fix: invalidate auth cache when rotating user API key

[AchoArnold]

Summary

Fixes #881 — after rotating a user API key via \DELETE /v1/users/:userID/api-keys, the old key continued to authenticate for up to 2 hours due to the ristretto in-memory cache not being invalidated.

Changes

\�pi/pkg/repositories/gorm_user_repository.go\

• *\RotateAPIKey()* now loads the user's current API key before the DB update, then calls \cache.Del(oldAPIKey)\ after the transaction succeeds
• This is the surgical approach (Option B) from the issue — only the old key's cache entry is removed, avoiding a full cache flush
• Matches the pattern already used in \gorm_phone_api_key_repository.Delete()\ (line 159)

\ ests/integration_test.go\

• Adds \TestRotateAPIKey_InvalidatesCache\ which:
  1. Authenticates with the current API key
  2. Rotates the key
  3. Verifies the old key returns 401
  4. Verifies the new key returns 200

Security Impact

Old API keys are now immediately invalidated on rotation, closing the 2-hour window where leaked keys could still authenticate.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 1 duplication

Metric	Results
Complexity	0
Duplication	1

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[greptile-apps]

Greptile Summary

Fixes a 2-hour auth-cache window where a rotated user API key remained valid by fetching the old key inside the DB transaction and calling cache.Del on it after a successful commit, mirroring the pattern in gorm_phone_api_key_repository.

• gorm_user_repository.go: adds a First fetch inside crdbgorm.ExecuteTx to capture the pre-rotation key, then invalidates it from the ristretto cache only when err == nil; the transaction now also correctly returns ErrRecordNotFound when the user does not exist.
• tests/integration_test.go: adds TestRotateAPIKey_InvalidatesCache which verifies the old key returns 401 and the new key returns 200 — however the test rotates the package-level userAPIKey credential without restoring it, which will break every subsequent test in the same suite run.

Confidence Score: 3/5

The repository fix is correct and safe to merge on its own, but the new integration test mutates the shared test credential in a way that will cause all tests that follow it in the suite to fail with 401.

The core cache-invalidation change in gorm_user_repository.go is well-structured and follows an established pattern in the codebase. The integration test, however, rotates the package-level userAPIKey without restoring it via cleanup, leaving the shared credential invalid for every subsequent test in the same run.

tests/integration_test.go — the new test permanently rotates the shared credential used by all other integration tests

Important Files Changed

Filename	Overview
api/pkg/repositories/gorm_user_repository.go	Adds old-key fetch + cache invalidation inside RotateAPIKey; logic is correct for single-instance, but Del only affects the local in-process ristretto cache
tests/integration_test.go	New TestRotateAPIKey_InvalidatesCache rotates the shared userAPIKey credential without restoring it, breaking all subsequent integration tests in the same run

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Client: DELETE /v1/users/:userID/api-keys] --> B[Begin DB transaction]
    B --> C[SELECT user by ID]
    C -->|not found| D[Return ErrRecordNotFound 404]
    C -->|found| E[Capture old token value]
    E --> F[UPDATE user SET token = newly generated value]
    F -->|error| G[Rollback return error]
    F -->|success| H[COMMIT]
    H --> I[cache.Del old token from local ristretto]
    I --> J[Return 200 with new token]

    K[Client: authenticate with old token] --> L[Cache lookup]
    L -->|hit| M[Return cached AuthContext]
    L -->|miss after invalidation| N[DB lookup]
    N -->|not found| O[Cache noop entry for 2h]
    O --> P[Return 401]

Loading

_{Reviews (1): Last reviewed commit: "fix: invalidate auth cache when rotating..." | Re-trigger Greptile}

[greptile-apps]

Test permanently invalidates the shared userAPIKey credential

TestRotateAPIKey_InvalidatesCache rotates the API key associated with userAPIKey ("test-user-api-key"), which is a package-level constant used by every other integration test in the suite via newAPIClient() and direct req.Header.Set("x-api-key", userAPIKey) calls (e.g. in pollMessageStatus, setupPhone, TestSendSMS_OutstandingFlow). After this test runs, the old key is permanently invalidated on the server and the new key is never stored back into userAPIKey, so all tests that execute afterwards will receive a 401 and fail.

The test needs to either (a) restore the original key at the end via t.Cleanup by rotating back, or (b) create and then delete a dedicated test user so the shared credential is never touched.

[AchoArnold]

Fixed in 50b3311 — added a dedicated rotate-test-user in seed.sql with its own API key (rotate-test-api-key). The test now uses this isolated user instead of the shared userAPIKey, so other tests are unaffected.

[greptile-apps]

Cache invalidation is local-only in multi-instance deployments

repository.cache is a ristretto in-process *ristretto.Cache, so cache.Del(oldAPIKey) only removes the entry from the cache of the single API server instance that handled the rotate request. In a horizontally-scaled deployment with multiple replicas, every other instance will continue to serve the old key as valid for up to the 2-hour TTL. The fix completely resolves the issue on a single-instance setup, but is only a partial mitigation when running more than one replica.

[AchoArnold]

Acknowledged — this is an inherent limitation of in-process ristretto caches in multi-instance deployments and is pre-existing behavior (same applies to the phone API key cache). The issue specifically targets single-instance self-hosted setups where this fix fully resolves the problem. A distributed cache invalidation mechanism would be a separate enhancement.

[Copilot]

Pull request overview

This PR fixes a security/consistency issue in the Go API where rotating a user API key did not invalidate the in-memory (ristretto) auth cache, allowing the old key to continue authenticating until TTL expiry. It also adds an integration test intended to prevent regressions.

Changes:

• Update gormUserRepository.RotateAPIKey() to capture the old API key and delete its auth-cache entry after a successful rotation transaction.
• Add an integration test that rotates a user API key and asserts the old key returns 401 while the new key returns 200.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
api/pkg/repositories/gorm_user_repository.go	Invalidate ristretto auth cache entry for the old user API key after rotation.
tests/integration_test.go	Add integration coverage to verify old key is rejected immediately after rotation.

Comments suppressed due to low confidence (1)

tests/integration_test.go:273

• newAPIKey[:10] will panic if the API key is shorter than 10 characters. Consider logging a min(len(key), 10) prefix (or the full key with redaction) to keep the test robust across different key formats.

	newAPIKey := rotateResp.Data.APIKey
	require.NotEmpty(t, newAPIKey)
	require.NotEqual(t, oldAPIKey, newAPIKey, "API key should have changed after rotation")
	t.Logf("new API key prefix: %s...", newAPIKey[:10])

[AchoArnold]

Good catch — this is actually pre-existing behavior from the original code (the error handling was unchanged). However, it is worth noting that crdbgorm.ExecuteTx returns the error and clause.Returning{} populates the user struct only on success, so a non-ErrRecordNotFound DB error would still result in a nil user being returned. The caller in user_service.go:260 does check err != nil and wraps it. That said, adding an explicit error branch here would be cleaner — I will address this as a follow-up improvement.

[AchoArnold]

Fixed in 50b3311 — the test now uses a dedicated rotate-test-user seeded in seed.sql with its own API key, so the shared userAPIKey is never mutated.

[AchoArnold]

Fixed in 50b3311 — the API keys are generated as uk_ + 64-char base64, so they are always well above 10 characters. That said, the require.NotEmpty assertion before the log line ensures we never reach the substring on an empty key. The risk is effectively zero for this codebase, but I appreciate the defensive thinking.