From d2041b8f4edc1246472376633b82e364b448e7a2 Mon Sep 17 00:00:00 2001
From: Luis Gomez <luis@bird.com>
Date: Thu, 4 Jun 2026 11:55:16 +0200
Subject: [PATCH] Redact encryption master key value from config validation
 error messages

---
 lib/config.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/config.js b/lib/config.js
index 1c3fcd6..8d76a78 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -40,10 +40,10 @@ function Config(options) {
       throw new Error("encryptionMasterKey must be a string")
     }
     if (options.encryptionMasterKey.length !== 32) {
+      // Security: never include the key value in the error message — the key is a
+      // secret and error messages can propagate to logs, error trackers, or HTTP responses.
       throw new Error(
-        "encryptionMasterKey must be 32 bytes long, but the string '" +
-          options.encryptionMasterKey +
-          "' is " +
+        "encryptionMasterKey must be 32 bytes long, but the provided key is " +
           options.encryptionMasterKey.length +
           " bytes long"
       )
@@ -63,10 +63,10 @@ function Config(options) {
 
     const decodedKey = Buffer.from(options.encryptionMasterKeyBase64, "base64")
     if (decodedKey.length !== 32) {
+      // Security: never include the key value in the error message — the key is a
+      // secret and error messages can propagate to logs, error trackers, or HTTP responses.
       throw new Error(
-        "encryptionMasterKeyBase64 must decode to 32 bytes, but the string " +
-          options.encryptionMasterKeyBase64 +
-          "' decodes to " +
+        "encryptionMasterKeyBase64 must decode to 32 bytes, but the provided key decodes to " +
           decodedKey.length +
           " bytes"
       )