fix: improve decryption logic in BedrockAccountService to handle both encrypted and plaintext AWS credentials

2026-01-23 17:44:49 +00:00 · 2025-08-07 01:02:26 +08:00
parent e553734e42
commit 3dc0b7ff4f
1 changed files with 20 additions and 13 deletions
--- a/src/services/bedrockAccountService.js
+++ b/src/services/bedrockAccountService.js
@@ -340,15 +340,9 @@ class BedrockAccountService {
        throw new Error('Invalid encrypted data format');
      }
-      // 检查必要字段
+      // 检查是否为加密格式 (有 encrypted 和 iv 字段)
-      if (!encryptedData.encrypted || !encryptedData.iv) {
+      if (encryptedData.encrypted && encryptedData.iv) {
-        logger.error('❌ 缺少加密数据字段:', {
+        // 加密数据 - 进行解密
          hasEncrypted: !!encryptedData.encrypted,
          hasIv: !!encryptedData.iv
        });
        throw new Error('Missing encrypted data fields');
      }
        const key = crypto.createHash('sha256').update(config.security.encryptionKey).digest();
        const iv = Buffer.from(encryptedData.iv, 'hex');
        const decipher = crypto.createDecipheriv(this.ENCRYPTION_ALGORITHM, key, iv);
@@ -357,6 +351,19 @@ class BedrockAccountService {
        decrypted += decipher.final('utf8');
        return JSON.parse(decrypted);
      } else if (encryptedData.accessKeyId) {
        // 纯文本数据 - 直接返回 (向后兼容)
        logger.warn('⚠️ 发现未加密的AWS凭证，建议更新账户以启用加密');
        return encryptedData;
      } else {
        // 既不是加密格式也不是有效的凭证格式
        logger.error('❌ 缺少加密数据字段:', {
          hasEncrypted: !!encryptedData.encrypted,
          hasIv: !!encryptedData.iv,
          hasAccessKeyId: !!encryptedData.accessKeyId
        });
        throw new Error('Missing encrypted data fields or valid credentials');
      }
    } catch (error) {
      logger.error('❌ AWS凭证解密失败', error);
      throw new Error('Credentials decryption failed');