[PM-25458] Add error handling stubs & logging for critical decrypt paths (#16284)

* Add error handling stubs for critical decrypt paths * Fix collection name decrypt * Update docs * address feedback --------- Co-authored-by: Jake Fink <jfink@bitwarden.com>
2025-12-20 10:13:31 +00:00 · 2025-09-09 23:19:00 +09:00
parent 15619c6265
commit 7985487d5b
7 changed files with 73 additions and 16 deletions
--- a/libs/common/src/key-management/crypto/abstractions/encrypt.service.ts
+++ b/libs/common/src/key-management/crypto/abstractions/encrypt.service.ts
@@ -28,6 +28,9 @@ export abstract class EncryptService {

  /**
   * Decrypts an EncString to a string
+   * @throws IMPORTANT: This throws if decryption fails. If decryption failures are expected to happen,
+   * the callsite should log where the failure occurred, and handle it by domain specifc logic (e.g. show a UI error).
+   *
   * @param encString - The EncString containing the encrypted string.
   * @param key - The key to decrypt the value with
   * @returns The decrypted string
@@ -36,10 +39,12 @@ export abstract class EncryptService {
  abstract decryptString(encString: EncString, key: SymmetricCryptoKey): Promise<string>;
  /**
   * Decrypts an EncString to a Uint8Array
+   * @throws IMPORTANT: This throws if decryption fails. If decryption failures are expected to happen,
+   * the callsite should log where the failure occurred, and handle it by domain specifc logic (e.g. show a UI error).
+   *
   * @param encString - The EncString containing the encrypted bytes.
   * @param key - The key to decrypt the value with
   * @returns The decrypted bytes as a Uint8Array
-   * @throws Error if decryption fails
   * @deprecated Bytes are not the right abstraction to encrypt in. Use e.g. key wrapping or file encryption instead
   */
  abstract decryptBytes(encString: EncString, key: SymmetricCryptoKey): Promise<Uint8Array>;
--- a/libs/common/src/key-management/crypto/models/enc-string.ts
+++ b/libs/common/src/key-management/crypto/models/enc-string.ts
@@ -180,9 +180,13 @@ export class EncString {

      const encryptService = Utils.getContainerService().getEncryptService();
      this.decryptedValue = await encryptService.decryptString(this, key);
-      // FIXME: Remove when updating file. Eslint update
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
    } catch (e) {
+      // eslint-disable-next-line no-console
+      console.error(
+        "[EncString Generic Decrypt] failed to decrypt encstring. Context: " +
+          (context ?? "No context"),
+        e,
+      );
      this.decryptedValue = DECRYPT_ERROR;
    }
    return this.decryptedValue;