* fix(backfill): stop backfill_encryption double-encoding json/jsonb columns
security:backfill_encryption's plaintext fallback reads jsonb columns via
read_attribute_before_type_cast, which returns the JSON text; assigning
that String to the encrypted setter encrypts the text itself, so the
column thereafter decrypts to a String instead of the original
Array/Hash. Parse the raw value for json/jsonb columns before handing it
to the encryptor. Adds a regression test that fails on main.
Fixes#2611
* fix(backfill): gate backfill on nil-ness so empty values get encrypted
Addresses the Codex review comment on #2615: empty values ({}, [], \"\")
are plaintext that needs encrypting, but the present? gates skipped them,
leaving data the encrypted getters raise on once keys are live. Several
payload columns default to {}. Also applies the same nil-gate to
backfill_sessions user_agent (same idiom; precautionary). Regression
test added.
* docs(security): scope note - backfill doesn't fix any existing double-encoding
Per review: rows corrupted by the pre-fix task decrypt successfully to a
String, so this task cannot distinguish them from legitimately stored
strings; auto-repair would risk mangling valid data for a bounded, shrinking
cohort. Document the limitation and point affected operators at the manual
recovery script in #2611. Also adopt column.type over sql_type substring
matching (review nitpick); behaviour unchanged.
* refactor: rename `raw_investments_payload` to `raw_holdings_payload`
- Update references and models to use consistent naming.
- Adjust migrations, tests, and encryption setup accordingly.
* fix: improve safety when accessing raw_holdings_payload keys
- Use `dig` with safe navigation to prevent potential nil errors.
- Add support for decryption from the old column name `raw_investments_payload`.
- Adjust related methods and calculations for consistency.
---------
Co-authored-by: luckyPipewrench <luckypipewrench@proton.me>
* Initial sec
* Update PII fields
* FIX add tests
* FIX safely read plaintext data on rake backfill
* Update user.rb
* FIX tests
* encryption_ready? block
* Test conditional to encryption on
---------
Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>