fix: validate encrypted token payload sizes

[saurabhhhcodes]

Summary

• closes fix : add validation for encrypted token payload lengths #442
• validates encrypted token IVs as exactly 12 bytes / 24 hex characters before AES-GCM decipher creation
• rejects encrypted payloads that are non-hex, odd-length, or shorter than the 16-byte auth tag
• adds focused node:test coverage for malformed IVs, short payloads, and valid token round-trips

Validation

• node --test test/crypto.test.js test/check-deps.test.js
• npm run type-check
• npm run lint (passes with existing warnings in BadgeSection.tsx and CommitTimeChart.tsx)
• git diff --check

Note

npm run build compiles successfully, then stops during page-data collection because local Supabase environment variables are not configured (supabaseUrl is required).

[vercel]

@saurabhhhcodes is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

• level:beginner — 20 pts
• level:intermediate — 35 pts
• level:advanced — 55 pts
• level:critical — 80 pts

Quality (optional):

• quality:clean — ×1.2 multiplier
• quality:exceptional — ×1.5 multiplier

Validation (required to score):

• gssoc:approved — counts for points
• gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

[saurabhhhcodes]

This one looks merge-ready from the checks side.

Current status I see:

• CI Type check, Lint, Build, Dependency audit are green
• Playwright smoke tests are green
• GitGuardian is green
• auto type labels already added type:bug and type:testing

For scoring before merge, could a maintainer please add gssoc:approved plus the appropriate difficulty/quality labels? Since this validates encrypted token payload boundaries and includes test coverage, I think level:intermediate + quality:clean would be reasonable if it matches your review.

[Priyanshu-byte-coder]

Merge conflict — rebase on main to resolve. Crypto validation logic is correct; once conflict is cleared this can merge immediately.

[saurabhhhcodes]

Rebased onto latest main and resolved the src/lib/crypto.ts conflict by keeping the stricter encrypted-token validation while preserving upstream's latest surrounding changes.

Validation after the merge:

• node --test test/crypto.test.js test/check-deps.test.js
• npm run type-check
• npm run lint (passes with existing non-blocking warnings in unrelated components)
• git diff --check
• npm run build compiles successfully, then still stops at page-data collection because local Supabase env is missing (supabaseUrl is required), same local env blocker as before.

This should clear the merge conflict you flagged.

[saurabhhhcodes]

Thanks for the quick review earlier. I fixed the remaining Playwright smoke failure after the rebase as well.

Root cause: the dashboard E2E token was being encoded with an explicit salt: "next-auth.session-token", but the server-side getServerSession(authOptions) path decodes the JWT with the default NextAuth key derivation. That made the test cookie undecryptable, so /dashboard redirected away and the dashboard widgets never rendered.

What changed:

• removed the extra Playwright token salt so the injected next-auth.session-token matches the app's real NextAuth decode path
• kept the production auth-bypass removal from latest main intact
• left the actual token validation fix unchanged

Validation run locally:

• npm run type-check
• npm run lint (passes with existing image/hook warnings)
• PORT=4317 PLAYWRIGHT_BASE_URL=http://127.0.0.1:4317 npm run test:e2e -- e2e/dashboard-widgets.spec.js --reporter=list -> 3 passed
• git diff --check

This should clear the remaining smoke-test blocker on the PR now.

[saurabhhhcodes]

Synced the branch with latest main again after the new workflow-only commits landed upstream. There were no code conflicts; the merge only brought in the new star-request workflow files from upstream.

Validation after sync:

• npm run type-check
• npm run lint (passes with the existing unrelated image/hook warnings)
• PORT=4317 PLAYWRIGHT_BASE_URL=http://127.0.0.1:4317 npm run test:e2e -- e2e/dashboard-widgets.spec.js --reporter=list -> 3 passed
• git diff --check

This should clear the branch-behind blocker again.