feat(kms): bulk export private keys #6083
Merged
Claude / Claude Code Review
completed
Apr 17, 2026 in 9m 46s
Code review found 2 important issues
Found 5 candidates, confirmed 2. See review comments for details.
Details
| Severity | Count |
|---|---|
| 🔴 Important | 2 |
| 🟡 Nit | 0 |
| 🟣 Pre-existing | 0 |

| Severity | File:Line | Issue |
|---|---|---|
| 🔴 Important | backend/src/services/cmek/cmek-service.ts:352-371 | N+1 DB queries for public key derivation in bulkGetPrivateKeys |
| 🔴 Important | frontend/src/pages/kms/OverviewPage/components/CmekTable.tsx:186-205 | handleBulkExport: mutateAsync outside try-catch causes silent failure on API error |
Annotations
Check failure on line 371 in backend/src/services/cmek/cmek-service.ts
claude / Claude Code Review
N+1 DB queries for public key derivation in bulkGetPrivateKeys
In `bulkGetPrivateKeys()`, for each asymmetric key `kmsService.getPublicKey({ kmsId: key.id })` is called inside `Promise.all`, and each call issues a separate `kmsDAL.findByIdWithAssociatedKms(kmsId)` DB round-trip — up to 100 extra queries for a full bulk export. Since `getBulkKeyMaterial()` already returns the decrypted private key in `materialEntry.keyMaterial`, the public key can be derived directly via `signingService(key.encryptionAlgorithm as AsymmetricKeyAlgorithm).getPublicKeyFromPriva
Check failure on line 205 in frontend/src/pages/kms/OverviewPage/components/CmekTable.tsx
claude / Claude Code Review
handleBulkExport: mutateAsync outside try-catch causes silent failure on API error
In `handleBulkExport()`, `bulkExportMutation.mutateAsync()` is called outside the try-catch block, so any API error (4xx/5xx, network failure, permission denied) propagates as an unhandled promise rejection and the user sees no error feedback. Move the `mutateAsync` call inside the try block so API failures are caught and surfaced via `createNotification`.