[PM-25458] Add error handling stubs & logging for critical decrypt paths (#16284)

* Add error handling stubs for critical decrypt paths

* Fix collection name decrypt

* Update docs

* address feedback

---------

Co-authored-by: Jake Fink <jfink@bitwarden.com>

libs/common/src/auth/services/token.service.ts

@@ -314,12 +314,18 @@ export class TokenService implements TokenServiceAbstraction {
       );
     }
 
-    const decryptedAccessToken = await this.encryptService.decryptString(
-      encryptedAccessToken,
-      accessTokenKey,
-    );
+    try {
+      const decryptedAccessToken = await this.encryptService.decryptString(
+        encryptedAccessToken,
+        accessTokenKey,
+      );
+      return decryptedAccessToken;
+    } catch (e) {
+      // Note: This should be replaced by the owning team with appropriate, domain-specific behavior.
 
-    return decryptedAccessToken;
+      this.logService.error("[TokenService] Error decrypting access token", e);
+      throw e;
+    }
   }
 
   /**

libs/common/src/key-management/crypto/abstractions/encrypt.service.ts

@@ -28,6 +28,9 @@ export abstract class EncryptService {
 
   /**
    * Decrypts an EncString to a string
+   * @throws IMPORTANT: This throws if decryption fails. If decryption failures are expected to happen,
+   * the callsite should log where the failure occurred, and handle it by domain specifc logic (e.g. show a UI error).
+   *
    * @param encString - The EncString containing the encrypted string.
    * @param key - The key to decrypt the value with
    * @returns The decrypted string
@@ -36,10 +39,12 @@ export abstract class EncryptService {
   abstract decryptString(encString: EncString, key: SymmetricCryptoKey): Promise<string>;
   /**
    * Decrypts an EncString to a Uint8Array
+   * @throws IMPORTANT: This throws if decryption fails. If decryption failures are expected to happen,
+   * the callsite should log where the failure occurred, and handle it by domain specifc logic (e.g. show a UI error).
+   *
    * @param encString - The EncString containing the encrypted bytes.
    * @param key - The key to decrypt the value with
    * @returns The decrypted bytes as a Uint8Array
-   * @throws Error if decryption fails
    * @deprecated Bytes are not the right abstraction to encrypt in. Use e.g. key wrapping or file encryption instead
    */
   abstract decryptBytes(encString: EncString, key: SymmetricCryptoKey): Promise<Uint8Array>;

libs/common/src/key-management/crypto/models/enc-string.ts

@@ -180,9 +180,13 @@ export class EncString {
 
       const encryptService = Utils.getContainerService().getEncryptService();
       this.decryptedValue = await encryptService.decryptString(this, key);
-      // FIXME: Remove when updating file. Eslint update
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
     } catch (e) {
+      // eslint-disable-next-line no-console
+      console.error(
+        "[EncString Generic Decrypt] failed to decrypt encstring. Context: " +
+          (context ?? "No context"),
+        e,
+      );
       this.decryptedValue = DECRYPT_ERROR;
     }
     return this.decryptedValue;

libs/common/src/vault/models/domain/folder.ts

@@ -50,7 +50,14 @@ export class Folder extends Domain {
     const folderView = new FolderView();
     folderView.id = this.id;
     folderView.revisionDate = this.revisionDate;
-    folderView.name = await encryptService.decryptString(this.name, key);
+    try {
+      folderView.name = await encryptService.decryptString(this.name, key);
+    } catch (e) {
+      // Note: This should be replaced by the owning team with appropriate, domain-specific behavior.
+      // eslint-disable-next-line no-console
+      console.error("[Folder] Error decrypting folder", e);
+      throw e;
+    }
     return folderView;
   }