@clairekinde11 clairekinde11 commented Sep 28, 2025

New code snippet and decrypt section for workflows.

Summary by CodeRabbit

  • Documentation
    • Added a new "Workflow encryption key" guide covering concepts, how to generate/manage per-workflow keys, encryption/decryption flow, key lifecycle (add/update/activate/deactivate/delete), UI guidance, and a practical decryption example with configuration notes.
    • Removed the previous duplicate "Workflow encryption key" page and updated related links to point to the consolidated guide.

clairekinde11 and others added 7 commits September 11, 2025 16:30
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
- Added comprehensive WorkflowPayloadDecryptor class
- Included AES-GCM decryption implementation
- Added ASP.NET Core controller example
- Included configuration management examples
- Added proper error handling and data models
New topic - accidentally deleted
coderabbitai bot commented Sep 28, 2025

Walkthrough

Adds a new documentation page encrypt-decrypt-workflows.mdx, removes the old workflow-encryption-key.mdx page, and updates a link in the secure-fetch binding doc to reference the new page. The new page documents per-workflow AES‑256‑GCM keys, key management steps, secureFetch flow, and a .NET decryption example.

Changes

| Cohort / File(s) | Summary of Changes |
|---|---|
| Added: New docs page<br>`src/content/docs/workflows/manage-workflows/encrypt-decrypt-workflows.mdx` | New documentation introducing workflow encryption keys, secureFetch encryption flow, key lifecycle actions (add/activate/deactivate/delete), UI guidance, and a .NET AES‑GCM decryption example (Base64 format: nonce |
| Removed: Old docs page<br>`src/content/docs/workflows/manage-workflows/workflow-encryption-key.mdx` | Deleted the prior "workflow-encryption-key" documentation and its front matter; deprecated older guidance and step‑by‑step UI instructions. |
| Modified: Binding doc link<br>`src/content/docs/workflows/bindings/secure-fetch-binding.mdx` | Updated an ai_summary reference link to point to the new encryption docs path (/workflows/manage-workflows/encrypt-decrypt-workflows/). |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  participant Client as Workflow Client
  participant Kinde as Kinde Workflows
  participant Service as Backend Service

  rect rgb(236,248,255)
    Note over Client,Kinde: Client uses secureFetch (encryption enabled)
    Client->>Kinde: secureFetch(payload)
    Kinde->>Kinde: Encrypt body (AES‑GCM: nonce|tag|ciphertext) → Base64
    Kinde->>Service: POST encrypted payload
  end

  rect rgb(240,255,240)
    Service->>Service: Decode Base64, extract nonce/tag/ciphertext, decrypt with active key
    alt Decryption succeeds
      Service-->>Kinde: 2xx response
      Kinde-->>Client: Success
    else Decryption fails
      Service-->>Kinde: 4xx/5xx error
      Kinde-->>Client: Error
    end
  end

  Note over Kinde: Keys can be added/updated/activated/deactivated/deleted via Workflows UI
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Pay brief attention to the updated link in secure-fetch-binding.mdx to ensure no other references remain pointing to the deleted path.
  • Verify front matter and metadata on the new page follow site conventions.

Poem

I twitch my ears at keys anew,
Encrypt and hop where bytes go through.
Nonce and tag, a Base64 song,
AES‑GCM hums all night long.
I nibble bugs and then I sigh—workflows safe, carrot pie.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title refers to fixing/adding a decryption section for workflows, which aligns with the main change of reorganizing and consolidating workflow encryption/decryption documentation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
cloudflare-workers-and-pages bot commented Sep 28, 2025

Deploying kinde-docs-preview with Cloudflare Pages

Latest commit: 2432a1b
Status: ✅  Deploy successful!
Preview URL: https://9dfea226.kinde-docs-preview.pages.dev
Branch Preview URL: https://fix-decryption-section-for-w.kinde-docs-preview.pages.dev

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d88d65d and c0da735.

📒 Files selected for processing (2)
  • src/content/docs/workflows/manage-workflows/encrypt-decrypt-workflows.mdx (1 hunks)
  • src/content/docs/workflows/manage-workflows/workflow-encryption-key.mdx (0 hunks)
💤 Files with no reviewable changes (1)
  • src/content/docs/workflows/manage-workflows/workflow-encryption-key.mdx

Comment on lines +67 to +172
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public class WorkflowPayloadDecryptor
{
private readonly byte[] _encryptionKey;

public WorkflowPayloadDecryptor(string base64EncryptionKey)
{
_encryptionKey = Convert.FromBase64String(base64EncryptionKey);
}

public string DecryptPayload(string encryptedPayload)
{
try
{
// Step 1: Base64 decode the incoming payload
byte[] encryptedData = Convert.FromBase64String(encryptedPayload);

// Step 2: Parse the payload structure
// The payload contains: nonce (12 bytes) + tag (16 bytes) + ciphertext
const int nonceLength = 12;
const int tagLength = 16;

if (encryptedData.Length < nonceLength + tagLength)
{
throw new ArgumentException("Invalid encrypted payload structure");
}

// Extract components
byte[] nonce = new byte[nonceLength];
byte[] tag = new byte[tagLength];
byte[] ciphertext = new byte[encryptedData.Length - nonceLength - tagLength];

Array.Copy(encryptedData, 0, nonce, 0, nonceLength);
Array.Copy(encryptedData, nonceLength, tag, 0, tagLength);
Array.Copy(encryptedData, nonceLength + tagLength, ciphertext, 0, ciphertext.Length);

// Step 3: Decrypt using AES-GCM
using (var aesGcm = new AesGcm(_encryptionKey))
{
byte[] decryptedBytes = new byte[ciphertext.Length];
aesGcm.Decrypt(nonce, ciphertext, tag, decryptedBytes);

// Convert decrypted bytes to string
return Encoding.UTF8.GetString(decryptedBytes);
}
}
catch (Exception ex)
{
throw new InvalidOperationException("Failed to decrypt workflow payload", ex);
}
}
}

// Example usage in an ASP.NET Core controller
[ApiController]
[Route("api/[controller]")]
public class WorkflowController : ControllerBase
{
private readonly WorkflowPayloadDecryptor _decryptor;

public WorkflowController(IConfiguration configuration)
{
// Get the encryption key from configuration
string encryptionKey = configuration["KindeWorkflowEncryptionKey"];
_decryptor = new WorkflowPayloadDecryptor(encryptionKey);
}

[HttpPost("webhook")]
public async Task<IActionResult> HandleWorkflowWebhook()
{
try
{
// Read the encrypted payload from the request body
using var reader = new StreamReader(Request.Body);
string encryptedPayload = await reader.ReadToEndAsync();

// Decrypt the payload
string decryptedJson = _decryptor.DecryptPayload(encryptedPayload);

// Parse the decrypted JSON
var workflowData = JsonSerializer.Deserialize<WorkflowData>(decryptedJson);

// Process the decrypted data
// ... your business logic here ...

return Ok(new { message = "Workflow payload processed successfully" });
}
catch (Exception ex)
{
return BadRequest(new { error = "Failed to process workflow payload", details = ex.Message });
}
}
}

// Example data model for the decrypted payload
public class WorkflowData
{
public string UserId { get; set; }
public string EventType { get; set; }
public Dictionary<string, object> Data { get; set; }
}
```
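
Review bot: In `HandleWorkflowWebhook`, the catch block returns `details = ex.Message` to the caller, so JSON-parsing and other internal exception text is echoed to whoever posts to the webhook; log the exception server-side and return only the generic error. Separately, the `WorkflowPayloadDecryptor` constructor stores whatever `configuration["KindeWorkflowEncryptionKey"]` decodes to without a null or length check, so a missing or mis-sized setting surfaces as an unrelated exception; validate that the decoded key is 32 bytes, matching the AES‑256 keys the walkthrough describes, before storing it.
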
⚠️ Potential issue | 🟠 Major

Add the missing using directives so the sample compiles.

The C# snippet references StreamReader, ControllerBase, IConfiguration, Task<IActionResult>, and Dictionary<string, object>, but the code block only imports core namespaces. Without the matching using statements (System.IO, System.Collections.Generic, System.Threading.Tasks, Microsoft.AspNetCore.Mvc, Microsoft.Extensions.Configuration), readers copying the sample will hit compile errors. Please prepend the snippet with the full set of namespaces (or annotate them inline) so the example builds cleanly.

🤖 Prompt for AI Agents
In src/content/docs/workflows/manage-workflows/encrypt-decrypt-workflows.mdx
around lines 67 to 172, the C# sample is missing required using directives which
cause compile errors for StreamReader, Dictionary, Task<IActionResult>,
ControllerBase and IConfiguration; prepend the file’s code block with the
following usings: System.IO, System.Collections.Generic, System.Threading.Tasks,
Microsoft.AspNetCore.Mvc, and Microsoft.Extensions.Configuration (keeping the
existing System, System.Security.Cryptography, System.Text, and System.Text.Json
lines) so the sample compiles cleanly.
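
A way to exercise a decryptor against the payload layout described in this review (Base64 of nonce | tag | ciphertext, with the 12-byte nonce and 16-byte tag used in the sample above) without waiting for a live secureFetch call. This is an added example, not code from the pull request or from Kinde; it assumes .NET 8 or later for the `AesGcm(key, tagSize)` constructor, and `WorkflowPayloadTestVector`, the random key and the JSON string are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the PR): test vectors for Base64(nonce | tag | ciphertext).
public static class WorkflowPayloadTestVector
{
    private const int NonceLength = 12; // lengths taken from the PR's sample
    private const int TagLength = 16;

    // Produces a payload in the layout the receiving service must parse.
    public static string Encrypt(byte[] key, string plaintext)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plaintext);
        byte[] packed = new byte[NonceLength + TagLength + plain.Length];
        Span<byte> nonce = packed.AsSpan(0, NonceLength);
        Span<byte> tag = packed.AsSpan(NonceLength, TagLength);
        Span<byte> cipher = packed.AsSpan(NonceLength + TagLength);
        RandomNumberGenerator.Fill(nonce); // fresh nonce for every message
        using var aes = new AesGcm(key, TagLength);
        aes.Encrypt(nonce, plain, cipher, tag);
        return Convert.ToBase64String(packed);
    }

    // Mirrors the receiving side: split the buffer, then authenticate and decrypt.
    public static string Decrypt(byte[] key, string payload)
    {
        byte[] data = Convert.FromBase64String(payload);
        if (data.Length < NonceLength + TagLength)
            throw new ArgumentException("Payload shorter than nonce + tag");
        byte[] plain = new byte[data.Length - NonceLength - TagLength];
        using var aes = new AesGcm(key, TagLength);
        aes.Decrypt(data.AsSpan(0, NonceLength), data.AsSpan(NonceLength + TagLength),
                    data.AsSpan(NonceLength, TagLength), plain);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // stand-in AES-256 key
        string payload = Encrypt(key, "{\"UserId\":\"constructed-user\"}");
        Console.WriteLine(Decrypt(key, payload)); // round trip through the layout

        byte[] tampered = Convert.FromBase64String(payload);
        tampered[^1] ^= 0x01; // flip one ciphertext bit
        try { Decrypt(key, Convert.ToBase64String(tampered)); }
        catch (CryptographicException) { Console.WriteLine("tampered payload rejected"); }
    }
}
```

The final `catch` fires because AES-GCM checks the tag before releasing any plaintext, which corresponds to the "Decryption fails" branch of the sequence diagram.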

@alex72508 alex72508 left a comment

Changes look good. Fixed up a reference to the encryption keys that was added in another pull request.

gitguardian bot commented Nov 14, 2025

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 21029323 | Triggered | Generic High Entropy Secret | 71dcde2 | scripts/generate-llms-txt-sections.js |
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
src/content/docs/workflows/manage-workflows/encrypt-decrypt-workflows.mdx (1)

71-176: Add missing using statements so the C# sample compiles.

The code block references ControllerBase, ApiController, Route, HttpPost, IConfiguration, Task<IActionResult>, StreamReader, and Dictionary but lacks the required imports. Readers copying this example will hit compile errors.

Add these using statements before the class declarations:

 using System;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
+using System.Collections.Generic;
+using System.IO;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Configuration;
🧹 Nitpick comments (2)
src/content/docs/workflows/manage-workflows/encrypt-decrypt-workflows.mdx (2)

64-66: Reduce sentence repetition for smoother prose.

The three numbered steps (lines 64–66) all begin with "In [technology]," making the text feel repetitive. Consider varying the sentence structure while preserving clarity.

Example revision:

 1. In Base64, decode the incoming payload.
-2. In AES-GCM, decrypt the decoded data using your workflow's active encryption key (the one you created in the Kinde dashboard).
-3. In .NET, for example, use the `System.Security.Cryptography.AesGcm` class for decryption.
+2. Decrypt the decoded data using AES-GCM with your workflow's active encryption key (created in the Kinde dashboard).
+3. For .NET, use the `System.Security.Cryptography.AesGcm` class for decryption.
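
Review bot: Step 1 in the suggested revision is left as "In Base64, decode the incoming payload.", which keeps the same "In [technology]," opening the nitpick sets out to remove; "Base64-decode the incoming payload." reads more directly. Step 3 also drops "for example", so the .NET class now reads as a required third step rather than one way of carrying out step 2; keeping "for example" or folding the sentence into step 2 preserves the original meaning.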

202-202: Hyphenate compound adjective "three-dot menu".

Multiple instances use "three dots menu," but when a compound adjective precedes a noun, it should be hyphenated: "three-dot menu."

Apply these changes:

-7. When you are ready to update the key in your code, select the three dots menu on the new key, then select **Activate**.
+7. When you are ready to update the key in your code, select the three-dot menu on the new key, then select **Activate**.

-   1. Select the three dots menu on the active key.
+   1. Select the three-dot menu on the active key.

-   1. Select the three dots menu on the inactive key. An inactive key shows no status.
+   1. Select the three-dot menu on the inactive key. An inactive key shows no status.

-3. Next to an inactive key, select the three dots menu.
+3. Next to an inactive key, select the three-dot menu.

Also applies to: 213-213, 217-217, 227-227

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 30e196e and 6efa8cc.

📒 Files selected for processing (2)
  • src/content/docs/workflows/bindings/secure-fetch-binding.mdx (1 hunks)
  • src/content/docs/workflows/manage-workflows/encrypt-decrypt-workflows.mdx (1 hunks)
🧰 Additional context used
🪛 LanguageTool
src/content/docs/workflows/manage-workflows/encrypt-decrypt-workflows.mdx

[style] ~66-~66: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...you created in the Kinde dashboard). 3. In .NET, for example, use the `System.Secu...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)


[grammar] ~202-~202: Use a hyphen to join words.
Context: ...e the key in your code, select the three dots menu on the new key, then select **...

(QB_NEW_EN_HYPHEN)


[grammar] ~213-~213: Use a hyphen to join words.
Context: ...te an active key: 1. Select the three dots menu on the active key. 2. Selec...

(QB_NEW_EN_HYPHEN)


[grammar] ~217-~217: Use a hyphen to join words.
Context: ... deactivated key: 1. Select the three dots menu on the inactive key. An inacti...

(QB_NEW_EN_HYPHEN)


[grammar] ~227-~227: Use a hyphen to join words.
Context: ...ext to an inactive key, select the three dots menu. 4. Select Delete key. A c...

(QB_NEW_EN_HYPHEN)

🔇 Additional comments (1)
src/content/docs/workflows/bindings/secure-fetch-binding.mdx (1)

33-33: Link update correctly points to the new documentation page.

The updated reference to /workflows/manage-workflows/encrypt-decrypt-workflows/ aligns with the migration from the old documentation structure and ensures the binding documentation remains properly linked.

@alex72508 alex72508 merged commit a57a8b2 into main Nov 14, 2025
5 checks passed
@alex72508 alex72508 deleted the Fix/Decryption-section-for-workflows branch November 14, 2025 02:30