Skip to content

update at_api_keys table to allow for a key_id column#135

Open
adamkorynta wants to merge 2 commits into
mainfrom
feature/update_apikeys_kid
Open

update at_api_keys table to allow for a key_id column#135
adamkorynta wants to merge 2 commits into
mainfrom
feature/update_apikeys_kid

Conversation

@adamkorynta
Copy link
Copy Markdown
Contributor

@adamkorynta adamkorynta commented Apr 3, 2026

  • this will allow for rapid lookup via CDA when attempting to check secret_hash
  • also rename apikey column to secret_hash in order to explicitly call out apikeys being hashed.
  • update secret hash size to 512 to be well over the bounds of argon2 hashing.
  • Update to only allow moving the EXPIRES field backwards as we do not want to allow resurrection of expired keys
  • remove uniqueness constraint on the apikey hash as collisions may be possible

@adamkorynta
Copy link
Copy Markdown
Contributor Author

adamkorynta commented Apr 3, 2026

@MikeNeilson - I don't see any usages of set_session_user_apikey and my understanding is that CDA is now the only place for managing apikeys so it should be safe to delete?

@adamkorynta adamkorynta requested a review from MikeNeilson April 3, 2026 22:58
@MikeNeilson
Copy link
Copy Markdown
Contributor

MikeNeilson commented Apr 6, 2026

@MikeNeilson - I don't see any usages of set_session_user_apikey and my understanding is that CDA is now the only place for managing apikeys so it should be safe to delete?

Yeah, I only see one usage within the test, but CDA validates the key then just uses the _direct method.

MikeNeilson
MikeNeilson reviewed Apr 6, 2026
View reviewed changes
Comment thread schema/src/cwms/tables/at_api_keys.sql
@adamkorynta adamkorynta marked this pull request as ready for review April 7, 2026 17:04
@adamkorynta @MikeNeilson
update at_api_keys table to allow for a key_id column
956fdf0 
this will allow for rapid lookup via CDA when attempting to check secret_hash
also rename apikey column to secret_hash in order to explicitly call out apikeys being hashed.
update secret hash size to 512 to be well over the bounds of argon2 hashing.
Update to only allow moving the EXPIRES backwards as we do not want to be able to resurrect expired keys
@adamkorynta @MikeNeilson
remove set_session_user_apikey as CDA uses set_session_user_direct
ff24513 
fix apikey view
fix unit test on at_api_keys
@MikeNeilson MikeNeilson force-pushed the feature/update_apikeys_kid branch from 773b77a to ff24513 Compare May 12, 2026 18:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MikeNeilson MikeNeilson MikeNeilson approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@adamkorynta @MikeNeilson