fix(backend): redact api key logging (#1530)

Author: riderx

supabase/functions/_backend/private/delete_failed_version.ts

@@ -20,8 +20,15 @@ app.delete('/', middlewareKey(['all', 'write', 'upload']), async (c) => {
   cloudlog({ requestId: c.get('requestId'), message: 'delete failed version body', body })
   const apikey = c.get('apikey')
   const capgkey = c.get('capgkey') as string
-  cloudlog({ requestId: c.get('requestId'), message: 'apikey', apikey })
-  cloudlog({ requestId: c.get('requestId'), message: 'capgkey', capgkey })
+  if (apikey && typeof apikey === 'object') {
+    cloudlog({
+      requestId: c.get('requestId'),
+      message: 'apikey context',
+      apikeyId: (apikey as { id?: number }).id,
+      userId: (apikey as { user_id?: string }).user_id,
+      mode: (apikey as { mode?: string }).mode,
+    })
+  }
   const { data: _userId, error: _errorUserId } = await supabaseApikey(c, capgkey)
     .rpc('get_user_id', { apikey: capgkey, app_id: body.app_id })
   if (_errorUserId) {

supabase/functions/_backend/private/upload_link.ts

@@ -22,6 +22,13 @@ app.post('/', middlewareKey(['all', 'write', 'upload']), async (c) => {
   cloudlog({ requestId: c.get('requestId'), message: 'post upload link body', body })
   const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row']
   const capgkey = c.get('capgkey') as string
+  cloudlog({
+    requestId: c.get('requestId'),
+    message: 'apikey context',
+    apikeyId: apikey.id,
+    userId: apikey.user_id,
+    mode: apikey.mode,
+  })
   const { data: _userId, error: _errorUserId } = await supabaseApikey(c, capgkey)
     .rpc('get_user_id', { apikey: capgkey, app_id: body.app_id })
   if (_errorUserId) {

supabase/functions/_backend/public/device/index.ts

@@ -27,7 +27,13 @@ app.post('/', middlewareKey(['all', 'write']), async (c) => {
   const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row']
 
   cloudlog({ requestId: c.get('requestId'), message: 'body', body })
-  cloudlog({ requestId: c.get('requestId'), message: 'apikey', apikey })
+  cloudlog({
+    requestId: c.get('requestId'),
+    message: 'apikey context',
+    apikeyId: apikey.id,
+    userId: apikey.user_id,
+    mode: apikey.mode,
+  })
 
   // Rate limit: max 1 set per second per device+app, and same channel set max once per 60 seconds
   // Note: We check device_id && app_id only (not channel) so op-level rate limiting applies even for invalid requests
@@ -53,7 +59,13 @@ app.get('/', middlewareKey(['all', 'write', 'read']), async (c) => {
   const body = await getBodyOrQuery<DeviceLink>(c)
   const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row']
   cloudlog({ requestId: c.get('requestId'), message: 'body', body })
-  cloudlog({ requestId: c.get('requestId'), message: 'apikey', apikey })
+  cloudlog({
+    requestId: c.get('requestId'),
+    message: 'apikey context',
+    apikeyId: apikey.id,
+    userId: apikey.user_id,
+    mode: apikey.mode,
+  })
 
   // Rate limit: max 1 get per second per device+app
   if (body.device_id && body.app_id) {
@@ -78,7 +90,13 @@ app.delete('/', middlewareKey(['all', 'write']), async (c) => {
   const body = await getBodyOrQuery<DeviceLink>(c)
   const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row']
   cloudlog({ requestId: c.get('requestId'), message: 'body', body })
-  cloudlog({ requestId: c.get('requestId'), message: 'apikey', apikey })
+  cloudlog({
+    requestId: c.get('requestId'),
+    message: 'apikey context',
+    apikeyId: apikey.id,
+    userId: apikey.user_id,
+    mode: apikey.mode,
+  })
 
   // Rate limit: max 1 delete per second per device+app
   if (body.device_id && body.app_id) {