apikey

package
v0.2.0
Warning

This package is not in the latest version of its module.
Published: Apr 23, 2026 | License: GPL-3.0 | Imports: 9 | Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func MaskAPIKey

func MaskAPIKey(key string) string

MaskAPIKey returns a masked version of an API key for logging/display. Shows first 4 and last 4 characters: "sk-ab...xyz"

Types

type CreateInput

type CreateInput struct {
	TenantID      string   `json:"tenant_id" validate:"required,uuid"`
	UserID        string   `json:"user_id" validate:"omitempty,uuid"`
	Name          string   `json:"name" validate:"required,min=1,max=255"`
	Description   string   `json:"description" validate:"max=1000"`
	Scopes        []string `json:"scopes" validate:"max=50"`
	RateLimit     int      `json:"rate_limit"`
	ExpiresInDays int      `json:"expires_in_days"`
	CreatedBy     string   `json:"created_by" validate:"omitempty,uuid"`
}

CreateInput represents input for creating an API key.

type CreateResult

type CreateResult struct {
	Key       *apikeydom.APIKey
	Plaintext string // Only returned once on creation
}

CreateResult holds the created key and its plaintext (shown only once).

type EncryptionService

type EncryptionService struct {
	// contains filtered or unexported fields
}

EncryptionService handles encryption and decryption of tenant API keys.

func NewEncryptionService

func NewEncryptionService(encryptor crypto.Encryptor) *EncryptionService

NewEncryptionService creates a new EncryptionService. If encryptor is nil, a NoOpEncryptor is used (for development only).

func (*EncryptionService) Decrypt

func (s *EncryptionService) Decrypt(encryptedKey string) (string, error)

Decrypt decrypts an API key from storage. If the key is not encrypted (no prefix), returns it as-is (backward compatibility).

func (*EncryptionService) Encrypt

func (s *EncryptionService) Encrypt(plainKey string) (string, error)

Encrypt encrypts an API key for secure storage. Returns a prefixed string to identify encrypted values: "enc:v1:<ciphertext>"

func (*EncryptionService) IsEncrypted

func (s *EncryptionService) IsEncrypted(key string) bool

IsEncrypted checks if an API key is already encrypted.

type ListInput

type ListInput struct {
	TenantID  string `json:"tenant_id" validate:"required,uuid"`
	Status    string `json:"status"`
	Search    string `json:"search"`
	Page      int    `json:"page"`
	PerPage   int    `json:"per_page"`
	SortBy    string `json:"sort_by"`
	SortOrder string `json:"sort_order"`
}

ListInput represents input for listing API keys.

type RevokeInput

type RevokeInput struct {
	ID        string `json:"id" validate:"required,uuid"`
	TenantID  string `json:"tenant_id" validate:"required,uuid"`
	RevokedBy string `json:"revoked_by" validate:"required,uuid"`
}

RevokeInput represents input for revoking an API key.

type Service

type Service struct {
	// contains filtered or unexported fields
}

Service provides business logic for API key management.

pepper is the server-side secret mixed into every new key's stored hash via HMAC-SHA256 (pkg/crypto.HashTokenPeppered). An empty pepper falls back to plain SHA-256, which is acceptable only in dev. When the DB is leaked but APP_ENCRYPTION_KEY is not, peppered rows resist offline brute-force against the leaked key_hash column: without the HMAC key, hashcat or rainbow tables cannot recover the raw key.

func NewService

func NewService(repo apikeydom.Repository, pepper string, log *logger.Logger) *Service

NewService creates a new Service. pepper should be APP_ENCRYPTION_KEY (or a dedicated secret derived from it).
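
The pepper behaviour described for Service and NewService, as an added example that is not this package's code: it contrasts a peppered HMAC-SHA256 row with the plain SHA-256 dev fallback. The names hashKey, verifyKey and checkableWithoutPepper, the hex encoding and the sample values are assumptions of this sketch; the real pkg/crypto.HashTokenPeppered may differ.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// hashKey is a hypothetical stand-in for the stored-hash step: HMAC-SHA256
// keyed with the pepper, or plain SHA-256 when the pepper is empty.
// Hex encoding of the digest is an assumption of this sketch.
func hashKey(rawKey, pepper string) string {
	if pepper == "" {
		sum := sha256.Sum256([]byte(rawKey)) // dev-only fallback
		return hex.EncodeToString(sum[:])
	}
	mac := hmac.New(sha256.New, []byte(pepper))
	mac.Write([]byte(rawKey))
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyKey recomputes the hash of a presented key and compares it with the
// stored value in constant time.
func verifyKey(presented, storedHash, pepper string) bool {
	got := hashKey(presented, pepper)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedHash)) == 1
}

// checkableWithoutPepper reports whether a candidate key can be confirmed
// against a stored hash by someone who holds the database row but not the pepper.
func checkableWithoutPepper(candidate, storedHash string) bool {
	return verifyKey(candidate, storedHash, "")
}

func main() {
	const rawKey = "sk-constructed-example-key-0001" // constructed sample
	const pepper = "constructed-pepper-value"        // constructed sample

	peppered := hashKey(rawKey, pepper)
	plain := hashKey(rawKey, "")

	fmt.Println("server verifies peppered row:", verifyKey(rawKey, peppered, pepper))
	fmt.Println("plain row checkable from DB alone:", checkableWithoutPepper(rawKey, plain))
	fmt.Println("peppered row checkable from DB alone:", checkableWithoutPepper(rawKey, peppered))
}
```

Rows written with an empty pepper stay checkable from the database alone, so the dev fallback should never reach a production key_hash column.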

func (*Service) Create

func (s *Service) Create(ctx context.Context, input CreateInput) (*CreateResult, error)

Create generates and stores a new API key.

func (*Service) Delete

func (s *Service) Delete(ctx context.Context, id, tenantIDStr string) error

Delete deletes an API key. Tenant isolation enforced at DB level.

func (*Service) Get

func (s *Service) Get(ctx context.Context, id, tenantIDStr string) (*apikeydom.APIKey, error)

Get retrieves an API key by ID within a tenant.

func (*Service) List

func (s *Service) List(ctx context.Context, input ListInput) (apikeydom.ListResult, error)

List retrieves a paginated list of API keys.

func (*Service) Revoke

func (s *Service) Revoke(ctx context.Context, input RevokeInput) (*apikeydom.APIKey, error)

Revoke revokes an API key.
