Merge PR #261: feature/api-keys-endpoints

Author: Calebux

backend/migrations/20260329120000_add_api_key_auth_fields.sql

@@ -0,0 +1,10 @@
+-- Add fields for API key auth, scopes, and usage tracking
+alter table public.api_keys
+  add column if not exists key_hash text,
+  add column if not exists scopes text[] default '{}' not null,
+  add column if not exists revoked boolean default false not null,
+  add column if not exists last_used_at timestamptz,
+  add column if not exists request_count integer default 0 not null;
+
+alter table public.api_keys
+  add constraint if not exists api_keys_key_hash_unique unique(key_hash);

backend/src/index.ts

@@ -22,6 +22,7 @@ import auditRoutes from './routes/audit';
 import webhookRoutes from './routes/webhooks';
 import complianceRoutes from './routes/compliance';
 import tagsRoutes from './routes/tags';
+import apiKeysRoutes from './routes/api-keys';
 import { createExchangeRatesRouter } from './routes/exchange-rates';
 import { ExchangeRateService } from './services/exchange-rate/exchange-rate-service';
 import { FiatRateProvider } from './services/exchange-rate/fiat-provider';
@@ -76,6 +77,7 @@ app.get('/health', (req, res) => {
 });
 
 // API Routes
+app.use('/api/keys', apiKeysRoutes);
 app.use('/api/subscriptions', subscriptionRoutes);
 app.use('/api/risk-score', riskScoreRoutes);
 app.use('/api/simulation', simulationRoutes);

backend/src/middleware/auth.ts

@@ -1,3 +1,4 @@
+import crypto from 'crypto';
 import { Request, Response, NextFunction } from 'express';
 import { supabase } from '../config/database';
 import logger from '../config/logger';
@@ -11,27 +12,112 @@ export interface AuthenticatedRequest extends Request {
     id: string;
     email: string;
     role: UserRole;
+    email?: string;
+    authMethod?: 'jwt' | 'api_key';
+    scopes?: string[];
   };
 }
 
+const API_KEY_SCOPES = new Set([
+  'subscriptions:read',
+  'subscriptions:write',
+  'webhooks:write',
+  'analytics:read',
+]);
+
+export function requireScope(requiredScope: string | string[]) {
+  const requiredScopes = Array.isArray(requiredScope) ? requiredScope : [requiredScope];
+
+  return (req: AuthenticatedRequest, res: Response, next: NextFunction): void => {
+    if (!req.user) {
+      res.status(401).json({ error: 'Unauthorized', message: 'Authentication required' });
+      return;
+    }
+
+    if (req.user.authMethod === 'api_key') {
+      const keyScopes = req.user.scopes || [];
+      const missing = requiredScopes.filter((scope) => !keyScopes.includes(scope));
+
+      if (missing.length > 0) {
+        res.status(403).json({
+          error: 'Forbidden',
+          message: `API key missing required scopes: ${missing.join(', ')}`,
+        });
+        return;
+      }
+    }
+
+    next();
+  };
+}
+
+async function authenticateWithApiKey(
+  req: AuthenticatedRequest,
+  res: Response,
+  next: NextFunction,
+): Promise<boolean> {
+  const apiKey = req.headers['x-api-key'] as string;
+
+  if (!apiKey) {
+    return false;
+  }
+
+  const hash = crypto.createHash('sha256').update(apiKey).digest('hex');
+
+  const { data: keyRecord, error } = await supabase
+    .from('api_keys')
+    .select('user_id, scopes, revoked, last_used_at, request_count')
+    .eq('key_hash', hash)
+    .eq('revoked', false)
+    .single();
+
+  if (error || !keyRecord) {
+    res.status(401).json({ error: 'Invalid API key' });
+    return true;
+  }
+
+  // Update last_used_at and request_count
+  await supabase
+    .from('api_keys')
+    .update({
+      last_used_at: new Date().toISOString(),
+      request_count: (keyRecord.request_count ?? 0) + 1,
+    })
+    .eq('key_hash', hash);
+
+  req.user = {
+    id: keyRecord.user_id,
+    authMethod: 'api_key',
+    scopes: Array.isArray(keyRecord.scopes) ? keyRecord.scopes : [],
+  };
+
+  setRequestUserId(keyRecord.user_id);
+  next();
+  return true;
+}
+
 /**
  * Authentication middleware
- * Supports both JWT tokens (Bearer) and HTTP-only cookies
+ * Supports API key (x-api-key) and JWT tokens (Bearer and cookie)
  */
 export async function authenticate(
   req: AuthenticatedRequest,
   res: Response,
-  next: NextFunction
+  next: NextFunction,
 ): Promise<void> {
   try {
+    const apiKeyAttempted = await authenticateWithApiKey(req, res, next);
+    if (apiKeyAttempted) {
+      return;
+    }
+
     // Try to get token from Authorization header (Bearer token)
     const authHeader = req.headers.authorization;
     let token: string | null = null;
 
     if (authHeader && authHeader.startsWith('Bearer ')) {
       token = authHeader.substring(7);
     } else if (req.cookies?.authToken) {
-      // Fallback to cookie-based auth
       token = req.cookies.authToken;
     }
 
@@ -64,6 +150,8 @@ export async function authenticate(
       id: user.id,
       email: user.email || '',
       role,
+      authMethod: 'jwt',
+      scopes: Array.from(API_KEY_SCOPES),
     };
     setRequestUserId(user.id);
     Sentry.setUser({ id: user.id, email: user.email });
@@ -86,9 +174,14 @@ export async function authenticate(
 export async function optionalAuthenticate(
   req: AuthenticatedRequest,
   res: Response,
-  next: NextFunction
+  next: NextFunction,
 ): Promise<void> {
   try {
+    const apiKeyAttempted = await authenticateWithApiKey(req, res, next);
+    if (apiKeyAttempted) {
+      return;
+    }
+
     const authHeader = req.headers.authorization;
     let token: string | null = null;
 
@@ -108,6 +201,8 @@ export async function optionalAuthenticate(
           id: user.id,
           email: user.email || '',
           role,
+          authMethod: 'jwt',
+          scopes: Array.from(API_KEY_SCOPES),
         };
         setRequestUserId(user.id);
         Sentry.setUser({ id: user.id, email: user.email });
@@ -121,3 +216,4 @@ export async function optionalAuthenticate(
     next();
   }
 }
+

backend/src/routes/api-keys.ts

@@ -0,0 +1,179 @@
+import { Router, Response } from 'express';
+import crypto from 'crypto';
+import { supabase } from '../config/database';
+import { authenticate, AuthenticatedRequest, requireScope } from '../middleware/auth';
+import logger from '../config/logger';
+
+const router = Router();
+
+// All endpoints are for authenticated users (JWT or API key edit rights via user auth).
+router.use(authenticate);
+
+const VALID_SCOPES = new Set(["subscriptions:read", "subscriptions:write", "webhooks:write", "analytics:read"]);
+
+function normalizeScopes(scopes: unknown): string[] {
+  if (Array.isArray(scopes)) {
+    return scopes
+      .map((scope) => String(scope || '').trim())
+      .filter((scope) => scope && VALID_SCOPES.has(scope));
+  }
+
+  if (typeof scopes === 'string') {
+    return scopes
+      .split(',')
+      .map((scope) => scope.trim())
+      .filter((scope) => scope && VALID_SCOPES.has(scope));
+  }
+
+  return [];
+}
+
+function generateApiKey(): { key: string; hash: string } {
+  const key = `sk_${crypto.randomBytes(32).toString('hex')}`;
+  const hash = crypto.createHash('sha256').update(key).digest('hex');
+  return { key, hash };
+}
+
+router.post('/', requireScope('subscriptions:write'), async (req: AuthenticatedRequest, res: Response) => {
+  try {
+    if (!req.user?.id) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
+    const { name, scopes } = req.body || {};
+
+    const serviceName = String(name || 'default').trim();
+    if (!serviceName) {
+      return res.status(400).json({ error: 'service name is required' });
+    }
+
+    const normalizedScopes = normalizeScopes(scopes);
+    if (normalizedScopes.length === 0) {
+      return res.status(400).json({ error: 'at least one valid scope is required' });
+    }
+
+    const { key, hash } = generateApiKey();
+
+    let insertResult: any;
+    try {
+      insertResult = await supabase.from('api_keys').insert([
+        {
+          user_id: req.user.id,
+          service_name: serviceName,
+          key_hash: hash,
+          scopes: normalizedScopes,
+          revoked: false,
+          last_used_at: null,
+          request_count: 0,
+        },
+      ]);
+    } catch (dbError) {
+      logger.error('insert call threw', dbError);
+      throw dbError;
+    }
+
+    const error = (insertResult as any).error;
+
+    if (error) {
+      logger.error('Failed to create API key', { error });
+      return res.status(500).json({ error: 'Failed to create API key' });
+    }
+
+    console.log('about to send success response');
+    return res.status(201).json({ success: true, key, scopes: normalizedScopes });
+  } catch (error) {
+    logger.error('Create API key error:', error);
+    console.error('Create API key error:', error);
+    return res.status(500).json({ error: String(error) || 'Internal server error' });
+  }
+});
+
+router.get('/', requireScope('subscriptions:read'), async (req: AuthenticatedRequest, res: Response) => {
+  try {
+    if (!req.user?.id) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
+    const { data, error } = await supabase
+      .from('api_keys')
+      .select('id, service_name, scopes, revoked, created_at, updated_at, last_used_at, request_count')
+      .eq('user_id', req.user.id)
+      .order('created_at', { ascending: false });
+
+    if (error) {
+      logger.error('Failed to list API keys', { error });
+      return res.status(500).json({ error: 'Failed to list API keys' });
+    }
+
+    return res.json({ success: true, data });
+  } catch (error) {
+    logger.error('List API keys error:', error);
+    return res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+router.delete('/:id', requireScope('subscriptions:write'), async (req: AuthenticatedRequest, res: Response) => {
+  try {
+    if (!req.user?.id) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
+    const keyId = req.params.id;
+
+    const { data: existingKey, error: fetchError } = await supabase
+      .from('api_keys')
+      .select('id')
+      .eq('id', keyId)
+      .eq('user_id', req.user.id)
+      .single();
+
+    if (fetchError || !existingKey) {
+      return res.status(404).json({ error: 'API key not found' });
+    }
+
+    const { error } = await supabase
+      .from('api_keys')
+      .update({ revoked: true, updated_at: new Date().toISOString() })
+      .eq('id', keyId)
+      .eq('user_id', req.user.id);
+
+    if (error) {
+      logger.error('Failed to revoke API key', { error });
+      return res.status(500).json({ error: 'Failed to revoke API key' });
+    }
+
+    return res.json({ success: true });
+  } catch (error) {
+    logger.error('Revoke API key error:', error);
+    return res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+router.get('/:id/usage', requireScope('subscriptions:read'), async (req: AuthenticatedRequest, res: Response) => {
+  try {
+    if (!req.user?.id) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
+    const keyId = req.params.id;
+
+    const { data, error } = await supabase
+      .from('api_keys')
+      .select('id, service_name, scopes, revoked, created_at, updated_at, last_used_at, request_count')
+      .eq('id', keyId)
+      .eq('user_id', req.user.id)
+      .single();
+
+    if (error || !data) {
+      logger.error('Failed to fetch API key usage', { error });
+      return res.status(404).json({ error: 'API key not found' });
+    }
+
+    return res.json({ success: true, data });
+  } catch (error) {
+    logger.error('API key usage error:', error);
+    return res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+export default router;