bar", "baz")
-	str, _ = DecryptSecret("foo", hex)
-	assert.NotEqual(t, str, "baz")
+	_, err = DecryptSecret("a", "b")
+	assert.ErrorContains(t, err, "invalid hex string")
+
+	_, err = DecryptSecret("a", "bb")
+	assert.ErrorContains(t, err, "the key (maybe SECRET_KEY?) might be incorrect: AesDecrypt ciphertext too short")
+
+	_, err = DecryptSecret("a", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
+	assert.ErrorContains(t, err, "the key (maybe SECRET_KEY?) might be incorrect: AesDecrypt invalid decrypted base64 string")
 }