♻️ refactor(utils): enhance encryption key handling

- add base64 and hashlib imports for key derivation
- improve key validation to accept passphrase or full key
- handle exceptions during Fernet key creation for robustness

app/utils.py

@@ -1,3 +1,5 @@
+import base64
+import hashlib
 import os
 import secrets
 from typing import Optional
@@ -10,11 +12,17 @@ _ENC_KEY = os.getenv("ENCRYPTION_KEY")
 _f = None
 
 if _ENC_KEY:
-    # If the key is already a valid Fernet key string, use it directly.
+    try:
-    # Otherwise you could do more validation/derivation, but for now we assume a proper key.
+        key_str = _ENC_KEY.strip()
-    _f = Fernet(
+        # Accept either a full Fernet key or derive one from an arbitrary passphrase.
-        _ENC_KEY.encode() if not _ENC_KEY.strip().endswith("=") else _ENC_KEY
+        if len(key_str) >= 44 and key_str.endswith("="):
-    )
+            fernet_key = key_str.encode()
+        else:
+            digest = hashlib.sha256(key_str.encode("utf-8")).digest()
+            fernet_key = base64.urlsafe_b64encode(digest)
+        _f = Fernet(fernet_key)
+    except Exception:
+        _f = None
 
 
 def can_encrypt() -> bool: