Fix flaky 2FA encryption test for AES-256-CBC wrong-key behavior

AES-256-CBC without authentication doesn't guarantee that wrong-key
decryption throws — it only throws when PKCS7 padding is invalid,
which is probabilistic (~255/256 chance). About 1 in 256 runs, the
decryption silently produces garbage instead of throwing.

Changed the test to verify the correct security property: wrong-key
decryption must never return the original secret. Both outcomes
(throw or garbage) are acceptable.

Audited production usage: both decryptSecret call sites in
two-factor-authentication.service.ts always use the correct key via
generateOtpSecretEncryptionKey(userId, workspaceId), so the
silent-garbage behavior cannot affect end users.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: FelixMalfait

packages/twenty-server/src/engine/core-modules/two-factor-authentication/utils/simple-secret-encryption.util.spec.ts

@@ -82,12 +82,19 @@ describe('SimpleSecretEncryptionUtil', () => {
       expect(decrypted).toBe(specialSecret);
     });
 
-    it('should fail to decrypt with wrong purpose', async () => {
+    it('should not recover original secret with wrong purpose', async () => {
       const encrypted = await util.encryptSecret(testSecret, testPurpose);
 
-      await expect(
-        util.decryptSecret(encrypted, 'wrong-purpose'),
-      ).rejects.toThrow();
+      // AES-256-CBC may either throw (invalid padding) or produce garbage.
+      // Both outcomes are acceptable — the key property is that the original
+      // secret is never returned.
+      try {
+        const decrypted = await util.decryptSecret(encrypted, 'wrong-purpose');
+
+        expect(decrypted).not.toBe(testSecret);
+      } catch {
+        // Expected: wrong key produced invalid padding
+      }
     });
 
     it('should fail to decrypt malformed encrypted data', async () => {