Bug Report
Summary
GitHub OAuth access tokens are currently being persisted unencrypted in the database.
Additionally, the GitHub connect flow crashes at runtime due to a call to a non-existent encryption decorator.
Root Cause
utils/encryption.ts exports standalone encrypt and decrypt utilities, but the application never registers them as a Fastify decorator (app.encryption).
As a result:
- routes/auth.ts silently falls back to storing plaintext tokens
- routes/connect.ts crashes with:
Impact
Security
OAuth access tokens are stored as plaintext in the database, exposing live GitHub credentials if the database is compromised.
Reliability
The GitHub account connect flow crashes at runtime for all users.
Consistency
follow.ts already imports decrypt() directly from the utility module, indicating direct utility imports were the intended pattern.
Affected Files
apps/backend/src/routes/auth.ts
apps/backend/src/routes/connect.ts
Proposed Fix
Import and use encrypt() directly from utils/encryption.ts in both routes instead of relying on a non-existent app.encryption decorator.
Benefits
- Ensures OAuth tokens are encrypted before persistence
- Fixes runtime crashes in GitHub connect flow
- Aligns implementation with existing follow.ts usage pattern
- Minimal and low-risk change
I would like to work on this issue as a GSSoC 2026 contributor.
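
The failure mode and the proposed fix, as an added TypeScript example that is not the project's code: encrypt() and decrypt() here are AES-256-GCM stand-ins for utils/encryption.ts (whose implementation is not shown in the report), and the App type, the two store helpers and the sample token are hypothetical. The audit helper matches GitHub's prefixed token format so that rows written before the fix can be found.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed demo key; a real deployment loads 32 bytes from a secret store.
const KEY: Buffer = randomBytes(32);
// Constructed sample in GitHub's OAuth token shape, not a real credential.
const SAMPLE_TOKEN = "gho_" + "a1B2".repeat(9);

// Stand-in for encrypt() in utils/encryption.ts (assumed: AES-256-GCM, iv.tag.body).
function encrypt(plain: string): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", KEY, iv);
  const body = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), body].map((b) => b.toString("base64")).join(".");
}

// Stand-in for decrypt(); final() throws if the ciphertext or tag was altered.
function decrypt(blob: string): string {
  const [iv, tag, body] = blob.split(".").map((p) => Buffer.from(p, "base64"));
  const decipher = createDecipheriv("aes-256-gcm", KEY, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}

// Hypothetical shape of the bug: the decorator was never registered, so the
// optional call yields undefined and the fallback persists the raw token.
type App = { encryption?: { encrypt(v: string): string } };
function storeViaDecorator(app: App, token: string): string {
  return app.encryption?.encrypt(token) ?? token;
}

// Direct import as proposed: no optional lookup, so no plaintext fallback path.
function storeViaImport(token: string): string {
  return encrypt(token);
}

// Audit helper: GitHub tokens start with gho_, ghp_, ghu_, ghs_ or ghr_.
// Base64 output never contains "_", so encrypted values cannot match.
function isPlaintextGitHubToken(stored: string): boolean {
  return /^gh[opusr]_[A-Za-z0-9]{36,}$/.test(stored);
}
```

Running isPlaintextGitHubToken over the existing token column identifies rows that still need to be re-encrypted or revoked once the routes are fixed.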