CHANGELOG.md (1 addition, 0 deletions)
@@ -8,6 +8,7 @@ This changelog is used as the base for GitHub Release notes.
8
8
9
9
-[new] PRO: `sensitive-fields:rekey` — re-encrypts sensitive field values from an old `APP_KEY` to the current one (supports `--old-key`, `--form`, `--dry-run`)
10
10
-[new] PRO: per-form permission granularity — `view decrypted {form-handle} sensitive fields` grants access to a single form; the global `view decrypted sensitive fields` acts as a wildcard (backward-compatible)
11
+
-[new] CP error toast on decrypt failure — shown once per form per hour when a sensitive field cannot be decrypted (e.g. after an APP_KEY rotation); suppressed in CLI context
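Review bot: the new entry's "suppressed in CLI context" is narrower than what docs/PLAN.md in this same commit describes, where `Toast::error()` is skipped whenever `app()->runningInConsole()` is true, "commands, queue workers" included. Suggest wording it as "suppressed in console context (commands, queue workers)" so readers of the release notes know that a decrypt failure inside a queued job surfaces only through the logged warning.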
README.md (1 addition, 1 deletion)
@@ -112,7 +112,7 @@ Go to **CP → Tools → Addons → Sensitive Form Fields → Settings**:
112
112
-**Pro, authorized** — decrypts and returns plain text
113
113
-**Pro, unauthorized** — returns the configured mask string
114
114
3. Values already prefixed with `enc:v1:` are never double-encrypted.
115
-
4. If decryption fails (e.g. after `APP_KEY` rotation), the raw ciphertext is returned and a warning is logged.
115
+
4. If decryption fails (e.g. after `APP_KEY` rotation), the raw ciphertext is returned, a warning is logged, and an error toast is shown in the CP (once per form per hour to avoid notification spam).
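Review bot: the rewritten step 4 omits the condition under which the toast is not shown. docs/OVERVIEW.md says "HTTP context only", while this sentence reads as if the toast always accompanies a failure. Suggest adding "(HTTP requests only; not from commands or queue workers)". Because the toast appears at most once per form per hour, it would also help to say that the logged warning is the signal for repeat failures inside that hour.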
docs/OVERVIEW.md (3 additions, 2 deletions)
@@ -60,7 +60,7 @@ tests/
60
60
- Checks the current user's permission (`view decrypted sensitive fields`).
61
61
-**Authorized**: strips `enc:v1:` prefix and decrypts the value.
62
62
-**Unauthorized**: replaces the value with the mask string (default `••••••`).
63
-
4. If decryption fails (e.g. key rotation), returns raw ciphertext and logs a warning.
63
+
4. If decryption fails (e.g. key rotation), returns raw ciphertext, logs a warning, and dispatches a CP error toast to the current user (HTTP context only; deduplicated to once per form per hour via `Cache::add`).
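Review bot: "to the current user" combined with "once per form per hour" in the new step 4 means the single toast goes to whichever user's request first hits the failure, and everyone else viewing that form's submissions during the hour gets no notice. The cache key shown in docs/PLAN.md, `sffields.decrypt_failure_notified.{context}`, carries the form handle but no user identifier. Either document that limitation in this step or include the user in the key, so that a user who could run the rekey is not silently skipped.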
docs/PLAN.md (9 additions, 7 deletions)
@@ -172,14 +172,16 @@ Edition is detected via the **Statamic Editions API**: `Addon::edition()` reads
172
172
173
173
## Tests
174
174
175
-
### Unit (FieldEncryptorTest, 7 tests)
175
+
### Unit (FieldEncryptorTest, 9 tests)
176
176
1. Encrypts value with marker prefix
177
177
2. Decrypts back to plaintext
178
178
3. No double encryption
179
179
4. Failed decrypt returns raw + logs warning
180
180
5. isEncrypted detects prefix
181
181
6. mask returns configured value
182
182
7. decrypt returns non-encrypted as-is
183
+
8. Failed decrypt does not dispatch toast in console context
184
+
9. Failed decrypt without context does not dispatch toast in console context
183
185
184
186
### Feature (SensitiveFieldsTest, 12 tests)
185
187
1. Sensitive field stored encrypted
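Review bot: the two added tests, 8 and 9, only assert the negative case (no toast in console context). Nothing in the list covers the behaviour this commit introduces: a toast dispatched on failure in HTTP context, and a second failure for the same form within the hour not dispatching again. Suggest adding both, plus an HTTP-context case with no `$context` passed, since that parameter is optional.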
@@ -243,11 +245,11 @@ Larger teams need per-form control (e.g. HR form vs. contact form handled by dif
243
245
244
246
---
245
247
246
-
### [FREE/PRO] CP notification on decrypt failure — Planned
248
+
### [FREE/PRO] CP notification on decrypt failure — Implemented
247
249
248
-
Currently, decryption failures (e.g. after an unrecovered APP_KEY rotation) are only logged via `Log::warning`. A Statamic CP notification dispatched to super admins would make data corruption visible without requiring log monitoring.
250
+
Decryption failures are now surfaced in the CP as an error toast in addition to the existing `Log::warning`.
249
251
250
-
Implementation sketch:
251
-
-Hook into the existing `catch (\Throwable)`path in `FieldEncryptor::decrypt()`.
252
-
-Dispatch a Statamic `Notification` to super admins (or use a Statamic flash/CP alert).
253
-
-Add a rate-limit or deduplication guard to avoid notification spam.
252
+
-`FieldEncryptor::decrypt()` accepts an optional `string $context` parameter (form handle) for deduplication.
253
+
-In HTTP context, `Cache::add('sffields.decrypt_failure_notified.{context}', true, 3600)`is used as an atomic set-if-not-exists guard — at most one toast per form per hour.
254
+
-`Toast::error()` is skipped entirely when `app()->runningInConsole()` is true (commands, queue workers).
255
+
-`DecryptingSubmissionRepository` passes the form handle as `$context` when calling `decrypt()`.
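Review bot: the first new bullet makes `$context` optional, but the second does not say what the `Cache::add` key becomes when it is omitted. If the key is built as `sffields.decrypt_failure_notified.{context}` with an empty context, every caller that passes no form handle shares one guard and one toast per hour. State the fallback explicitly. The section also drops the earlier plan to notify super admins without noting that the recipient is now the current user; one sentence on that would record the decision.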
'permission_form_description' => 'Allow viewing decrypted values of sensitive fields in this form only',
14
14
15
+
'decrypt_failure_toast' => 'One or more sensitive field values could not be decrypted. Your APP_KEY may have changed. Use sensitive-fields:rekey (Pro) to recover.',
16
+
15
17
'settings_enabled_display' => 'Enabled',
16
18
'settings_enabled_instructions' => 'Enable or disable field encryption.',
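Review bot: the `decrypt_failure_toast` string tells the user to run `sensitive-fields:rekey (Pro)`, yet the feature is headed [FREE/PRO] in docs/PLAN.md and the changelog lists the rekey command as PRO. On the free edition the toast points to a command that is not available. Suggest an edition-aware message, or a neutral one that points to the log and the documentation. The string is also shown to whichever CP user triggered the failure, so consider whether the `APP_KEY` hint belongs in the toast or only in the log.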