From ea5a0032ebcfdbf695de1a0a805d1ca070b6b3c5 Mon Sep 17 00:00:00 2001
From: Marcus Bohessef <mbohessef@segware.com>
Date: Sat, 7 Feb 2026 11:02:02 -0300
Subject: [PATCH] Ajuste nas migrations

---
 .../internal/services/credentials_service.go  |  5 ++++
 backend/scripts/validate_rsa_key.sh           | 27 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 backend/scripts/validate_rsa_key.sh

diff --git a/backend/internal/services/credentials_service.go b/backend/internal/services/credentials_service.go
index 8f7f412..3c631e3 100644
--- a/backend/internal/services/credentials_service.go
+++ b/backend/internal/services/credentials_service.go
@@ -300,6 +300,11 @@ func getRawPrivateKeyBytes() ([]byte, error) {
 
 // BootstrapCredentials checks if credentials are in DB, if not, migrates from Env
 func (s *CredentialsService) BootstrapCredentials(ctx context.Context) error {
+	// If RSA private key is not available, skip migrating env credentials to DB.
+	if _, err := getRawPrivateKeyBytes(); err != nil {
+		fmt.Printf("[CredentialsBootstrap] RSA_PRIVATE_KEY_BASE64 missing or invalid: %v. Skipping ENV->DB credentials migration.\n", err)
+		return nil
+	}
 	// List of services and their env mapping
 	services := map[string]func() interface{}{
 		"stripe": func() interface{} {
diff --git a/backend/scripts/validate_rsa_key.sh b/backend/scripts/validate_rsa_key.sh
new file mode 100644
index 0000000..8f167c3
--- /dev/null
+++ b/backend/scripts/validate_rsa_key.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ -z "${RSA_PRIVATE_KEY_BASE64:-}" ]; then
+  echo "RSA_PRIVATE_KEY_BASE64 is not set"
+  exit 2
+fi
+
+# Try decode base64
+if echo "$RSA_PRIVATE_KEY_BASE64" | base64 -d > /tmp/rsa_key.pem 2>/dev/null; then
+  :
+else
+  # Try replacing literal \n
+  echo "Attempting to replace literal \n and write PEM"
+  printf '%b' "$RSA_PRIVATE_KEY_BASE64" > /tmp/rsa_key.pem
+fi
+
+# Validate with openssl
+if openssl pkey -in /tmp/rsa_key.pem -noout -text >/dev/null 2>&1; then
+  echo "RSA private key is valid PEM"
+  exit 0
+else
+  echo "RSA private key is invalid"
+  echo "Preview (first 20 lines):"
+  sed -n '1,20p' /tmp/rsa_key.pem
+  exit 1
+fi