feat(api-keys): add workspace level api keys to share with other workspace members, add encryption for api keys (#1323)

* update infra and remove railway

* feat(api-keys): add workspace-level api keys

* encrypt api keys

* Revert "update infra and remove railway"

This reverts commit b23258a.

* reran migrations

* tested workspace keys

* consolidated code

* more consolidation

* cleanup

* consolidate, remove unused code

* add dummy key for ci

* continue with regular path for self-hosted folks that don't have key set

* fix tests

* fix test

* remove tests

* removed ci additions

Author: waleedlatif1

apps/sim/.env.example

@@ -12,7 +12,8 @@ BETTER_AUTH_URL=http://localhost:3000
 NEXT_PUBLIC_APP_URL=http://localhost:3000
 
 # Security (Required)
-ENCRYPTION_KEY=your_encryption_key  # Use `openssl rand -hex 32` to generate
+ENCRYPTION_KEY=your_encryption_key  # Use `openssl rand -hex 32` to generate, used to encrypt environment variables
+INTERNAL_API_SECRET=your_internal_api_secret # Use `openssl rand -hex 32` to generate, used to encrypt internal api routes
 
 # Email Provider (Optional)
 # RESEND_API_KEY=  # Uncomment and add your key from https://resend.com to send actual emails

apps/sim/app/api/jobs/[jobId]/route.ts

@@ -1,12 +1,10 @@
 import { runs } from '@trigger.dev/sdk'
-import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service'
 import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
 import { generateRequestId } from '@/lib/utils'
 import { createErrorResponse } from '@/app/api/workflows/utils'
-import { db } from '@/db'
-import { apiKey as apiKeyTable } from '@/db/schema'
 
 const logger = createLogger('TaskStatusAPI')
 
@@ -27,14 +25,17 @@ export async function GET(
     if (!authenticatedUserId) {
       const apiKeyHeader = request.headers.get('x-api-key')
       if (apiKeyHeader) {
-        const [apiKeyRecord] = await db
-          .select({ userId: apiKeyTable.userId })
-          .from(apiKeyTable)
-          .where(eq(apiKeyTable.key, apiKeyHeader))
-          .limit(1)
-
-        if (apiKeyRecord) {
-          authenticatedUserId = apiKeyRecord.userId
+        const authResult = await authenticateApiKeyFromHeader(apiKeyHeader)
+        if (authResult.success && authResult.userId) {
+          authenticatedUserId = authResult.userId
+          if (authResult.keyId) {
+            await updateApiKeyLastUsed(authResult.keyId).catch((error) => {
+              logger.warn(`[${requestId}] Failed to update API key last used timestamp:`, {
+                keyId: authResult.keyId,
+                error,
+              })
+            })
+          }
         }
       }
     }

apps/sim/app/api/users/me/api-keys/route.ts

@@ -1,9 +1,9 @@
-import { eq } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import { type NextRequest, NextResponse } from 'next/server'
+import { createApiKey, getApiKeyDisplayFormat } from '@/lib/api-key/auth'
 import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
-import { generateApiKey } from '@/lib/utils'
 import { db } from '@/db'
 import { apiKey } from '@/db/schema'
 
@@ -19,7 +19,6 @@ export async function GET(request: NextRequest) {
 
     const userId = session.user.id
 
-    // Fetch all API keys for this user
     const keys = await db
       .select({
         id: apiKey.id,
@@ -30,13 +29,19 @@ export async function GET(request: NextRequest) {
         expiresAt: apiKey.expiresAt,
       })
       .from(apiKey)
-      .where(eq(apiKey.userId, userId))
+      .where(and(eq(apiKey.userId, userId), eq(apiKey.type, 'personal')))
       .orderBy(apiKey.createdAt)
 
-    const maskedKeys = keys.map((key) => ({
-      ...key,
-      key: key.key,
-    }))
+    const maskedKeys = await Promise.all(
+      keys.map(async (key) => {
+        const displayFormat = await getApiKeyDisplayFormat(key.key)
+        return {
+          ...key,
+          key: key.key,
+          displayKey: displayFormat,
+        }
+      })
+    )
 
     return NextResponse.json({ keys: maskedKeys })
   } catch (error) {
@@ -56,33 +61,61 @@ export async function POST(request: NextRequest) {
     const userId = session.user.id
     const body = await request.json()
 
-    // Validate the request
-    const { name } = body
-    if (!name || typeof name !== 'string') {
+    const { name: rawName } = body
+    if (!rawName || typeof rawName !== 'string') {
       return NextResponse.json({ error: 'Invalid request. Name is required.' }, { status: 400 })
     }
 
-    const keyValue = generateApiKey()
+    const name = rawName.trim()
+    if (!name) {
+      return NextResponse.json({ error: 'Name cannot be empty.' }, { status: 400 })
+    }
+
+    const existingKey = await db
+      .select()
+      .from(apiKey)
+      .where(and(eq(apiKey.userId, userId), eq(apiKey.name, name), eq(apiKey.type, 'personal')))
+      .limit(1)
+
+    if (existingKey.length > 0) {
+      return NextResponse.json(
+        {
+          error: `A personal API key named "${name}" already exists. Please choose a different name.`,
+        },
+        { status: 409 }
+      )
+    }
+
+    const { key: plainKey, encryptedKey } = await createApiKey(true)
+
+    if (!encryptedKey) {
+      throw new Error('Failed to encrypt API key for storage')
+    }
 
-    // Insert the new API key
     const [newKey] = await db
       .insert(apiKey)
       .values({
         id: nanoid(),
         userId,
+        workspaceId: null,
         name,
-        key: keyValue,
+        key: encryptedKey,
+        type: 'personal',
         createdAt: new Date(),
         updatedAt: new Date(),
       })
       .returning({
         id: apiKey.id,
         name: apiKey.name,
-        key: apiKey.key,
         createdAt: apiKey.createdAt,
       })
 
-    return NextResponse.json({ key: newKey })
+    return NextResponse.json({
+      key: {
+        ...newKey,
+        key: plainKey,
+      },
+    })
   } catch (error) {
     logger.error('Failed to create API key', { error })
     return NextResponse.json({ error: 'Failed to create API key' }, { status: 500 })

apps/sim/app/api/v1/auth.ts

@@ -1,18 +1,18 @@
-import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service'
 import { createLogger } from '@/lib/logs/console/logger'
-import { db } from '@/db'
-import { apiKey as apiKeyTable } from '@/db/schema'
 
 const logger = createLogger('V1Auth')
 
 export interface AuthResult {
   authenticated: boolean
   userId?: string
+  workspaceId?: string
+  keyType?: 'personal' | 'workspace'
   error?: string
 }
 
-export async function authenticateApiKey(request: NextRequest): Promise<AuthResult> {
+export async function authenticateV1Request(request: NextRequest): Promise<AuthResult> {
   const apiKey = request.headers.get('x-api-key')
 
   if (!apiKey) {
@@ -23,36 +23,23 @@ export async function authenticateApiKey(request: NextRequest): Promise<AuthResu
   }
 
   try {
-    const [keyRecord] = await db
-      .select({
-        userId: apiKeyTable.userId,
-        expiresAt: apiKeyTable.expiresAt,
-      })
-      .from(apiKeyTable)
-      .where(eq(apiKeyTable.key, apiKey))
-      .limit(1)
+    const result = await authenticateApiKeyFromHeader(apiKey)
 
-    if (!keyRecord) {
+    if (!result.success) {
       logger.warn('Invalid API key attempted', { keyPrefix: apiKey.slice(0, 8) })
       return {
         authenticated: false,
-        error: 'Invalid API key',
+        error: result.error || 'Invalid API key',
       }
     }
 
-    if (keyRecord.expiresAt && keyRecord.expiresAt < new Date()) {
-      logger.warn('Expired API key attempted', { userId: keyRecord.userId })
-      return {
-        authenticated: false,
-        error: 'API key expired',
-      }
-    }
-
-    await db.update(apiKeyTable).set({ lastUsed: new Date() }).where(eq(apiKeyTable.key, apiKey))
+    await updateApiKeyLastUsed(result.keyId!)
 
     return {
       authenticated: true,
-      userId: keyRecord.userId,
+      userId: result.userId!,
+      workspaceId: result.workspaceId,
+      keyType: result.keyType,
     }
   } catch (error) {
     logger.error('API key authentication error', { error })

apps/sim/app/api/v1/middleware.ts

@@ -2,7 +2,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { createLogger } from '@/lib/logs/console/logger'
 import { RateLimiter } from '@/services/queue/RateLimiter'
-import { authenticateApiKey } from './auth'
+import { authenticateV1Request } from './auth'
 
 const logger = createLogger('V1Middleware')
 const rateLimiter = new RateLimiter()
@@ -21,7 +21,7 @@ export async function checkRateLimit(
   endpoint: 'logs' | 'logs-detail' = 'logs'
 ): Promise<RateLimitResult> {
   try {
-    const auth = await authenticateApiKey(request)
+    const auth = await authenticateV1Request(request)
     if (!auth.authenticated) {
       return {
         allowed: false,