Fix secret rotation filter on dashboard query

2026-01-09 15:38:03 -05:00 · 2025-12-09 00:02:50 -03:00
parent 3a35e54cd9
commit ec5d740536
6 changed files with 20 additions and 18 deletions
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@@ -963,7 +963,8 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
            search,
            tagSlugs: tags,
            includeTagsInSearch: true,
-            includeMetadataInSearch: true
+            includeMetadataInSearch: true,
+            excludeRotatedSecrets: includeSecretRotations
          });

          if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
@@ -985,7 +986,8 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
                offset: adjustedOffset,
                tagSlugs: tags,
                includeTagsInSearch: true,
-                includeMetadataInSearch: true
+                includeMetadataInSearch: true,
+                excludeRotatedSecrets: includeSecretRotations
              })
            ).secrets;

@@ -993,26 +995,11 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
              rawSecrets.map((secret) => secret.id)
            );

-            const rotationSecretIds =
-              includeSecretRotations && secretRotations?.length
-                ? new Set(
-                    secretRotations.flatMap((rotation) => rotation.secrets.filter(Boolean).map((secret) => secret.id))
-                  )
-                : new Set<string>();
-
-            const filteredSecrets = rawSecrets.filter((secret) => !rotationSecretIds.has(secret.id));
-
-            secrets = filteredSecrets.map((secret) => ({
+            secrets = rawSecrets.map((secret) => ({
              ...secret,
              isEmpty: !secret.secretValue,
              reminder: reminders[secret.id] ?? null
            }));
-
-            if (includeSecretRotations && secretRotations?.length && totalSecretCount && rotationSecretIds.size > 0) {
-              const filteredCount = rawSecrets.filter((secret) => !rotationSecretIds.has(secret.id)).length;
-              const originalCount = rawSecrets.length;
-              totalSecretCount = Math.max(0, totalSecretCount - (originalCount - filteredCount));
-            }
          }
        }
      } catch (error) {
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
@@ -416,6 +416,7 @@ export const secretV2BridgeDALFactory = ({ db, keyStore }: TSecretV2DalArg) => {
      tagSlugs?: string[];
      includeTagsInSearch?: boolean;
      includeMetadataInSearch?: boolean;
+      excludeRotatedSecrets?: boolean;
    }
  ) => {
    try {
@@ -481,6 +482,10 @@ export const secretV2BridgeDALFactory = ({ db, keyStore }: TSecretV2DalArg) => {
        );
      }

+      if (filters?.excludeRotatedSecrets) {
+        void query.whereNull(`${TableName.SecretRotationV2SecretMapping}.secretId`);
+      }
+
      const secrets = await query;

      // @ts-expect-error not inferred by knex
@@ -594,6 +599,11 @@ export const secretV2BridgeDALFactory = ({ db, keyStore }: TSecretV2DalArg) => {
            void bd.whereIn(`${TableName.SecretTag}.slug`, slugs);
          }
        })
+        .where((bd) => {
+          if (filters?.excludeRotatedSecrets) {
+            void bd.whereNull(`${TableName.SecretRotationV2SecretMapping}.secretId`);
+          }
+        })
        .orderBy(
          filters?.orderBy === SecretsOrderBy.Name ? "key" : "id",
          filters?.orderDirection ?? OrderByDirection.ASC
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
@@ -888,6 +888,7 @@ export const secretV2BridgeServiceFactory = ({
    | "tagSlugs"
    | "environment"
    | "search"
+    | "excludeRotatedSecrets"
  >) => {
    const { permission } = await permissionService.getProjectPermission({
      actor,
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
@@ -50,6 +50,7 @@ export type TGetSecretsDTO = {
  limit?: number;
  search?: string;
  keys?: string[];
+  excludeRotatedSecrets?: boolean;
 } & TProjectPermission;

 export type TGetSecretsMissingReadValuePermissionDTO = Omit<
@@ -362,6 +363,7 @@ export type TFindSecretsByFolderIdsFilter = {
  includeTagsInSearch?: boolean;
  includeMetadataInSearch?: boolean;
  keys?: string[];
+  excludeRotatedSecrets?: boolean;
 };

 export type TGetSecretsRawByFolderMappingsDTO = {
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@@ -1154,6 +1154,7 @@ export const secretServiceFactory = ({
    | "search"
    | "includeTagsInSearch"
    | "includeMetadataInSearch"
+    | "excludeRotatedSecrets"
  >) => {
    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);

--- a/backend/src/services/secret/secret-types.ts
+++ b/backend/src/services/secret/secret-types.ts
@@ -214,6 +214,7 @@ export type TGetSecretsRawDTO = {
  keys?: string[];
  includeTagsInSearch?: boolean;
  includeMetadataInSearch?: boolean;
+  excludeRotatedSecrets?: boolean;
 } & TProjectPermission;

 export type TGetSecretAccessListDTO = {