fix(api): invalidate all team's api keys (#2274)

* fix: invalidate all api keys

* fix: type

Author: jakubno

packages/api/internal/handlers/admin_kill_team_sandboxes.go

@@ -19,6 +19,13 @@ func (a *APIStore) PostAdminTeamsTeamIDSandboxesKill(c *gin.Context, teamID uuid
 	ctx, span := tracer.Start(ctx, "admin-kill-team-sandboxes")
 	defer span.End()
 
+	err := a.authService.InvalidateTeamCache(ctx, teamID)
+	if err != nil {
+		logger.L().Error(ctx, "Failed to invalidate auth cache for team",
+			logger.WithTeamID(teamID.String()),
+			zap.Error(err))
+	}
+
 	logger.L().Info(ctx, "Admin killing all sandboxes for team", logger.WithTeamID(teamID.String()))
 
 	// Get all running sandboxes for the team
@@ -68,6 +75,13 @@ func (a *APIStore) PostAdminTeamsTeamIDSandboxesKill(c *gin.Context, teamID uuid
 		return
 	}
 
+	// Invalidate auth cache for this team so subsequent requests re-check against DB
+	if err := a.authService.InvalidateTeamCache(ctx, teamID); err != nil {
+		logger.L().Error(ctx, "Failed to invalidate auth cache for team",
+			logger.WithTeamID(teamID.String()),
+			zap.Error(err))
+	}
+
 	logger.L().Info(ctx, "Completed killing team sandboxes",
 		zap.String("teamID", teamID.String()),
 		zap.Int64("killed", killedCount.Load()),

packages/auth/pkg/auth/auth_store.go

@@ -96,3 +96,7 @@ func (s *AuthStoreImpl) GetTeamByIDAndUserID(ctx context.Context, userID uuid.UU
 func (s *AuthStoreImpl) GetUserIDByHashedAccessToken(ctx context.Context, hashedToken string) (uuid.UUID, error) {
 	return s.authDB.Read.GetUserIDFromAccessToken(ctx, hashedToken)
 }
+
+func (s *AuthStoreImpl) GetTeamAPIKeyHashes(ctx context.Context, teamID uuid.UUID) ([]string, error) {
+	return s.authDB.Read.GetTeamAPIKeyHashes(ctx, teamID)
+}

packages/auth/pkg/auth/cache.go

@@ -38,6 +38,11 @@ func (c *AuthCache[T]) GetOrSet(ctx context.Context, key string, dataCallback fu
 	return c.cache.GetOrSet(ctx, key, dataCallback)
 }
 
+// Invalidate removes a single entry from the cache by key.
+func (c *AuthCache[T]) Invalidate(key string) {
+	c.cache.Delete(key)
+}
+
 // Close stops the cache's background refresh goroutines.
 func (c *AuthCache[T]) Close(ctx context.Context) error {
 	return c.cache.Close(ctx)

packages/auth/pkg/auth/service.go

@@ -22,6 +22,7 @@ type AuthStore[T TeamItem] interface {
 	GetTeamByHashedAPIKey(ctx context.Context, hashedKey string) (T, error)
 	GetTeamByIDAndUserID(ctx context.Context, userID uuid.UUID, teamID string) (T, error)
 	GetUserIDByHashedAccessToken(ctx context.Context, hashedToken string) (uuid.UUID, error)
+	GetTeamAPIKeyHashes(ctx context.Context, teamID uuid.UUID) ([]string, error)
 }
 
 // AuthService encapsulates the cache, store, and JWT secrets for auth validation.
@@ -196,6 +197,20 @@ func (s *AuthService[T]) ValidateSupabaseTeam(ctx context.Context, ginCtx *gin.C
 	return result, nil
 }
 
+// InvalidateTeamCache queries the team's API key hashes and removes their cached entries.
+func (s *AuthService[T]) InvalidateTeamCache(ctx context.Context, teamID uuid.UUID) error {
+	hashes, err := s.store.GetTeamAPIKeyHashes(ctx, teamID)
+	if err != nil {
+		return fmt.Errorf("failed to get team API key hashes: %w", err)
+	}
+
+	for _, hash := range hashes {
+		s.teamCache.Invalidate(hash)
+	}
+
+	return nil
+}
+
 // Close stops the underlying cache's background refresh goroutines.
 func (s *AuthService[T]) Close(ctx context.Context) error {
 	return s.teamCache.Close(ctx)

packages/db/pkg/auth/queries/get_team_api_key_hashes.sql.go

@@ -0,0 +1,4 @@
+-- name: GetTeamAPIKeyHashes :many
+SELECT tak.api_key_hash
+FROM "public"."team_api_keys" tak
+WHERE tak.team_id = @team_id;