Context

This library is pretty old, and thus the encryption scheme used is slightly outdated. We have a ton of already-encrypted data in our production database, so we need a feature that allows us to support old and new schemes simultaneously.

Things that need to be changeable

1. Cipher type (right now we are stuck on aes-256-cbc)
2. Password hashing (stuck on PKCS5 1.5)

One possible way to do it

We'll have to encode a plaintext "version" alongside our ciphertexts. Since we're using base64, we can safely prefix new payloads with a special character, followed by a version number.

# Old:
U2FsdGVkX19hYmNkZWZnaNP1CILqdQwlmuFn9x/Yr9s=\n

# New:
-v1-U2FsdGVkX19hYmNkZWZnaNP1CILqdQwlmuFn9x/Yr9s=\n

Before decrypting, we'll first see if the ciphertext starts with -.
If it does not start with -, we will decrypt using good ole' aes-256-cbc and PKCS5 1.5.
If it does start with -, we read the version string. We can make up new version strings for any new encryption scheme in the future.

We have a difficulty in a client which uses this library where we had data extracted from the db and passed to this code, only for it to throw an unexpected type exception. This was because the library cannot handle nil as an input.

When on this line, data is nil

It throws a TypeError: no implicit conversion of nil into String, which makes sense in this context but is cryptic in the client application.