chore(deps): update electron to v42 and migrate to async safeStorage

package.json

@@ -112,7 +112,7 @@
     "concurrently": "9.2.1",
     "date-fns": "4.1.0",
     "dotenv": "17.4.2",
-    "electron": "41.5.0",
+    "electron": "42.0.0",
     "electron-builder": "26.8.1",
     "final-form": "5.0.0",
     "graphql": "16.13.2",

src/main/handlers/storage.test.ts

@@ -1,17 +1,28 @@
+import type { SafeStorage } from 'electron';
+import { safeStorage } from 'electron';
+
 import { EVENTS } from '../../shared/events';
 
 import { registerStorageHandlers } from './storage';
 
+type IpcHandler = (
+  event: unknown,
+  ...args: unknown[]
+) => unknown | Promise<unknown>;
+
 const handleMock = vi.fn();
 
 vi.mock('electron', () => ({
   ipcMain: {
     handle: (...args: unknown[]) => handleMock(...args),
   },
   safeStorage: {
-    encryptString: vi.fn((str: string) => Buffer.from(str)),
-    decryptString: vi.fn((buf: Buffer) => buf.toString()),
-  },
+    encryptStringAsync: vi.fn(async (str: string) => Buffer.from(str)),
+    decryptStringAsync: vi.fn(async (buf: Buffer) => ({
+      shouldReEncrypt: false,
+      result: buf.toString(),
+    })),
+  } satisfies Pick<SafeStorage, 'encryptStringAsync' | 'decryptStringAsync'>,
 }));
 
 const logErrorMock = vi.fn();
@@ -23,6 +34,16 @@ vi.mock('../../shared/logger', async (importOriginal) => {
   };
 });
 
+function getHandler(event: string): IpcHandler {
+  const call = handleMock.mock.calls.find(
+    (entry: unknown[]) => entry[0] === event,
+  );
+  if (!call) {
+    throw new Error(`No handler registered for ${event}`);
+  }
+  return call[1] as IpcHandler;
+}
+
 describe('main/handlers/storage.ts', () => {
   describe('registerStorageHandlers', () => {
     it('registers handlers without throwing', () => {
@@ -39,5 +60,65 @@ describe('main/handlers/storage.ts', () => {
       expect(registeredHandlers).toContain(EVENTS.SAFE_STORAGE_ENCRYPT);
       expect(registeredHandlers).toContain(EVENTS.SAFE_STORAGE_DECRYPT);
     });
+
+    it('encrypt handler returns a base64 string', async () => {
+      registerStorageHandlers();
+      const encrypt = getHandler(EVENTS.SAFE_STORAGE_ENCRYPT);
+
+      const result = await encrypt({}, 'plain-token');
+
+      expect(typeof result).toBe('string');
+      expect(result).toBe(Buffer.from('plain-token').toString('base64'));
+    });
+
+    it('decrypt handler returns the unwrapped plaintext string', async () => {
+      registerStorageHandlers();
+      const decrypt = getHandler(EVENTS.SAFE_STORAGE_DECRYPT);
+
+      const ciphertext = Buffer.from('plain-token').toString('base64');
+      const result = await decrypt({}, ciphertext);
+
+      expect(typeof result).toBe('string');
+      expect(result).toBe('plain-token');
+    });
+
+    it('decrypt handler unwraps result when shouldReEncrypt is true', async () => {
+      vi.mocked(safeStorage.decryptStringAsync).mockResolvedValueOnce({
+        shouldReEncrypt: true,
+        result: 'rotated-token',
+      });
+      registerStorageHandlers();
+      const decrypt = getHandler(EVENTS.SAFE_STORAGE_DECRYPT);
+
+      const result = await decrypt({}, 'irrelevant');
+
+      expect(typeof result).toBe('string');
+      expect(result).toBe('rotated-token');
+    });
+
+    it('encrypt → decrypt round-trip preserves the original string', async () => {
+      registerStorageHandlers();
+      const encrypt = getHandler(EVENTS.SAFE_STORAGE_ENCRYPT);
+      const decrypt = getHandler(EVENTS.SAFE_STORAGE_DECRYPT);
+
+      const ciphertext = (await encrypt({}, 'round-trip-token')) as string;
+      const plaintext = await decrypt({}, ciphertext);
+
+      expect(plaintext).toBe('round-trip-token');
+    });
+
+    it('decrypt handler rethrows and logs on safeStorage failure', async () => {
+      const failure = new Error('keychain unavailable');
+      vi.mocked(safeStorage.decryptStringAsync).mockRejectedValueOnce(failure);
+      registerStorageHandlers();
+      const decrypt = getHandler(EVENTS.SAFE_STORAGE_DECRYPT);
+
+      await expect(decrypt({}, 'irrelevant')).rejects.toBe(failure);
+      expect(logErrorMock).toHaveBeenCalledWith(
+        'main:safe-storage-decrypt',
+        expect.any(String),
+        failure,
+      );
+    });
   });
 });

src/main/handlers/storage.ts

@@ -12,16 +12,20 @@ export function registerStorageHandlers(): void {
   /**
    * Encrypt a string using Electron's safeStorage and return the encrypted value as a base64 string.
    */
-  handleMainEvent(EVENTS.SAFE_STORAGE_ENCRYPT, (_, value: string) => {
-    return safeStorage.encryptString(value).toString('base64');
+  handleMainEvent(EVENTS.SAFE_STORAGE_ENCRYPT, async (_, value: string) => {
+    const encrypted = await safeStorage.encryptStringAsync(value);
+    return encrypted.toString('base64');
   });
 
   /**
    * Decrypt a base64-encoded string using Electron's safeStorage and return the decrypted value.
    */
-  handleMainEvent(EVENTS.SAFE_STORAGE_DECRYPT, (_, value: string) => {
+  handleMainEvent(EVENTS.SAFE_STORAGE_DECRYPT, async (_, value: string) => {
     try {
-      return safeStorage.decryptString(Buffer.from(value, 'base64'));
+      const { result } = await safeStorage.decryptStringAsync(
+        Buffer.from(value, 'base64'),
+      );
+      return result;
     } catch (err) {
       logError(
         'main:safe-storage-decrypt',