From 77906bc8170e2a8bc318f7445e11564a3352a965 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?dni=20=E2=9A=A1?= <office@dnilabs.com>
Date: Fri, 30 May 2025 17:49:11 +0200
Subject: [PATCH] feat: more verbose aes decrypt function (#3177)

---
 lnbits/utils/crypto.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/lnbits/utils/crypto.py b/lnbits/utils/crypto.py
index c8506f29..f093181d 100644
--- a/lnbits/utils/crypto.py
+++ b/lnbits/utils/crypto.py
@@ -56,10 +56,11 @@ class AESCipher:
         return data + (chr(length) * length).encode()
 
     def unpad(self, data: bytes) -> bytes:
-        _last = data[-1]
-        if isinstance(_last, int):
-            return data[:-_last]
-        return data[: -ord(_last)]
+        padding = data[-1]
+        # Ensure padding is within valid range else there is no padding
+        if padding <= 0 or padding >= self.block_size:
+            return data
+        return data[:-padding]
 
     def derive_iv_and_key(
         self, salt: bytes, output_len: int = 32 + 16
@@ -94,13 +95,16 @@ class AESCipher:
         try:
             decrypted_bytes = aes.decrypt(encrypted_bytes)
         except Exception as exc:
-            raise ValueError("Decryption error: could not decrypt") from exc
+            raise ValueError("Could not decrypt payload") from exc
 
         unpadded = self.unpad(decrypted_bytes)
         if len(unpadded) == 0:
-            raise ValueError("Decryption error: unpadding failed")
+            raise ValueError("Unpadding resulted in empty data.")
 
-        return unpadded.decode()
+        try:
+            return unpadded.decode()
+        except UnicodeDecodeError as exc:
+            raise ValueError("Decryption resulted in invalid UTF-8 data.") from exc
 
     def encrypt(self, message: bytes, urlsafe: bool = False) -> str:
         """