From f8f94c1f5eb5311f484dea1ed0854919407e7d9f Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Thu, 29 Jan 2026 11:40:08 +0100
Subject: [PATCH] fix(naisapi/auth): return appropriate error when encountering old data in keyring

---
 internal/keyring/keyring.go | 13 +++++++++++--
 internal/naisapi/auth/oidcuser.go | 2 +-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/internal/keyring/keyring.go b/internal/keyring/keyring.go
index e9f29cff..36afc874 100644
--- a/internal/keyring/keyring.go
+++ b/internal/keyring/keyring.go
@@ -6,6 +6,7 @@ package keyring
 import (
 "encoding/base64"
 "errors"
+ "fmt"
 "time"

 "github.com/zalando/go-keyring"
@@ -16,7 +17,10 @@ const (
 keyringUser = "nais-user"
 )

-var ErrSecretNotFound = errors.New("secret not found in keyring")
+var (
+ ErrSecretNotFound = errors.New("secret not found in keyring")
+ ErrInvalidData = errors.New("invalid data stored in keyring")
+)

 type TimeoutError struct {
 message string
@@ -55,7 +59,12 @@ func GetBytes() ([]byte, error) {
 if err != nil {
 return nil, err
 }
- return base64.StdEncoding.DecodeString(encoded)
+
+ bytes, err := base64.StdEncoding.DecodeString(encoded)
+ if err != nil {
+ return nil, fmt.Errorf("%w: decode base64: %+v", ErrInvalidData, err)
+ }
+ return bytes, nil
 }

 func Set(value string) error {
diff --git a/internal/naisapi/auth/oidcuser.go b/internal/naisapi/auth/oidcuser.go
index 969eb864..ce6b778a 100644
--- a/internal/naisapi/auth/oidcuser.go
+++ b/internal/naisapi/auth/oidcuser.go
@@ -44,7 +44,7 @@ func (u *oidcUser) Refresh(ctx context.Context) (*oidcUser, error) {
 func getOIDCUser(ctx context.Context) (*oidcUser, error) {
 encryptionKey, err := keyring.GetBytes()
 if err != nil {
- if errors.Is(err, keyring.ErrSecretNotFound) {
+ if errors.Is(err, keyring.ErrSecretNotFound) || errors.Is(err, keyring.ErrInvalidData) {
 return nil, ErrNeedsOIDCLogin
 }
 return nil, fmt.Errorf("get encryption key: %w", err)
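Review bot: The new exported sentinel `ErrInvalidData` in the `var (...)` group has no doc comment, yet callers in another package now branch on it, so its meaning should be stated at the declaration. I would add `// ErrInvalidData is returned when a keyring entry exists but cannot be decoded.` above it, and a matching one-line comment on `ErrSecretNotFound` while the group is being touched.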
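Review bot: The wrap in GetBytes formats the decode error with `%+v`, which flattens it to text, so `errors.As`/`errors.Is` can no longer reach the underlying base64 error. If the module targets Go 1.20 or later, both can stay in the chain with `return nil, fmt.Errorf("%w: decode base64: %w", ErrInvalidData, err)`. The local name `bytes` also shadows the standard `bytes` package identifier; `decoded` would be clearer. The stdlib decode error reports only the offset of the bad byte, not the stored value, so the message should not expose key material. GetBytes begins above this hunk, so how `encoded` is obtained is not visible here.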
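Review bot: `ErrInvalidData` as produced in this commit only covers a base64 decode failure, so an old keyring entry that still decodes but has the wrong length for the cipher would skip this branch and presumably fail later with a generic error instead of `ErrNeedsOIDCLogin`. The expected key size is not visible in this diff, but a length check in `keyring.GetBytes` returning the same sentinel would close that gap. Mapping invalid data to a re-login also makes a corrupted or modified keyring entry indistinguishable from a first run, so a comment such as `// undecodable keyring data is treated as missing; a fresh login is expected to replace it` plus a debug-level log before the return would keep the case diagnosable. getOIDCUser continues past the end of this hunk.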