Description
The gateway auth flow in src/middleware/gatewayApiKeyAuth.ts performs prefix-based lookup before a timing-safe full-key hash compare, but there is no database guarantee that key prefixes are unique among active keys. This backend task adds the constraint/index and tests so prefix collisions cannot cause ambiguous lookups.
Requirements and Context
- Add a migration introducing a unique index on active (non-revoked)
api_keys prefixes.
- Verify
src/repositories/apiKeyRepository.ts lookups rely on the indexed column.
- Add constraint tests using
pg-mem.
- Must be secure, tested, and documented
- Should be efficient and easy to review
Suggested Execution
- Fork the repo and create a branch
git checkout -b task/api-key-prefix-unique-index
- Implement changes
migrations/0006_api_key_prefix_unique.sql — partial unique indexsrc/repositories/apiKeyRepository.ts — confirm lookup path- Add a constraint regression test
- Test and commit
npm test -- src/repositories/apiKeyRepository.test.ts- Cover edge cases
- Include test output and notes in the PR
Example commit message
task: enforce unique active api_key prefixes
Acceptance Criteria
Guidelines
- Minimum 90% test coverage with Jest
- Clear documentation and inline comments
- Timeframe: 96 hours
Description
The gateway auth flow in
src/middleware/gatewayApiKeyAuth.tsperforms prefix-based lookup before a timing-safe full-key hash compare, but there is no database guarantee that key prefixes are unique among active keys. This backend task adds the constraint/index and tests so prefix collisions cannot cause ambiguous lookups.Requirements and Context
api_keysprefixes.src/repositories/apiKeyRepository.tslookups rely on the indexed column.pg-mem.Suggested Execution
migrations/0006_api_key_prefix_unique.sql— partial unique indexsrc/repositories/apiKeyRepository.ts— confirm lookup pathnpm test -- src/repositories/apiKeyRepository.test.tsExample commit message
Acceptance Criteria
Guidelines