Diffstat (limited to 'backend/internal/database/cookies.go')
-rw-r--r--backend/internal/database/cookies.go22
1 files changed, 17 insertions, 5 deletions
diff --git a/backend/internal/database/cookies.go b/backend/internal/database/cookies.go
index d652b65..3ea21d0 100644
--- a/backend/internal/database/cookies.go
+++ b/backend/internal/database/cookies.go
@@ -98,13 +98,18 @@ ORDER BY expires_at DESC;`, subject, degraded)
func AddCookie(
ctx context.Context,
- exec Executor,
+ exec TransactionExecutor,
kms keys.KeyManagementService,
subject string,
cookie *http.Cookie,
) error {
+ tx, err := exec.BeginTx(ctx, nil)
+ if err != nil {
+ return err
+ }
+
// Get the key ID for the user
- user, err := GetUser(ctx, exec, subject)
+ user, err := GetUser(ctx, tx, subject)
if err != nil {
return fmt.Errorf("unable to get user: %w", err)
}
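Review bot: The transaction opened by `exec.BeginTx(ctx, nil)` is never finished on any path visible in this commit: the diffstat's 17 insertions are all shown here and none of them is a `Commit` or `Rollback`. Every early `return` after this point (user lookup, key lookup, encryption) therefore leaves `tx` open, which with `database/sql` keeps a pooled connection checked out until the context ends. Add `defer tx.Rollback()` directly after the `BeginTx` error check and end the function with `return tx.Commit()`. AddCookie's body continues outside this hunk, and `tx` is presumably a `*sql.Tx`; confirm against the `TransactionExecutor` definition.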
@@ -113,13 +118,20 @@ func AddCookie(
}
// Get the key
- key, err := GetKey(ctx, exec, *user.EncryptionKeyID)
+ var keyName string
+ var key []byte
+ err = tx.QueryRowContext(ctx, `
+SELECT kms_key_name, encrypted_key
+FROM keys
+WHERE id = $1;`,
+ *user.EncryptionKeyID,
+ ).Scan(&keyName, &key)
if err != nil {
return fmt.Errorf("unable to get key: %w", err)
}
// Encrypt the token
- encryptedToken, err := keys.EncryptWithKey(ctx, kms, key.Name, key.Key, []byte(cookie.Value))
+ encryptedToken, err := keys.EncryptWithKey(ctx, kms, keyName, key, []byte(cookie.Value))
if err != nil {
return fmt.Errorf("unable to encrypt token: %w", err)
}
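Review bot: The inlined `SELECT kms_key_name, encrypted_key FROM keys` duplicates what `GetKey` did, and nothing on the page says why the helper was dropped. If `GetKey` accepts the same executor interface that lets `GetUser(ctx, tx, subject)` compile, `GetKey(ctx, tx, *user.EncryptionKeyID)` would keep the key-loading logic in one place. Otherwise add a short comment such as `// Read the key inside tx so it is consistent with the user row read above.` Separately, `keys.EncryptWithKey` is called while `tx` is still open; if that call goes out to the KMS, the transaction and its connection are held for the length of that round trip.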
@@ -127,7 +139,7 @@ func AddCookie(
// Add the cookie to the database
_, err = exec.ExecContext(ctx, `
INSERT INTO ibd_tokens (token, expires_at, user_subject, encryption_key)
-VALUES ($1, $2, $3, $4)`, encryptedToken, cookie.Expires, subject, key.Id)
+VALUES ($1, $2, $3, $4)`, encryptedToken, cookie.Expires, subject, *user.EncryptionKeyID)
if err != nil {
return fmt.Errorf("unable to add cookie: %w", err)
}
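Review bot: The INSERT still runs through `exec.ExecContext`, not `tx.ExecContext`, so the write happens outside the transaction that read the user and key rows and gets none of its isolation. It should be `_, err = tx.ExecContext(ctx, ...)` with the same statement and arguments. As written, the function also needs a second pooled connection while `tx` holds the first, which can block if the pool is capped at one connection. The function's end is outside this hunk.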