Skip to content

optimize api key queries #215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vernu merged 1 commit into from
Apr 5, 2026
+27 −10
Merged

optimize api key queries #215

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions api/src/auth/auth.service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -401,6 +401,27 @@
return this.apiKeyModel.findOne(params)
}

/** Prefer exact masked match (see generateApiKey); fall back to legacy prefix regex. */
async findActiveApiKeyByClientKey(apiKeyString: string) {
const revokedClause = {
$or: [{ revokedAt: null }, { revokedAt: { $exists: false } }],
}
const prefix = apiKeyString.substring(0, 17)
const masked = `${prefix}${'*'.repeat(18)}`
const byMasked = await this.apiKeyModel.findOne({
apiKey: masked,
...revokedClause,
})
if (byMasked) {
return byMasked
}
const regex = new RegExp(`^${prefix}`, 'g')

Check failure

Code scanning / CodeQL

Regular expression injection High

This regular expression is constructed from a
user-provided value
Loading
.
This regular expression is constructed from a
user-provided value
Loading
.
This regular expression is constructed from a
user-provided value
Loading
.
This regular expression is constructed from a
user-provided value
Loading
.
return this.apiKeyModel.findOne({
apiKey: { $regex: regex },
...revokedClause,
})
}

async findApiKeyById(apiKeyId: string) {
return this.apiKeyModel.findById(apiKeyId)
}
Expand Down
7 changes: 2 additions & 5 deletions api/src/auth/guards/auth.guard.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,11 +35,8 @@ export class AuthGuard implements CanActivate {
)
}
} else if (apiKeyString) {
const regex = new RegExp(`^${apiKeyString.substr(0, 17)}`, 'g')
const apiKey = await this.authService.findApiKey({
apiKey: { $regex: regex },
$or: [{ revokedAt: null }, { revokedAt: { $exists: false } }],
})
const apiKey =
await this.authService.findActiveApiKeyByClientKey(apiKeyString)

if (apiKey && bcrypt.compareSync(apiKeyString, apiKey.hashedApiKey)) {
userId = apiKey.user
Expand Down
7 changes: 2 additions & 5 deletions api/src/auth/guards/optional-auth.guard.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,8 @@ export class OptionalAuthGuard implements CanActivate {
return true
}
} else if (apiKeyString) {
const regex = new RegExp(`^${apiKeyString.substr(0, 17)}`, 'g')
const apiKey = await this.authService.findApiKey({
apiKey: { $regex: regex },
$or: [{ revokedAt: null }, { revokedAt: { $exists: false } }],
})
const apiKey =
await this.authService.findActiveApiKeyByClientKey(apiKeyString)

if (apiKey && bcrypt.compareSync(apiKeyString, apiKey.hashedApiKey)) {
userId = apiKey.user
Expand Down
2 changes: 2 additions & 0 deletions api/src/auth/schemas/api-key.schema.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,5 @@ export class ApiKey {
}

export const ApiKeySchema = SchemaFactory.createForClass(ApiKey)

ApiKeySchema.index({ apiKey: 1 })
Loading