fix: dashboard decrypts masked_card + accept unknown CLI args + community discussion

TPEmist · TPEmist · commit 4280470b533e · 2026-04-09T18:01:28.000-07:00
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -125,3 +125,15 @@ The `PopBrowserInjector` uses Playwright's `connectOverCDP` for cross-origin ifr
 - A brief note in the PR description confirming you verified the domain is controlled by the payment processor, not a reseller or affiliate
 
 If you have an idea for a feature or a bug fix, please open an issue or submit a Pull Request!
+
+## Open Discussion: masked_card Encryption
+
+Currently, `masked_card` values (e.g., `****-4242`) are encrypted at rest in SQLite using AES-256-GCM. The dashboard API decrypts them before display.
+
+We're seeking community input on whether this encryption is necessary:
+- **Current state**: Masked card values like `****-4242` are encrypted in `pop_state.db` and decrypted on read
+- **Argument for keeping**: Defense-in-depth — even masked data gets encryption
+- **Argument for removing**: `****-4242` is not PCI-sensitive data (PCI DSS explicitly allows truncated PAN display). Encryption adds complexity and caused a dashboard display bug where raw ciphertext was shown instead of the masked value
+- **Note**: Full card numbers are never stored in the database — only the masked form
+
+If you have opinions on this, please open an issue or discussion.
diff --git a/dashboard/server.py b/dashboard/server.py
@@ -125,6 +125,26 @@ def get_seals(self, status_filter=None):
         conn.close()
         
         seals = [dict(row) for row in rows]
+
+        # Decrypt masked_card for display
+        import hashlib, hmac, socket, base64
+        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+        try:
+            enc_key = hmac.new(b"pop-pay-state-salt", socket.gethostname().encode(), hashlib.sha256).digest()
+            for seal in seals:
+                mc = seal.get("masked_card")
+                if mc:
+                    try:
+                        data = base64.b64decode(mc)
+                        if len(data) >= 28:
+                            nonce, tag, ct = data[:12], data[12:28], data[28:]
+                            aesgcm = AESGCM(enc_key)
+                            seal["masked_card"] = aesgcm.decrypt(nonce, tag + ct, None).decode("utf-8")
+                    except Exception:
+                        pass  # Already plaintext or corrupt
+        except Exception:
+            pass  # cryptography not installed — show raw
+
         self._set_headers()
         self.wfile.write(json.dumps(seals).encode())
 
@@ -196,7 +216,7 @@ def main():
     parser.add_argument("--db", type=str, default=DEFAULT_DB_PATH, help=f"Path to SQLite database (default: {DEFAULT_DB_PATH})")
     parser.add_argument("--no-open", action="store_true", help="Do not open the browser automatically")
     
-    args = parser.parse_args()
+    args, _ = parser.parse_known_args()
     
     server = create_server(args.port, args.db)
     url = f"http://127.0.0.1:{args.port}"
