Description
Service-to-service callers currently reuse user JWTs. Add a first-class API key system with scopes, expiration, rotation overlap window, and per-key rate limits.
Requirements and context
- Must be secure, tested, and documented
- Should be efficient and easy to review
- Relevant code: src/middleware/auth.ts, src/db/repositories/
- Keys must be stored hashed; only prefix exposed to admin views
Suggested execution
- Fork the repo and create a branch: git checkout -b feat/api-keys
- Implement changes:
  - Add api_keys table with hashed secret and scopes
  - Add middleware accepting Authorization: ApiKey ...
  - Add admin CRUD with rotation overlap
- Validate security and correctness assumptions
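Added example of the key model the steps above describe (hashed secret, exposed prefix, scopes, expiry, rotation overlap, revocation); it is not the project's code, the in-memory Map stands in for the api_keys repository, and all names are assumptions. Per-key rate limiting is left out.

```typescript
// Added example, not the project's code: hashed API keys with prefix lookup, scopes, expiry,
// revocation and a rotation overlap window (no rate limiting). The Map stands in for the api_keys table.
import { createHash, randomBytes, timingSafeEqual } from "crypto";
interface ApiKeyRecord {
  id: string;
  prefix: string;     // first 8 chars of the secret; the only part admin views expose
  hash: Buffer;       // sha256(secret); the secret itself is never persisted
  scopes: string[];
  expiresAt: number;  // epoch ms
  revoked: boolean;
}
type AuthResult = "ok" | "malformed" | "unknown" | "revoked" | "expired" | "forbidden";
const keys = new Map<string, ApiKeyRecord>();   // hypothetical in-memory store
const sha256 = (s: string) => createHash("sha256").update(s).digest();

// Mint a key: the full secret is returned exactly once; only its hash and prefix persist.
function createKey(scopes: string[], ttlMs: number, now: number) {
  const secret = "ak_" + randomBytes(24).toString("hex");
  const id = randomBytes(8).toString("hex");
  keys.set(id, { id, prefix: secret.slice(0, 8), hash: sha256(secret), scopes,
                 expiresAt: now + ttlMs, revoked: false });
  return { id, secret };
}

// Rotation: mint a replacement and let the old key live only until the overlap window closes.
function rotateKey(oldId: string, ttlMs: number, overlapMs: number, now: number) {
  const old = keys.get(oldId);
  if (!old) throw new Error("unknown key id");
  old.expiresAt = Math.min(old.expiresAt, now + overlapMs);
  return createKey(old.scopes, ttlMs, now);
}
function revokeKey(id: string) { const r = keys.get(id); if (r) r.revoked = true; }
// What an admin listing may return: prefix and metadata, never the hash.
function adminView(id: string) {
  const r = keys.get(id)!;
  return { id: r.id, prefix: r.prefix, scopes: r.scopes, expiresAt: r.expiresAt, revoked: r.revoked };
}
// Check "Authorization: ApiKey <secret>" against the store and a required scope.
function authenticate(header: string | undefined, requiredScope: string, now: number): AuthResult {
  const m = /^ApiKey\s+(\S+)$/.exec(header ?? "");
  if (!m) return "malformed";
  const presented = sha256(m[1]);
  // Narrow by prefix, then compare digests in constant time.
  const rec = Array.from(keys.values()).find(k => k.prefix === m[1].slice(0, 8) && timingSafeEqual(k.hash, presented));
  if (!rec) return "unknown";
  if (rec.revoked) return "revoked";
  if (now >= rec.expiresAt) return "expired";
  return rec.scopes.includes(requiredScope) ? "ok" : "forbidden";
}
```

The three edge cases listed under Test and commit (scope escalation, rotation overlap, revoked key) each map to one distinct AuthResult here, so a test can assert on them directly.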
Test and commit
- Run tests: npm test
- Cover edge cases: scope escalation attempt, rotation overlap, revoked key
- Include test output and notes
Example commit message
feat: scoped API keys with rotation
Guidelines
- Minimum 95 percent test coverage
- Clear documentation
- Timeframe: 96 hours