Add API key authentication foundation #56

Merged

erik merged 1 commit from feat/task-090a180b-api-key-auth-foundation into main 2026-05-22 11:48:56 -05:00

Conversation 1 Commits 1 Files changed 5 +345 -2

erik commented 2026-05-22 11:45:22 -05:00

Owner

Copy link

Summary

• Add api_keys SQLite migration with hash-only API key storage, revocation metadata, and future-compatible scope storage.
• Add API key service for create/list/revoke/verify using Node built-in crypto.
• Add DB-backed bearer validator for protected API routes.
• Add tests for migration, raw-key one-time creation result, list redaction, revocation, invalid keys, and shared bearer auth behavior.

Testing

• make check
• ./scripts/pre-pr.sh
• Manual smoke: DATABASE_PATH=<temp>/slugkit.sqlite npm run db:migrate --workspace @slugkit/template-site

Task: #task-090a180b

## Summary - Add `api_keys` SQLite migration with hash-only API key storage, revocation metadata, and future-compatible scope storage. - Add API key service for create/list/revoke/verify using Node built-in crypto. - Add DB-backed bearer validator for protected API routes. - Add tests for migration, raw-key one-time creation result, list redaction, revocation, invalid keys, and shared bearer auth behavior. ## Testing - `make check` - `./scripts/pre-pr.sh` - Manual smoke: `DATABASE_PATH=<temp>/slugkit.sqlite npm run db:migrate --workspace @slugkit/template-site` Task: #task-090a180b

erik added 1 commit 2026-05-22 11:45:22 -05:00

feat: add API key auth foundation ... a2b674b429

Task: #task-090a180b

erik commented 2026-05-22 11:46:43 -05:00

Author

Owner

Copy link

PR Review: Approved

Summary

Reviewed PR #56 at commit a2b674b. The PR implements the narrowed API key authentication foundation: adds an api_keys migration, hash-only key storage, creation/listing/revocation/verification helpers, a reusable DB-backed bearer validator, and tests proving migration, redaction, revocation, invalid/missing auth failures, and valid protected-route authentication.

Acceptance Criteria

• API key migration applies from an empty SQLite database — covered by migration test and manual db:migrate smoke.
• API key creation returns a raw key once and persists only a hash — createApiKey returns rawKey; DB stores key_hash and metadata only; tests assert raw key is not persisted.
• API key listing never exposes raw keys or hashes — listApiKeys selects metadata columns only; tests assert no rawKey or keyHash.
• API key revocation prevents future authentication — revoked_at excludes keys from verification; tests cover revoked key rejection.
• Valid API keys authenticate protected API requests through shared bearer auth behavior — tested via createBearerAuthMiddleware + createApiKeyValidator.
• Missing, invalid, and revoked API keys fail with the standard API error shape — protected-route tests cover all three.
• Tests cover hashing, one-time raw-key creation result, listing redaction, revocation, and protected-route auth behavior.
• Relevant lint/test checks pass — make check, ./scripts/pre-pr.sh, manual migration smoke, and Forgejo CI passed.

Blocking Issues

None.

Warnings

None.

Verdict

Approved for merge.

## PR Review: Approved ### Summary Reviewed PR #56 at commit `a2b674b`. The PR implements the narrowed API key authentication foundation: adds an `api_keys` migration, hash-only key storage, creation/listing/revocation/verification helpers, a reusable DB-backed bearer validator, and tests proving migration, redaction, revocation, invalid/missing auth failures, and valid protected-route authentication. ### Acceptance Criteria - [x] API key migration applies from an empty SQLite database — covered by migration test and manual `db:migrate` smoke. - [x] API key creation returns a raw key once and persists only a hash — `createApiKey` returns `rawKey`; DB stores `key_hash` and metadata only; tests assert raw key is not persisted. - [x] API key listing never exposes raw keys or hashes — `listApiKeys` selects metadata columns only; tests assert no `rawKey` or `keyHash`. - [x] API key revocation prevents future authentication — `revoked_at` excludes keys from verification; tests cover revoked key rejection. - [x] Valid API keys authenticate protected API requests through shared bearer auth behavior — tested via `createBearerAuthMiddleware` + `createApiKeyValidator`. - [x] Missing, invalid, and revoked API keys fail with the standard API error shape — protected-route tests cover all three. - [x] Tests cover hashing, one-time raw-key creation result, listing redaction, revocation, and protected-route auth behavior. - [x] Relevant lint/test checks pass — `make check`, `./scripts/pre-pr.sh`, manual migration smoke, and Forgejo CI passed. ### Blocking Issues None. ### Warnings None. ### Verdict Approved for merge.

erik referenced this pull request 2026-05-22 11:48:27 -05:00

Add API key authentication foundation #33

erik merged commit 9463c63128 into main 2026-05-22 11:48:56 -05:00

erik referenced this pull request from a commit 2026-05-22 11:48:57 -05:00

Merge pull request 'Add API key authentication foundation' (#56) from feat/task-090a180b-api-key-auth-foundation into main

erik referenced this pull request 2026-05-22 11:53:44 -05:00

Add API key authentication foundation #33

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

activitypub

  

admin

  

api

  

articles

  

auth

  

bug

  

cleanup

  

cli

  

comments

  

compatibility

  

config

  

contacts

  

database

  

deployment

  

design

  

dev-env

  

docs

  

documentation

  

email

  

enhancement

  

feature

  

federation

  

feed

  

homepage

  

implementation

  

integration

  

media

  

openapi

  

priority:high

  

priority:low

  

priority:medium

  

proof

  

public-routes

  

public-ui

  

release

  

safety

  

social

  

sources

  

status:active

  

status:canceled

  

status:done

  

status:inprogress

  

status:waiting

  

syndication

  

tailwind

  

template

  

test

  

web

No labels

activitypub

admin

api

articles

auth

bug

cleanup

cli

comments

compatibility

config

contacts

database

deployment

design

dev-env

docs

documentation

email

enhancement

feature

federation

feed

homepage

implementation

integration

media

openapi

priority:high

priority:low

priority:medium

proof

public-routes

public-ui

release

safety

social

sources

status:active

status:canceled

status:done

status:inprogress

status:waiting

syndication

tailwind

template

test

web

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

erik/slugkit!56

No description provided.