linuxfoundation · ulemons · Mar 20, 2026 · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
diff --git a/backend/src/api/public/index.ts b/backend/src/api/public/index.ts
@@ -4,11 +4,14 @@ import { AUTH0_CONFIG } from '../../conf'
 
 import { errorHandler } from './middlewares/errorHandler'
 import { oauth2Middleware } from './middlewares/oauth2Middleware'
+import { staticApiKeyMiddleware } from './middlewares/staticApiKeyMiddleware'
 import { v1Router } from './v1'
+import { devStatsRouter } from './v1/dev-stats'
 
 export function publicRouter(): Router {
   const router = Router()
 
+  router.use('/v1/dev-stats', staticApiKeyMiddleware(), devStatsRouter())
   router.use('/v1', oauth2Middleware(AUTH0_CONFIG), v1Router())
   router.use(errorHandler)
 

diff --git a/backend/src/api/public/middlewares/staticApiKeyMiddleware.ts b/backend/src/api/public/middlewares/staticApiKeyMiddleware.ts
@@ -0,0 +1,48 @@
+import crypto from 'crypto'
+import type { NextFunction, Request, RequestHandler, Response } from 'express'
+
+import { UnauthorizedError } from '@crowd/common'
+import { findApiKeyByHash, optionsQx, touchApiKeyLastUsed } from '@crowd/data-access-layer'
+
+export function staticApiKeyMiddleware(): RequestHandler {
+  return async (req: Request, _res: Response, next: NextFunction): Promise<void> => {
+    try {
+      const authHeader = req.headers.authorization
+
+      if (!authHeader || !authHeader.startsWith('Bearer ')) {
+        next(new UnauthorizedError('Missing or invalid Authorization header'))
+        return
+      }
+
+      const providedKey = authHeader.slice('Bearer '.length)
+      const keyHash = crypto.createHash('sha256').update(providedKey).digest('hex')
+
+      const qx = optionsQx(req)
+      const apiKey = await findApiKeyByHash(qx, keyHash)
+
+      if (!apiKey) {
+        next(new UnauthorizedError('Invalid API key'))
+        return
+      }
+
+      if (apiKey.revokedAt) {
+        next(new UnauthorizedError('API key has been revoked'))
+        return
+      }
+
+      if (apiKey.expiresAt && apiKey.expiresAt < new Date()) {
+        next(new UnauthorizedError('API key has expired'))
+        return
+      }
+
+      // fire and forget — don't block the request
+      touchApiKeyLastUsed(qx, apiKey.id).catch(() => {})
+
+      req.actor = { id: apiKey.name, type: 'service', scopes: apiKey.scopes }
+
+      next()
+    } catch (err) {
+      next(err)
+    }
+  }
+}
diff --git a/backend/src/api/public/v1/dev-stats/index.ts b/backend/src/api/public/v1/dev-stats/index.ts
@@ -0,0 +1,19 @@
+import { Router } from 'express'
+
+import { createRateLimiter } from '@/api/apiRateLimiter'
+import { requireScopes } from '@/api/public/middlewares/requireScopes'
+import { SCOPES } from '@/security/scopes'
+
+const rateLimiter = createRateLimiter({ max: 60, windowMs: 60 * 1000 })
+
+export function devStatsRouter(): Router {
+  const router = Router()
+
+  router.use(rateLimiter)
+
+  router.post('/affiliations', requireScopes([SCOPES.READ_AFFILIATIONS]), (_req, res) => {
+    res.json({ status: 'ok' })
+  })
+
+  return router
+}
diff --git a/backend/src/database/migrations/U1773938832__add-api-keys-tale.sql b/backend/src/database/migrations/U1773938832__add-api-keys-tale.sql
diff --git a/backend/src/database/migrations/V1773938832__add-api-keys-tale.sql b/backend/src/database/migrations/V1773938832__add-api-keys-tale.sql
@@ -0,0 +1,13 @@
+CREATE TABLE "apiKeys" (
+  "id"          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  "name"        TEXT NOT NULL,
+  "keyHash"     TEXT NOT NULL UNIQUE,
+  "keyPrefix"   TEXT NOT NULL,
+  "scopes"      TEXT[] NOT NULL DEFAULT '{}',
+  "expiresAt"   TIMESTAMPTZ,
+  "lastUsedAt"  TIMESTAMPTZ,
+  "createdById" TEXT,
+  "revokedAt"   TIMESTAMPTZ,
+  "createdAt"   TIMESTAMPTZ NOT NULL DEFAULT now(),
+  "updatedAt"   TIMESTAMPTZ NOT NULL DEFAULT now()
+);
diff --git a/backend/src/security/scopes.ts b/backend/src/security/scopes.ts
@@ -9,6 +9,7 @@ export const SCOPES = {
   WRITE_WORK_EXPERIENCES: 'write:work-experiences',
   READ_PROJECT_AFFILIATIONS: 'read:project-affiliations',
   WRITE_PROJECT_AFFILIATIONS: 'write:project-affiliations',
+  READ_AFFILIATIONS: 'read:affiliations',
 } as const
 
 export type Scope = (typeof SCOPES)[keyof typeof SCOPES]
diff --git a/services/libs/data-access-layer/src/apiKeys/index.ts b/services/libs/data-access-layer/src/apiKeys/index.ts
@@ -0,0 +1,34 @@
+import { QueryExecutor } from '../queryExecutor'
+
+export interface IApiKey {
+  id: string
+  name: string
+  scopes: string[]
+  expiresAt: Date | null
+  revokedAt: Date | null
+}
+
+export async function findApiKeyByHash(
+  qx: QueryExecutor,
+  keyHash: string,
+): Promise<IApiKey | null> {
+  return qx.selectOneOrNone(
+    `
+      SELECT id, name, scopes, "expiresAt", "revokedAt"
+      FROM "apiKeys"
+      WHERE "keyHash" = $(keyHash)
+    `,
+    { keyHash },
+  )
+}
+
+export async function touchApiKeyLastUsed(qx: QueryExecutor, id: string): Promise<void> {
+  await qx.result(
+    `
+      UPDATE "apiKeys"
+      SET "lastUsedAt" = now(), "updatedAt" = now()
+      WHERE id = $(id)
+    `,
+    { id },
+  )
+}
diff --git a/services/libs/data-access-layer/src/index.ts b/services/libs/data-access-layer/src/index.ts
@@ -1,5 +1,6 @@
 export * from './activities'
 export * from './activityRelations'
+export * from './apiKeys'
 export * from './dashboards'
 export * from './members'
 export * from './organizations'