From ab31901a20d04a44b97d8a6c4791dd82dd4860f5 Mon Sep 17 00:00:00 2001
From: NicolasCantu
Date: Sun, 26 Oct 2025 02:45:48 +0100
Subject: [PATCH] security: deprecate non-encrypting WebAuthn methods and add warnings
---
 src/pages/wallet-setup/wallet-setup.ts | 2 +-
 src/services/credentials/encryption.service.ts | 15 ++++++++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/pages/wallet-setup/wallet-setup.ts b/src/pages/wallet-setup/wallet-setup.ts
index edfe6e9..b93220a 100644
--- a/src/pages/wallet-setup/wallet-setup.ts
+++ b/src/pages/wallet-setup/wallet-setup.ts
@@ -407,7 +407,7 @@ document.addEventListener('DOMContentLoaded', async () => {
 console.error('❌ TEST: Failed to retrieve PBKDF2 key for decryption test');
 } else {
 console.log('✅ TEST: PBKDF2 key retrieved for decryption test');
-
+
 // Déchiffrer le wallet chiffré (format base64)
 const decryptedWallet = await encryptionService.decryptWithPasswordBase64(
 finalVerification.encrypted_wallet,
diff --git a/src/services/credentials/encryption.service.ts b/src/services/credentials/encryption.service.ts
index 53bff90..bbaa8b7 100644
--- a/src/services/credentials/encryption.service.ts
+++ b/src/services/credentials/encryption.service.ts
@@ -265,32 +265,37 @@ export class EncryptionService {
 /**
- * Chiffre des credentials avec WebAuthn
+ * WARNING: DEPRECATED - This method does NOT encrypt, only base64 encoding
+ * Use encryptWithPassword or WebAuthn key encryption instead
 */
 async encryptWithWebAuthn(
 credentials: CredentialData,
 credentialId: string
 ): Promise {
+ secureLogger.error('encryptWithWebAuthn is deprecated and does NOT encrypt data', new Error('Use encryptWithPassword or WebAuthn encryption'));
+
 const data = JSON.stringify({
 spendKey: credentials.spendKey,
 scanKey: credentials.scanKey,
 timestamp: credentials.timestamp
 });
- // Pour l'instant, on utilise un chiffrement simple
- // Dans une vraie implémentation, on utiliserait la clé publique WebAuthn
+ // WARNING: Only base64 encoding, no encryption - DO NOT USE FOR SENSITIVE DATA
 const encoded = btoa(data);
 return encoded;
 }
 /**
- * Déchiffre des credentials avec WebAuthn
+ * WARNING: DEPRECATED - This method does NOT decrypt, only base64 decoding
+ * Use decryptWithPassword or WebAuthn key decryption instead
 */
 async decryptWithWebAuthn(
 encryptedData: string,
 credentialId: string
 ): Promise {
- // Pour l'instant, on utilise un déchiffrement simple
+ secureLogger.error('decryptWithWebAuthn is deprecated and does NOT decrypt data', new Error('Use decryptWithPassword or WebAuthn decryption'));
+
+ // WARNING: Only base64 decoding, no decryption - DO NOT USE FOR SENSITIVE DATA
 const decoded = atob(encryptedData);
 const data = JSON.parse(decoded);