Skip to content

fix(secret-v2-bridge): move/delete personal overrides when moving shared secrets#6078

Open
PuneetKumar1790 wants to merge 2 commits intoInfisical:mainfrom
PuneetKumar1790:fix/move-personal-overrides-4627
Open

fix(secret-v2-bridge): move/delete personal overrides when moving shared secrets#6078
PuneetKumar1790 wants to merge 2 commits intoInfisical:mainfrom
PuneetKumar1790:fix/move-personal-overrides-4627

Conversation

@PuneetKumar1790
Copy link
Copy Markdown

@PuneetKumar1790 PuneetKumar1790 commented Apr 17, 2026
edited
Loading

Context

Fixes data integrity issue where personal overrides could be left orphaned when moving shared secrets (#4627).

Additionally addresses conflict handling when destination already has personal overrides for the same keys (raised by code review).

What changed

  1. Personal override move/delete behavior:

    • Added DAL helper to move personal overrides by key from source folder to destination folder.
    • Added DAL helper to delete personal overrides by key from source folder.
    • Updated moveSecrets to:
      • Move personal overrides to destination if destination is directly updated
      • Delete source personal overrides if destination is approval-gated (prevents orphans)

  2. Conflict resolution:

    • When moving source personal overrides to destination, destination overrides for the same keys are deleted first
    • This prevents duplicate override rows and maintains the one-override-per-user/key invariant
    • Ensures source overrides replace pre-existing destination overrides

  3. Tests:

    • Added focused unit tests for override move/delete behavior
    • Added test case for destination conflict scenario
    • Added scenario tests documenting expected behavior across different approval policy paths

Steps to verify the change

  • node --max-old-space-size=8192 ./node_modules/.bin/eslint --ext ts src/services/secret-v2-bridge/secret-v2-bridge-dal.ts src/services/secret-v2-bridge/secret-v2-bridge-service.ts src/services/secret-v2-bridge/secret-v2-bridge-move-overrides.test.ts --max-warnings 0
  • npm run -s test:unit -- src/services/secret-v2-bridge/secret-v2-bridge-move-overrides.test.ts

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

claude[bot]
claude Bot reviewed Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@maidul98
Copy link
Copy Markdown
Collaborator

maidul98 commented Apr 17, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ad7148eb62

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
Comment on lines +1189 to +1191
})
.whereIn("key", secretKeys)
.update({ folderId: destinationFolderId })
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Handle override key/user conflicts when moving folders

When moveSecrets overwrites into a destination that already has personal overrides for the same key/user, this bulk update({ folderId: destinationFolderId }) blindly relocates source overrides and can create duplicate personal rows in the destination folder. That violates the one-override-per-user/key assumption used by secret resolution (the priority map only keys by key-folder and will pick one personal row based on query order), so users can see stale or nondeterministic override values after a move. Please resolve destination conflicts (e.g., upsert or delete/replace per key + userId) before updating folder IDs.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Author

@PuneetKumar1790 PuneetKumar1790 Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Handle override key/user conflicts when moving folders

When moveSecrets overwrites into a destination that already has personal overrides for the same key/user, this bulk update({ folderId: destinationFolderId }) blindly relocates source overrides and can create duplicate personal rows in the destination folder. That violates the one-override-per-user/key assumption used by secret resolution (the priority map only keys by key-folder and will pick one personal row based on query order), so users can see stale or nondeterministic override values after a move. Please resolve destination conflicts (e.g., upsert or delete/replace per key + userId) before updating folder IDs.

Useful? React with 👍 / 👎.

Thanks for catching this! I've addressed the conflict scenario in the latest commits.

What I added:

  • When moving source personal overrides to destination, destination overrides for the same keys are now deleted first
  • This prevents creating duplicate override rows and maintains the one-override-per-user/key invariant
  • Added a test case verifying this conflict resolution behavior

Changes:

  • movePersonalOverrides now deletes conflicting destination overrides before moving source ones
  • New test: "should delete conflicting destination overrides before moving source overrides"

All tests pass and lint is clean. The fix ensures source overrides safely replace any pre-existing destination overrides without creating duplicates.

@PuneetKumar1790
fix(secret-v2-bridge): resolve destination conflicts when moving pers…
48fb908 
…onal overrides

When moving source personal overrides to destination, delete any existing
destination overrides for the same keys first. This prevents creating duplicate
personal override rows and maintains the one-override-per-user/key invariant
used by secret resolution logic.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@claude claude[bot] claude[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PuneetKumar1790 @maidul98