Komoot synchronization is not working - secret (password) is encrypted multiple times #209

Open
Kami opened this issue Mar 23, 2025 · 3 comments

@Kami
Contributor

Kami commented Mar 23, 2025

Description

I tried to get the Komoot sync working but ran into persistent issues. I kept getting Invalid credentials, and occasionally enabling the integration would also fail with the same error.

After adding some debug logs, I noticed that the Komoot secret (password) was being encrypted multiple times. This was causing the decryption to fail during sync / login.

The same issue likely also exists with other integrations (Strava).

Quick Fix

As a temporary workaround, I added a simple check to detect if the secret already looks encrypted:

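package util

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
)

// LooksLikeEncrypted reports whether s is valid standard base64 that decodes
// to more bytes than an AES-GCM nonce. It is a shape heuristic only: it never
// uses the real key and never verifies the authentication tag.
func LooksLikeEncrypted(s string) bool {
	decoded, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return false
	}

	// The cipher is built only to read the GCM nonce size (12 bytes).
	block, err := aes.NewCipher(make([]byte, 32)) // dummy key
	if err != nil {
		return false
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return false
	}

	nonceSize := gcm.NonceSize()
	return len(decoded) > nonceSize
}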

This gets applied here:

diff --git a/db/main.go b/db/main.go
index abcdef1..1234567 100644
--- a/db/main.go
+++ b/db/main.go
@@ func encryptIntegrationSecrets(app core.App, r *core.Record) error {
-            for _, secretKey := range secretKeys {
-                if secret, ok := integration[secretKey].(string); ok && len(secret) > 0 {
+            for _, secretKey := range secretKeys {
+                if secret, ok := integration[secretKey].(string); ok && len(secret) > 0 && !util.LooksLikeEncrypted(secret) {
                     encryptedSecret, err := security.Encrypt([]byte(secret), encryptionKey)
                     if err != nil {
                         return err
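Review bot: the added !util.LooksLikeEncrypted(secret) condition on the "if secret, ok := ..." line decides from shape alone (valid base64 that decodes to more than the GCM nonce size), so a plaintext secret that happens to be base64-like, such as a long alphanumeric password or token whose length is a multiple of four, skips security.Encrypt and is stored unencrypted. Make the test depend on encryptionKey instead: treat the value as already encrypted only if it authenticates under that key, or mark stored ciphertext with an explicit prefix and check for that. A short comment on this line explaining that the guard exists to stop re-encryption on record update would also help the next reader.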

This does the trick (for now).

Notes

This isn't a proper fix - just a quick workaround to get sync working.

The root cause likely has to do with how the record is updated and when the secret gets re-encrypted. I'll dig into that in more detail when I get a chance.

I also have some other local changes (like an improved multi-stage Docker build, better debug logging, etc), which I'll try to clean up and PR separately.

Thanks

P.S. Thanks for starting and working on this project.
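A key-dependent version of the "already encrypted?" guard discussed above, as an added example that is not part of the original issue or the project's code. It assumes stored secrets are base64(nonce || ciphertext || tag) under AES-256-GCM; newGCM, isOurCiphertext and encryptOnce are hypothetical names, and the key and password are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// isOurCiphertext is true only if s decodes, is long enough to hold a nonce
// and a tag, and authenticates under gcm. Shape alone is never enough.
func isOurCiphertext(gcm cipher.AEAD, s string) bool {
	raw, err := base64.StdEncoding.DecodeString(s)
	n := gcm.NonceSize()
	if err != nil || len(raw) < n+gcm.Overhead() {
		return false
	}
	_, err = gcm.Open(nil, raw[:n], raw[n:], nil)
	return err == nil
}

// encryptOnce returns s unchanged if it is already a ciphertext for this key.
func encryptOnce(gcm cipher.AEAD, s string) (string, error) {
	if isOurCiphertext(gcm, s) {
		return s, nil
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(s), nil)), nil
}

func main() {
	gcm, _ := newGCM([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte key
	once, _ := encryptOnce(gcm, "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd") // base64-shaped password
	twice, _ := encryptOnce(gcm, once)
	fmt.Println(once == twice) // true: the second pass is a no-op
}
```

The sample password is valid base64 and decodes to 30 bytes, so a length-only check would classify it as encrypted; here it fails tag verification and is encrypted exactly once.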

@huggenknubbel
Contributor

I tried to set up the Komoot sync, I got the message: "failed to setup the strava intergration. "
There is something mismatched.

@Flomp
Owner

Flomp commented Mar 28, 2025

Hey there,

Thank you for reporting and the PR @Kami. It turns out that pocketbase changed the way hooks handle the request. I censor the secrets before sending them back to the client to prevent double encryption. With the new hook setup, this did not work, and encrypted data got sent to the client, which in turn sent it to the server, leading to the problem described above.
I hope I fixed the problem with af106d4.

Nonetheless, I think it is a good idea to also prevent this on the server side, so I will have a look at #216 and merge it.

@Flomp Flomp added the Pending publication The issue is fixed and will be included in the next patch label Mar 28, 2025
@Flomp
Owner

Flomp commented Mar 28, 2025

Fixed in v0.16.1

@Flomp Flomp removed the Pending publication The issue is fixed and will be included in the next patch label Mar 28, 2025