Summary

Make password decryption with broken keys more reliable.

Review Request #14855 — Created Feb. 25, 2026 and submitted Feb. 25, 2026, 10:04 p.m.

Information

Owner

david

Repository

Review Board

Branch

release-7.x

Bugs

Depends On

Reviewers

Groups

reviewboard

People

Description

I've been seeing inconsistent results for
RepositoryTests.test_password_decryption_failed, which tests that we
don't crash when the SECRET_KEY has been mistakenly changed and stored
passwords cannot be decrypted. While this works most of the time by
properly catching the decode error, occasionally the random IV used
during AES-CFB causes the decoded result to be valid(ish) unicode. These
almost always result in unprintable characters, however.

This change adds a step to decrypt_password to check if the result is
printable, and if not, raise a ValueError. This should make it so this
test (and handling of the situation in production) is much more
reliable.

Testing Done

Ran unit tests.

Commits

Summary	ID
Make password decryption with broken keys more reliable. I've been seeing inconsistent results for 'RepositoryTests.test_password_decryption_failed`, which tests that we don't crash when the `SECRET_KEY` has been mistakenly changed and stored passwords cannot be decrypted. While this works most of the time by properly catching the decode error, occasionally the random IV used during AES-CFB causes the decoded result to be valid(ish) unicode. These almost always result in unprintable characters, however. This change adds a step to `decrypt_password` to check if the result is printable, and if not, raise a `ValueError`. This should make it so this test (and handling of the situation in production) is much more reliable. Testing Done: Ran unit tests.	a109fe2e1964d1c2f065107a32b4cdcdd39755b3

Summary

Make password decryption with broken keys more reliable.

I've been seeing inconsistent results for 'RepositoryTests.test_password_decryption_failed`, which tests that we don't crash when the `SECRET_KEY` has been mistakenly changed and stored passwords cannot be decrypted. While this works *most* of the time by properly catching the decode error, occasionally the random IV used during AES-CFB causes the decoded result to be valid(ish) unicode. These almost always result in unprintable characters, however. This change adds a step to `decrypt_password` to check if the result is printable, and if not, raise a `ValueError`. This should make it so this test (and handling of the situation in production) is much more reliable. Testing Done: Ran unit tests.

a109fe2e1964d1c2f065107a32b4cdcdd39755b3

Issues

Description	From	Last Updated
Won't this ValueError message just get swallowed when we catch it in Repository.password. Should we pass the error message to …	maubin	Feb. 25, 2026, 9:42 p.m.

flake8 passed.

JSHint passed.

The issue has been dropped. Show all issues

Won't this ValueError message just get swallowed when we catch it in Repository.password. Should we pass the error message to the log there?

david Feb. 25, 2026, 9:42 p.m.

It's true it will get swallowed there, but we have special handling around that that provides errors to the user. decrypt_password is used in a bunch of other places, though.

Ship it!

```
Ship It!
```

Status:: Completed
Change Summary:: Pushed to release-7.x (a9285c8)