The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 4, 2026 1:37am

PR Summary

High Risk
Changes authentication for all API traffic; keys missing key_hash will fail until backfill is complete.

Overview
API key authentication is now hash-only. authenticateApiKeyFromHeader looks up one row by sha256 of the header and applies scope, expiry, and permission checks; a miss or failed gate returns invalid. The legacy full-table scan + decrypt/compare fallback and the inlined authenticateApiKeyByHash helper are removed.

Removed authenticateApiKey from auth.ts (and its safeCompare usage), along with related unit tests for decrypt-based matching, lifecycle, and security edge cases. Service tests now expect a single DB where and no fallback warn logs.

Operational note: keys without a populated key_hash will no longer authenticate.

^{Reviewed by Cursor Bugbot for commit e4ed38a. Bugbot is set up for automated code reviews on this repo. Configure here.}

Greptile Summary

This PR removes the legacy full-scan+decrypt fallback from authenticateApiKeyFromHeader, making hash-based lookup the only authentication path, and inlines the previously separate authenticateApiKeyByHash helper directly into the main function.

• service.ts: Removes the legacy scan → decrypt → compare fallback loop; the previously private authenticateApiKeyByHash function is inlined directly into authenticateApiKeyFromHeader, trimming ~120 lines.
• auth.ts: Deletes the now-orphaned authenticateApiKey (decrypt-and-compare) export and drops the safeCompare import — all callers already used authenticateApiKeyFromHeader.
• Test files updated to remove fallback-path cases and stale authenticateApiKey mock wiring.

Confidence Score: 5/5

Safe to merge once the key_hash backfill in production is confirmed complete and the legacy warn log count is at zero — both conditions the PR author calls out explicitly.

The inlined logic is a direct lift of the previously tested fast path, no behavioral changes are introduced, all callers already used authenticateApiKeyFromHeader, and the deleted authenticateApiKey export has no remaining references in the codebase.

No files require special attention; all four changed files are straightforward deletions of dead code and their corresponding tests.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant C as Caller
    participant S as authenticateApiKeyFromHeader
    participant DB as Database
    participant P as Permission Utils

    C->>S: apiKeyHeader, options
    alt no header
        S-->>C: "{success:false, error:"API key required"}"
    end
    alt options.workspaceId set
        S->>DB: getWorkspaceBillingSettings(workspaceId)
        DB-->>S: workspaceSettings (null → "Workspace not found")
    end
    S->>S: "keyHash = sha256(apiKeyHeader)"
    S->>DB: "SELECT WHERE key_hash = keyHash"
    DB-->>S: rows[]
    alt rows empty
        S-->>C: INVALID
    end
    S->>S: scope checks (userId, keyType, expiry, workspaceId)
    alt scope check fails
        S-->>C: INVALID
    end
    alt workspaceId + personal key
        S->>P: getUserEntityPermissions(userId, workspace, workspaceId)
        P-->>S: permission (null → INVALID)
    end
    S-->>C: "{success:true, userId, keyId, keyType, workspaceId}"

_{Reviews (1): Last reviewed commit: "chore(api-key): remove legacy scan+decry..." | Re-trigger Greptile}