🔑 feat: Base64 Google Service Keys and Reliable Private Key Formats (danny-avila#8385)

danny-avila · openbiocure · commit ed3af49c476a · 2025-07-13T18:44:45.000+03:00
diff --git a/packages/api/src/utils/key.test.ts b/packages/api/src/utils/key.test.ts
@@ -94,4 +94,89 @@ describe('loadServiceKey', () => {
     const result = await loadServiceKey(JSON.stringify(invalidServiceKey));
     expect(result).toEqual(invalidServiceKey); // It returns the object as-is, validation is minimal
   });
+
+  it('should handle escaped newlines in private key from AWS Secrets Manager', async () => {
+    const serviceKeyWithEscapedNewlines = {
+      ...mockServiceKey,
+      private_key: '-----BEGIN PRIVATE KEY-----\\ntest-key\\n-----END PRIVATE KEY-----',
+    };
+    const jsonString = JSON.stringify(serviceKeyWithEscapedNewlines);
+
+    const result = await loadServiceKey(jsonString);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(
+      '-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
+    );
+  });
+
+  it('should handle double-escaped newlines in private key', async () => {
+    // When you have \\n in JavaScript, JSON.stringify converts it to \\\\n
+    // But we want to test the case where the JSON string contains \\n (single backslash + n)
+    const serviceKeyWithEscapedNewlines = {
+      ...mockServiceKey,
+      private_key: '-----BEGIN PRIVATE KEY-----\\ntest-key\\n-----END PRIVATE KEY-----',
+    };
+    // This will create a JSON string where the private_key contains literal \n (backslash-n)
+    const jsonString = JSON.stringify(serviceKeyWithEscapedNewlines);
+
+    const result = await loadServiceKey(jsonString);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(
+      '-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
+    );
+  });
+
+  it('should handle private key without any newlines', async () => {
+    const serviceKeyWithoutNewlines = {
+      ...mockServiceKey,
+      private_key: '-----BEGIN PRIVATE KEY-----test-key-----END PRIVATE KEY-----',
+    };
+    const jsonString = JSON.stringify(serviceKeyWithoutNewlines);
+
+    const result = await loadServiceKey(jsonString);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(
+      '-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
+    );
+  });
+
+  it('should not modify private key that already has proper formatting', async () => {
+    const jsonString = JSON.stringify(mockServiceKey);
+
+    const result = await loadServiceKey(jsonString);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(mockServiceKey.private_key);
+  });
+
+  it('should handle base64 encoded service key', async () => {
+    const jsonString = JSON.stringify(mockServiceKey);
+    const base64Encoded = Buffer.from(jsonString).toString('base64');
+
+    const result = await loadServiceKey(base64Encoded);
+    expect(result).not.toBeNull();
+    expect(result).toEqual(mockServiceKey);
+  });
+
+  it('should handle base64 encoded service key with escaped newlines', async () => {
+    const serviceKeyWithEscapedNewlines = {
+      ...mockServiceKey,
+      private_key: '-----BEGIN PRIVATE KEY-----\\ntest-key\\n-----END PRIVATE KEY-----',
+    };
+    const jsonString = JSON.stringify(serviceKeyWithEscapedNewlines);
+    const base64Encoded = Buffer.from(jsonString).toString('base64');
+
+    const result = await loadServiceKey(base64Encoded);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(
+      '-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
+    );
+  });
+
+  it('should handle invalid base64 strings gracefully', async () => {
+    // This looks like base64 but isn't valid
+    const invalidBase64 = 'SGVsbG8gV29ybGQ='; // "Hello World" in base64, not valid JSON
+
+    const result = await loadServiceKey(invalidBase64);
+    expect(result).toBeNull();
+  });
 });
diff --git a/packages/api/src/utils/key.ts b/packages/api/src/utils/key.ts
@@ -29,8 +29,20 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
 
   let serviceKey: unknown;
 
+  // Check if it's base64 encoded (common pattern for storing in env vars)
+  if (keyPath.trim().match(/^[A-Za-z0-9+/]+=*$/)) {
+    try {
+      const decoded = Buffer.from(keyPath.trim(), 'base64').toString('utf-8');
+      // Try to parse the decoded string as JSON
+      serviceKey = JSON.parse(decoded);
+    } catch {
+      // Not base64 or not valid JSON after decoding, continue with other methods
+      // Silent failure - not critical
+    }
+  }
+
   // Check if it's a stringified JSON (starts with '{')
-  if (keyPath.trim().startsWith('{')) {
+  if (!serviceKey && keyPath.trim().startsWith('{')) {
     try {
       serviceKey = JSON.parse(keyPath);
     } catch (error) {
@@ -39,15 +51,15 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
     }
   }
   // Check if it's a URL
-  else if (/^https?:\/\//.test(keyPath)) {
+  else if (!serviceKey && /^https?:\/\//.test(keyPath)) {
     try {
       const response = await axios.get(keyPath);
       serviceKey = response.data;
     } catch (error) {
       logger.error(`Failed to fetch the service key from URL: ${keyPath}`, error);
       return null;
     }
-  } else {
+  } else if (!serviceKey) {
     // It's a file path
     try {
       const absolutePath = path.isAbsolute(keyPath) ? keyPath : path.resolve(keyPath);
@@ -75,5 +87,30 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
     return null;
   }
 
-  return serviceKey as GoogleServiceKey;
+  // Fix private key formatting if needed
+  const key = serviceKey as GoogleServiceKey;
+  if (key.private_key && typeof key.private_key === 'string') {
+    // Replace escaped newlines with actual newlines
+    // When JSON.parse processes "\\n", it becomes "\n" (single backslash + n)
+    // When JSON.parse processes "\n", it becomes an actual newline character
+    key.private_key = key.private_key.replace(/\\n/g, '\n');
+
+    // Also handle the String.raw`\n` case mentioned in Stack Overflow
+    key.private_key = key.private_key.split(String.raw`\n`).join('\n');
+
+    // Ensure proper PEM format
+    if (!key.private_key.includes('\n')) {
+      // If no newlines are present, try to format it properly
+      const privateKeyMatch = key.private_key.match(
+        /^(-----BEGIN [A-Z ]+-----)(.*)(-----END [A-Z ]+-----)$/,
+      );
+      if (privateKeyMatch) {
+        const [, header, body, footer] = privateKeyMatch;
+        // Add newlines after header and before footer
+        key.private_key = `${header}\n${body}\n${footer}`;
+      }
+    }
+  }
+
+  return key;
 }
