Fix: Stale api keys no longer display on the page once revoked

[Vchen7629]

Summary

Fixes #1877, Updates the opensearch query to only fetch non revoked (revoked = False) api keys so the frontend recieves only non-revoked keys to display.

Demo (Before)

screen-capture.6.webm

Demo (After)

screen-capture.7.webm

Changes

• updates api_key_service.py list_keys opensearch query to also filter for keys that have revoked set to false
• Added a unit test to verify that query is sent correctly

Summary by CodeRabbit

• Bug Fixes
  • API key listing now returns only active keys, excluding revoked ones.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 39dffd13-6c34-4366-952e-7f24a935ec9b

📥 Commits

Reviewing files that changed from the base of the PR and between 14b1646 and b964f8a.

📒 Files selected for processing (2)

• src/services/api_key_service.py
• tests/unit/test_api_key_service.py

---

Walkthrough

APIKeyService.list_keys is updated to filter out revoked API keys by replacing the single user_id term filter in the OpenSearch query with a bool query that additionally requires revoked: False. The docstring is updated accordingly, and a new async unit test verifies the query structure and that only non-revoked keys are returned.

Changes

Revoked key filter in list_keys

Layer / File(s)	Summary
list_keys query fix and test src/services/api_key_service.py, tests/unit/test_api_key_service.py	OpenSearch query changed from a user_id-only term filter to a bool must query combining user_id and revoked: False. Docstring updated to reflect active-only return. New async test mocks the search response and asserts the returned list excludes revoked keys and that the query contains both term filters.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

bug

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main issue: preventing revoked API keys from displaying on the page, which matches the primary code change.
Linked Issues check	✅ Passed	The PR successfully implements the fix for issue #1877 by filtering out revoked keys in the list_keys function and includes tests to validate the behavior.
Out of Scope Changes check	✅ Passed	All changes are scoped to fixing issue #1877: API key service filtering and corresponding unit tests with no extraneous modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[NishadA05]

I checked out this PR locally and tested the API key flow.

Manual test:

Started OpenRAG from this PR branch.
Created a new API key.
Confirmed the new key appeared in the API keys list.
Revoked the key.
Refreshed/reopened the API keys page.
Confirmed the revoked key no longer appeared.

I also reviewed the diff, and filtering revoked API keys out at the service query level makes sense for this issue since the frontend should only receive active keys to display.

Looks good.

[Vchen7629]

Superseeded by #1925