Add a unit test suite for internal/cryptox AES-256-GCM encrypt/decrypt and key parsing #38

Description

@Jagadeeshftw

📌 Description

internal/cryptox/aesgcm.go implements KeyFromB64, EncryptAESGCM, and DecryptAESGCM — the routines that protect stored GitHub OAuth tokens at rest — yet there is no aesgcm_test.go. This security-critical code is completely untested.

💡 Why it matters: The token-encryption primitives guard credentials at rest; a silent regression here could expose tokens or make them undecryptable.

🧩 Requirements and context

  • Test round-trip: Decrypt(Encrypt(x)) == x for various plaintext sizes including empty.
  • Test KeyFromB64 rejects non-32-byte keys and invalid base64.
  • Test that two encryptions of the same plaintext differ (random nonce) but both decrypt.
  • Test tamper detection: flipping a ciphertext byte makes decryption fail (GCM auth).
  • Test decryption of a too-short blob returns an error, not a panic.

Non-functional requirements

  • Must be secure, tested, and documented.
  • Should be efficient and easy to review.

🛠️ Suggested execution

1. Fork the repo and create a branch

git checkout -b test/cryptox-aesgcm

2. Implement changes

  • Write/modify the relevant source: none (tests only); add GoDoc if gaps found
  • Write comprehensive tests: internal/cryptox/aesgcm_test.go
  • Add documentation: brief package GoDoc on aesgcm.go
  • Include GoDoc comments where behavior is clarified
  • Validate security assumptions: confirm nonce uniqueness and AEAD tamper detection

3. Test and commit

  • Run tests:
go test ./internal/cryptox/... -race
  • Cover edge cases: empty plaintext, short blob, wrong key, tampered ciphertext
  • Include test output and security notes in the PR description.

Example commit message

test(cryptox): cover AES-256-GCM encrypt/decrypt and key parsing

✅ Acceptance criteria

  • Round-trip and empty-plaintext cases pass
  • Invalid key length and base64 rejected by tests
  • Tamper and short-blob cases return errors, no panics
  • Coverage for internal/cryptox ≥ 95%

🔒 Security notes

Verifies AEAD integrity and nonce randomness; tests must not hardcode real production keys.

📋 Guidelines

  • Minimum 95% test coverage
  • Clear documentation
  • Timeframe: 96 hours
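The tamper and short-blob requirements above, worked as an added example that is not part of the issue or the project's code. The page does not show aesgcm.go, so `aead`, `encrypt`, `decrypt` and `allRejected` are hypothetical stand-ins that take a `cipher.AEAD` instead of a key, and the nonce||ciphertext||tag blob layout is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Stand-ins, not the project's code: signatures and the nonce||ciphertext||tag layout are assumed.
func aead(key [32]byte) cipher.AEAD {
	b, _ := aes.NewCipher(key[:]) // cannot fail: the key is exactly 32 bytes
	g, _ := cipher.NewGCM(b)      // cannot fail: AES has a 16-byte block
	return g
}

func encrypt(g cipher.AEAD, pt []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil // fresh random nonce is prepended to the output
}

func decrypt(g cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < g.NonceSize()+g.Overhead() { // without this check the slicing below panics
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// allRejected reports whether every single-bit flip and every truncation of blob fails to decrypt.
func allRejected(g cipher.AEAD, blob []byte) bool {
	for i := range blob {
		t := append([]byte(nil), blob...)
		t[i] ^= 1                     // tamper with byte i of the nonce, ciphertext or tag
		_, e1 := decrypt(g, t)        // must fail GCM authentication
		_, e2 := decrypt(g, blob[:i]) // truncated to i bytes, including the empty blob
		if e1 == nil || e2 == nil {
			return false
		}
	}
	return true
}

func main() {
	g := aead([32]byte{}) // constructed all-zero test key, never a real one
	blob, _ := encrypt(g, []byte("constructed-token"))
	fmt.Println("all mutated blobs rejected:", allRejected(g, blob))
}
```

In aesgcm_test.go the same loop would call the project's DecryptAESGCM, so a missing length check surfaces as a test panic instead of passing silently.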

Labels

  • GrantFox OSS: GrantFox open-source program
  • Maybe Rewarded: GrantFox: potentially rewarded contribution
  • Official Campaign: GrantFox official campaign issue
  • good-first-issue: Good for newcomers
  • security: Security hardening / audit
  • testing: Tests and coverage
