Fix codeRabbit comments

Author: thivindu

docs/gateway/policies/apikey-authentication.md

@@ -584,8 +584,6 @@ All generated API keys follow a consistent format:
 - **Total Length**: 92 characters
 - **Example**: `apip_b9abae64a955aded2eb700aff88235ce3f7e6a8ca0f2f52ba31f73bcbb960360_jh~cPInvccQ09goMO5-4mQ`
 
-The API key uses a URL-safe character set and does not contain underscores or other special characters that might cause issues in various contexts.
-
 ### API Key Security
 
 The platform implements comprehensive security measures for API key management:

gateway/gateway-controller/pkg/apikeyxds/apikey_snapshot.go

@@ -145,7 +145,6 @@ func (sm *APIKeySnapshotManager) RevokeAPIKey(apiId, apiKeyName string) error {
 		sm.logger.Warn("API key not found for revocation",
 			zap.String("api_id", apiId),
 			zap.String("api_key", apiKeyName))
-		return nil
 	}
 
 	// Update the snapshot to reflect the new state

gateway/gateway-controller/pkg/config/config.go

@@ -1156,7 +1156,7 @@ func (c *Config) validateAPIKeyConfig() error {
 		}
 	}
 	if !isValidAlgorithm {
-		return fmt.Errorf("api_key_hashing.algorithm must be one of: %s, got: %s",
+		return fmt.Errorf("api_key.algorithm must be one of: %s, got: %s",
 			strings.Join(validAlgorithms, ", "), c.GatewayController.APIKey.Algorithm)
 	}
 	return nil

gateway/gateway-controller/pkg/storage/apikey_store.go

@@ -19,20 +19,12 @@
 package storage
 
 import (
-	"crypto/sha256"
-	"crypto/subtle"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
 	"fmt"
-	"golang.org/x/crypto/bcrypt"
-	"strings"
 	"sync"
 	"sync/atomic"
 
 	"github.com/wso2/api-platform/gateway/gateway-controller/pkg/models"
 	"go.uber.org/zap"
-	"golang.org/x/crypto/argon2"
 )
 
 // APIKeyStore manages API keys in memory with thread-safe operations
@@ -202,140 +194,6 @@ func (s *APIKeyStore) removeFromAPIMapping(apiKey *models.APIKey) {
 	}
 }
 
-// compareAPIKeys compares API keys for external use
-// Returns true if the plain API key matches the hash, false otherwise
-// If hashing is disabled, performs plain text comparison
-func compareAPIKeys(providedAPIKey, storedAPIKey string) bool {
-	if providedAPIKey == "" || storedAPIKey == "" {
-		return false
-	}
-
-	// Check if it's an SHA-256 hash (format: $sha256$<salt_hex>$<hash_hex>)
-	if strings.HasPrefix(storedAPIKey, "$sha256$") {
-		return compareSHA256Hash(providedAPIKey, storedAPIKey)
-	}
-
-	// Check if it's a bcrypt hash (starts with $2a$, $2b$, or $2y$)
-	if strings.HasPrefix(storedAPIKey, "$2a$") ||
-		strings.HasPrefix(storedAPIKey, "$2b$") ||
-		strings.HasPrefix(storedAPIKey, "$2y$") {
-		return compareBcryptHash(providedAPIKey, storedAPIKey)
-	}
-
-	// Check if it's an Argon2id hash
-	if strings.HasPrefix(storedAPIKey, "$argon2id$") {
-		err := compareArgon2id(providedAPIKey, storedAPIKey)
-		return err == nil
-	}
-
-	// If no hash format is detected and hashing is enabled, try plain text comparison as fallback
-	// This handles migration scenarios where some keys might still be stored as plain text
-	return subtle.ConstantTimeCompare([]byte(providedAPIKey), []byte(storedAPIKey)) == 1
-}
-
-// compareSHA256Hash validates an encoded SHA-256 hash and compares it to the provided password.
-// Expected format: $sha256$<salt_hex>$<hash_hex>
-// Returns true if the plain API key matches the hash, false otherwise
-func compareSHA256Hash(apiKey, encoded string) bool {
-	if apiKey == "" || encoded == "" {
-		return false
-	}
-
-	// Parse the hash format: $sha256$<salt_hex>$<hash_hex>
-	parts := strings.Split(encoded, "$")
-	if len(parts) != 4 || parts[1] != "sha256" {
-		return false
-	}
-
-	// Decode salt and hash from hex
-	salt, err := hex.DecodeString(parts[2])
-	if err != nil {
-		return false
-	}
-
-	storedHash, err := hex.DecodeString(parts[3])
-	if err != nil {
-		return false
-	}
-
-	// Compute hash of the provided key with the stored salt
-	hasher := sha256.New()
-	hasher.Write([]byte(apiKey))
-	hasher.Write(salt)
-	computedHash := hasher.Sum(nil)
-
-	// Constant-time comparison
-	return subtle.ConstantTimeCompare(computedHash, storedHash) == 1
-}
-
-// compareBcryptHash validates an encoded bcrypt hash and compares it to the provided password.
-// Returns true if the plain API key matches the hash, false otherwise
-func compareBcryptHash(apiKey, encoded string) bool {
-	if apiKey == "" || encoded == "" {
-		return false
-	}
-
-	// Compare the provided key with the stored bcrypt hash
-	err := bcrypt.CompareHashAndPassword([]byte(encoded), []byte(apiKey))
-	return err == nil
-}
-
-// compareArgon2id parses an encoded Argon2id hash and compares it to the provided password.
-// Expected format: $argon2id$v=19$m=<m>,t=<t>,p=<p>$<salt_b64>$<hash_b64>
-func compareArgon2id(apiKey, encoded string) error {
-	parts := strings.Split(encoded, "$")
-	if len(parts) != 6 || parts[1] != "argon2id" {
-		return fmt.Errorf("invalid argon2id hash format")
-	}
-
-	// parts[2] -> v=19
-	var version int
-	if _, err := fmt.Sscanf(parts[2], "v=%d", &version); err != nil {
-		return err
-	}
-	if version != argon2.Version {
-		return fmt.Errorf("unsupported argon2 version: %d", version)
-	}
-
-	// parts[3] -> m=<m>,t=<t>,p=<p>
-	var mem uint32
-	var iters uint32
-	var threads uint8
-	var t, m, p uint32
-	if _, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &m, &t, &p); err != nil {
-		return err
-	}
-	mem = m
-	iters = t
-	threads = uint8(p)
-
-	// decode salt and hash (try RawStd then Std)
-	salt, err := decodeBase64(parts[4])
-	if err != nil {
-		return err
-	}
-	hash, err := decodeBase64(parts[5])
-	if err != nil {
-		return err
-	}
-
-	derived := argon2.IDKey([]byte(apiKey), salt, iters, mem, threads, uint32(len(hash)))
-	if subtle.ConstantTimeCompare(derived, hash) == 1 {
-		return nil
-	}
-	return errors.New("API key mismatch")
-}
-
-// decodeBase64 decodes a base64 string, trying RawStdEncoding first, then StdEncoding
-func decodeBase64(s string) ([]byte, error) {
-	b, err := base64.RawStdEncoding.DecodeString(s)
-	if err == nil {
-		return b, nil
-	}
-	// try StdEncoding as a fallback
-	return base64.StdEncoding.DecodeString(s)
-}
-
 // GetCompositeKey generates a composite key for storing/retrieving API keys
 func GetCompositeKey(apiId, keyName string) string {
 	return fmt.Sprintf("%s:%s", apiId, keyName)

gateway/policies/api-key-auth/v0.1.0/apikey_test.go

@@ -30,7 +30,7 @@ func generateShortUniqueID() string {
 	randomBytes := make([]byte, 16)
 	_, err := rand.Read(randomBytes)
 	if err != nil {
-		return "defaulttestid123456" // fallback for tests
+		return "defaulttestid123456789" // fallback for tests
 	}
 
 	// Encode as base64url without padding and replace underscores with tildes