Creating secrets via API (Node.js/n8n): Secret created but "Decryption Failed" in browser

[MarcGach]

Hello,
I am trying to programmatically create secrets using n8n (Node.js) via the /api/secret endpoint.

The API accepts my payload successfully (I receive the secret ID), but when I open the generated link with the decryptionKey hash, the frontend throws a "Decryption Failed" error or invalid password.

I am trying to replicate the browser's encryption logic server-side. Here is my current configuration in javaScript.

`const crypto = require('crypto');

// --- CONFIGURATION ---
const password = String(items[0].json.mdp_bast || "MonMotDePasseTest");
const title = "Access";

// 1. URL KEY (On reste sur du standard)
let masterKeyBuffer = crypto.randomBytes(32); // 32 bytes = 256 bits direct
let masterKeyString = masterKeyBuffer.toString('base64');
masterKeyString = masterKeyString.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');

// 2. LE SEL (SALT)
// On génère 64 octets, convertis en Hex
const saltBuffer = crypto.randomBytes(64);
const saltString = saltBuffer.toString('hex');

// 3. DÉRIVATION (LA CORRECTION EST ICI)
// HYPOTHÈSE : Le frontend utilise la chaîne 'saltString' (ex: "a1b2...") directement 
// sans la décoder en binaire. On fait donc pareil ici.
const derivedKey = crypto.pbkdf2Sync(
    masterKeyString, 
    saltString,
    100000, 
    32, 
    'sha256'
);

// 4. CHIFFREMENT
function encrypt(text, key) {
    // IV : On reste sur 12 octets (Standard GCM absolu)
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    
    const encrypted = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
    const tag = cipher.getAuthTag();

    // ORDRE : [IV] + [Message] + [Tag]
    const finalBuffer = Buffer.concat([iv, encrypted, tag]);

    const payloadObj = {};
    for (let i = 0; i < finalBuffer.length; i++) {
        payloadObj[i] = finalBuffer[i];
    }
    return payloadObj;
}

const secretPayload = encrypt(password, derivedKey);
const titlePayload = encrypt(title, derivedKey);

return {
    json: {
        apiBody: {
            secret: secretPayload,
            title: titlePayload,
            salt: saltString,
            expiresAt: 86400,
            views: 5,
            isBurnable: true
        },
        urlFragment: "decryptionKey=" + masterKeyString
    }
};

`

I am trying to replicate the encryption logic in my script (using AES-256-GCM and PBKDF2).
Could you please confirm the exact parameters expected by the frontend?

Iterations: Is it 100,000?
Salt: Should the salt be passed to PBKDF2 as a Hex string or Bytes?
Payload: Does the secret field expect a raw array of bytes or a specific encoding?

Thanks for your help!

[bjarneo]

Hey.

Here is the code https://github.com/HemmeligOrg/Hemmelig.app/blob/v7/src%2Flib%2Fcrypto.ts

[MarcGach]

Perfect ! Thank you very much ! it works :)