
feat: enforce hashed api key auth #234

Open
pq198363-ops wants to merge 1 commit into Agentpay-Org:main from pq198363-ops:bounty-33-api-key-auth

@pq198363-ops


Closes #33.

Summary

  • add REQUIRE_API_KEY=true enforcement for state-changing routes while leaving GET/HEAD/OPTIONS open
  • store generated tenant API keys by SHA-256 hash with only the 8-character prefix retained for listing/revocation
  • compare tenant/admin credentials with constant-time digest helpers and attach only key metadata to requests
  • require ADMIN_API_KEY for privileged writes, including POST /api/v1/admin/* and API-key creation/revocation
  • document authentication setup and update recognition tests for hashed key metadata

Threat model note

Tenant API keys are returned once at creation and are no longer stored as live secrets in apiKeyStore. GET /api/v1/api-keys returns only prefix/label/createdAt. With REQUIRE_API_KEY=true, normal writes need a tenant key, while admin writes and credential management need the separate ADMIN_API_KEY so a tenant key cannot pause/unpause the backend or mint new tenant keys.

RED evidence

Before implementation, the focused auth test failed because:

  • missing X-API-Key still allowed POST /api/v1/usage with 201 instead of 401
  • apiKeyStore contained the raw generated key
  • POST /api/v1/admin/pause accepted unauthenticated requests with 200 instead of 401

Verification

  • npx prettier --check README.md src/auth/apiKeys.ts src/auth/apiKeys.test.ts src/middleware/index.ts src/routes/apiKeys.ts src/store/state.ts src/types.ts src/apikey-recognition.test.ts src/routes/operational.test.ts
  • npm run lint
  • clean dist/, then npm run build
  • $env:NODE_ENV='test'; node --test dist/*.test.js dist/**/*.test.js
  • git diff --check

Full clean test result: 94 tests, 11 suites, all passed.
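
The scheme described in the Summary and Threat model note above, as an added example that is not code from this pull request. The names `keyStore`, `createKey`, `verifyTenantKey` and `isAllowed`, the 32-byte hex key format, and the path-prefix test for privileged routes are assumptions made for illustration.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Only metadata and the SHA-256 digest are stored; the raw key exists only in the creation response.
interface KeyRecord { prefix: string; hash: Buffer; label: string; createdAt: string }
type KeyMeta = Omit<KeyRecord, "hash">;

const keyStore = new Map<string, KeyRecord>(); // hypothetical in-memory store, indexed by prefix
const sha256 = (s: string): Buffer => createHash("sha256").update(s, "utf8").digest();

// Hash both sides first: equal-length digests keep timingSafeEqual from throwing
// and avoid leaking the length of the expected secret.
const digestEqual = (a: string, b: string): boolean => timingSafeEqual(sha256(a), sha256(b));

const toMeta = (r: KeyRecord): KeyMeta => ({ prefix: r.prefix, label: r.label, createdAt: r.createdAt });

function createKey(label: string): { rawKey: string; meta: KeyMeta } {
  const rawKey = randomBytes(32).toString("hex"); // assumed key format
  const rec: KeyRecord = { prefix: rawKey.slice(0, 8), hash: sha256(rawKey), label, createdAt: new Date().toISOString() };
  keyStore.set(rec.prefix, rec);
  return { rawKey, meta: toMeta(rec) }; // rawKey is returned once and never persisted
}

function verifyTenantKey(presented: string | undefined): KeyMeta | null {
  if (!presented) return null;
  const rec = keyStore.get(presented.slice(0, 8)); // the prefix is a lookup handle, not a secret
  return rec && timingSafeEqual(rec.hash, sha256(presented)) ? toMeta(rec) : null;
}

const listKeys = (): KeyMeta[] => Array.from(keyStore.values()).map(toMeta);

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
// Assumption: admin writes live under /api/v1/admin/ and key management under /api/v1/api-keys.
const isPrivileged = (path: string): boolean =>
  path.startsWith("/api/v1/admin/") || path.startsWith("/api/v1/api-keys");

interface AuthConfig { requireApiKey: boolean; adminApiKey: string }

function isAllowed(method: string, path: string, apiKey: string | undefined, cfg: AuthConfig): boolean {
  if (!cfg.requireApiKey || SAFE_METHODS.has(method.toUpperCase())) return true;
  if (isPrivileged(path)) {
    // Fail closed when ADMIN_API_KEY is unset, so an empty header cannot match an empty secret.
    return cfg.adminApiKey.length > 0 && !!apiKey && digestEqual(apiKey, cfg.adminApiKey);
  }
  return verifyTenantKey(apiKey) !== null;
}
```
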


Development

Successfully merging this pull request may close these issues.

Enforce API-key authentication on all state-changing endpoints
