fix double encryption issue - only encrypt on save, not on set

paperscissors · paperscissors · commit 796786c52a40 · 2025-07-29T14:00:06.000-04:00
diff --git a/src/Encryptable.php b/src/Encryptable.php
@@ -49,8 +49,11 @@ protected function encryptAttributes()
         
         foreach ($this->getEncryptableAttributes() as $attribute) {
             if (isset($this->attributes[$attribute]) && ! empty($this->attributes[$attribute])) {
-                // Use the field-specific encryption that handles character limits
-                $this->attributes[$attribute] = $this->encryptValueForStorage($this->attributes[$attribute], $databaseHasLimits);
+                // Only encrypt if the value is not already encrypted
+                if (!$this->isValueEncrypted($this->attributes[$attribute])) {
+                    // Use the field-specific encryption that handles character limits
+                    $this->attributes[$attribute] = $this->encryptValueForStorage($this->attributes[$attribute], $databaseHasLimits);
+                }
             }
         }
     }
@@ -114,7 +117,19 @@ protected function encryptValueForStorage($value, $databaseHasLimits = false)
      */
     protected function decryptValue($value)
     {
-        return $this->getEncryptionService()->decrypt($value);
+        $decrypted = $this->getEncryptionService()->decrypt($value);
+        
+        // Check if the decrypted value is still encrypted (double encryption scenario)
+        if (is_string($decrypted) && $this->isValueEncrypted($decrypted)) {
+            try {
+                return $this->getEncryptionService()->decrypt($decrypted);
+            } catch (\Exception $e) {
+                // If second decryption fails, return the first decryption result
+                return $decrypted;
+            }
+        }
+        
+        return $decrypted;
     }
     
     /**
@@ -155,8 +170,7 @@ public function __get($key)
     
     /**
      * Dynamically set attributes.
-     * Ensures attributes are correctly marked for encryption when set through
-     * notification or other dynamic methods.
+     * Ensures attributes are stored as plain text when set, to be encrypted on save.
      *
      * @param  string  $key
      * @param  mixed  $value
@@ -169,18 +183,9 @@ public function __set($key, $value)
             return parent::__set($key, $value);
         }
         
-        // Set the attribute as normal
+        // Set the attribute as normal - do NOT encrypt here
+        // Encryption should only happen on save via the saving event
         parent::__set($key, $value);
-        
-        // If the attribute should be encrypted, make sure it's encrypted
-        $encryptableAttributes = $this->getEncryptableAttributes();
-        
-        if (in_array($key, $encryptableAttributes) && isset($this->attributes[$key]) && !empty($value)) {
-            // Don't double-encrypt - only encrypt if the value is not already encrypted
-            if (!$this->isValueEncrypted($value)) {
-                $this->attributes[$key] = $this->encryptValue($value);
-            }
-        }
     }
     
     /**
diff --git a/tests/Unit/EncryptableTest.php b/tests/Unit/EncryptableTest.php
@@ -391,6 +391,98 @@ public function testDecryptionWorksForRelationshipLoadedModels()
         $this->assertEquals('123 Main Street', $array['street_1']);
         $this->assertEquals('Apt 4B', $array['street_2']);
     }
+
+    public function testDoubleEncryptionDecryption()
+    {
+        // Create a test table
+        $this->app['db']->connection()->getSchemaBuilder()->create('test_models', function ($table) {
+            $table->increments('id');
+            $table->text('address')->nullable();
+            $table->timestamps();
+        });
+
+        $encryptionService = $this->app->make(EncryptionService::class);
+        
+        // Use reflection to access compact encryption
+        $reflection = new \ReflectionClass($encryptionService);
+        $compactEncryptMethod = $reflection->getMethod('compactEncrypt');
+        $compactEncryptMethod->setAccessible(true);
+
+        // Create a double-encrypted scenario:
+        // 1. First encrypt with Laravel standard encryption
+        // 2. Then encrypt that result with compact encryption
+        $originalValue = '123 Main Street';
+        $firstEncryption = $encryptionService->encrypt($originalValue); // Laravel standard
+        $doubleEncrypted = $compactEncryptMethod->invokeArgs($encryptionService, [$firstEncryption]); // Compact of encrypted
+        
+        // Manually insert into database with double encryption
+        $id = $this->app['db']->connection()->table('test_models')->insertGetId([
+            'address' => $doubleEncrypted,
+            'created_at' => now(),
+            'updated_at' => now(),
+        ]);
+
+        // Retrieve using Eloquent - this should handle double decryption
+        $model = TestEncryptableModel::find($id);
+        
+        // Check that the value is properly decrypted (should handle double encryption)
+        $this->assertEquals($originalValue, $model->address);
+        
+        // Verify the raw database value is the double encrypted value
+        $rawData = $this->app['db']->connection()->table('test_models')->where('id', $id)->first();
+        $this->assertTrue(strpos($rawData->address, 'c:') === 0);
+        $this->assertNotEquals($originalValue, $rawData->address);
+    }
+
+    public function testSingleEncryptionOnSaveOnly()
+    {
+        // Create a test table
+        $this->app['db']->connection()->getSchemaBuilder()->create('test_models', function ($table) {
+            $table->increments('id');
+            $table->text('email')->nullable();
+            $table->text('phone')->nullable();
+            $table->timestamps();
+        });
+
+        // Create a new model
+        $model = new TestEncryptableModel();
+        
+        // Set values - these should NOT be encrypted yet
+        $model->email = 'test@example.com';
+        $model->phone = '123-456-7890';
+        
+        // Check that the values are still plain text before save
+        $this->assertEquals('test@example.com', $model->email);
+        $this->assertEquals('123-456-7890', $model->phone);
+        
+        // Check the raw attributes are also plain text
+        $this->assertEquals('test@example.com', $model->getAttributes()['email']);
+        $this->assertEquals('123-456-7890', $model->getAttributes()['phone']);
+        
+        // Now save the model - this should encrypt the values
+        $model->save();
+        
+        // After save, when accessed, they should still return the original values
+        $this->assertEquals('test@example.com', $model->email);
+        $this->assertEquals('123-456-7890', $model->phone);
+        
+        // But the raw database should be encrypted
+        $rawData = $this->app['db']->connection()->table('test_models')->where('id', $model->id)->first();
+        $this->assertNotEquals('test@example.com', $rawData->email);
+        $this->assertNotEquals('123-456-7890', $rawData->phone);
+        
+        // And they should be detectable as encrypted
+        $reflection = new \ReflectionClass($model);
+        $method = $reflection->getMethod('isValueEncrypted');
+        $method->setAccessible(true);
+        $this->assertTrue($method->invokeArgs($model, [$rawData->email]));
+        $this->assertTrue($method->invokeArgs($model, [$rawData->phone]));
+        
+        // Retrieve a fresh instance and verify decryption works
+        $freshModel = TestEncryptableModel::find($model->id);
+        $this->assertEquals('test@example.com', $freshModel->email);
+        $this->assertEquals('123-456-7890', $freshModel->phone);
+    }
 }
 
 class TestEncryptableModel extends Model
