fix: specify authTagLength on createCipheriv calls for AES-GCM consistency

Complements #3881 by adding explicit authTagLength: 16 to the encrypt
side as well, ensuring both cipher and decipher specify the tag length.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/lib/api-key/crypto.ts

@@ -36,7 +36,7 @@ export async function encryptApiKey(apiKey: string): Promise<{ encrypted: string
   }
 
   const iv = randomBytes(16)
-  const cipher = createCipheriv('aes-256-gcm', key, iv)
+  const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
   let encrypted = cipher.update(apiKey, 'utf8', 'hex')
   encrypted += cipher.final('hex')
 

apps/sim/lib/core/security/encryption.ts

@@ -21,7 +21,7 @@ export async function encryptSecret(secret: string): Promise<{ encrypted: string
   const iv = randomBytes(16)
   const key = getEncryptionKey()
 
-  const cipher = createCipheriv('aes-256-gcm', key, iv)
+  const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
   let encrypted = cipher.update(secret, 'utf8', 'hex')
   encrypted += cipher.final('hex')
 

packages/db/scripts/migrate-block-api-keys-to-byok.ts

@@ -125,7 +125,7 @@ function getEncryptionKeyBuffer(): Buffer {
 async function encryptSecret(secret: string): Promise<string> {
   const iv = randomBytes(16)
   const key = getEncryptionKeyBuffer()
-  const cipher = createCipheriv('aes-256-gcm', key, iv)
+  const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
   let encrypted = cipher.update(secret, 'utf8', 'hex')
   encrypted += cipher.final('hex')
   const authTag = cipher.getAuthTag()