test: add regression tests for local-coding API key auth mismatch (#1748) #1768
Merged
Priyanshu-byte-coder merged 1 commit into Priyanshu-byte-coder:main on May 31, 2026
…iyanshu-byte-coder#1748)

Root cause (confirmed)
----------------------
The initial migration created local_coding_api_keys with a single column api_key to store SHA-256 hashes. A later migration added api_key_hash as a nullable column.

At the time issue Priyanshu-byte-coder#1748 was filed, the code was split:

    Creation → insert({ api_key: hash })      # only api_key written
    Auth     → .eq("api_key_hash", hash)      # only api_key_hash read

Every key generated through the UI was therefore permanently invalid; authentication always returned "Invalid API key".

Applied fix (in place on main branch)
--------------------------------------
Key creation now writes the same SHA-256 hash to BOTH columns:

    insert({ api_key: hash, api_key_hash: hash })

Authentication queries BOTH columns with an OR filter so that pre-existing rows (with only api_key populated) and newly created rows (with both populated) authenticate identically:

    .or("api_key_hash.eq.<hash>,api_key.eq.<hash>")

This preserves backward compatibility with any deployment that had keys created before the api_key_hash column existed.

Regression test suite — test/local-coding-auth-regression.test.ts (9 tests)
-----------------------------------------------------------------------------
Tests added in this commit provide explicit coverage that was absent:

* Key creation writes hash to api_key AND api_key_hash.
* POST /local-coding/sync uses OR filter across both columns.
* Legacy row (api_key only, api_key_hash NULL) still authenticates.
* Invalid key is rejected by both POST and GET sync handlers.
* GET /local-coding/sync was previously untested; 4 tests now cover:
  - missing Authorization header → 401
  - invalid key → 401
  - valid key → 200 with session data
  - same OR filter used as POST
* Hash function consistency: verifies the hash written during creation would satisfy the filter used during authentication.

The pre-existing tests in test/local-coding-keys.test.ts and test/local-coding-sync.test.ts continue to pass unchanged.
Closes Priyanshu-byte-coder#1748
dd5fead into Priyanshu-byte-coder:main
4 of 5 checks passed
Closes #1748
Root cause (confirmed)
The initial migration (20260521000000_add_local_coding_tables.sql) created local_coding_api_keys with a single column api_key to store SHA-256 key hashes. A later migration (20260522000000_add_api_key_hash_column.sql) added api_key_hash as a nullable column.

While the schema had two columns, the application code was split:

POST /api/local-coding/keys | api_key only
POST /api/local-coding/sync | api_key_hash only

Every key generated through the UI therefore failed authentication immediately — the hash was in api_key but the lookup was in api_key_hash.

Applied fix (already on main)
Key creation now writes the same SHA-256 hash to both columns:

Authentication uses an OR filter across both columns, which handles both pre-migration rows (only api_key populated) and newly created rows (both populated):

What this PR adds — test/local-coding-auth-regression.test.ts (9 new tests)
The fix was in place but lacked explicit regression coverage. This PR adds a dedicated test file:

api_key AND api_key_hash POST /keys api_key set) still authenticates

Test results
All 9 new tests pass. All 13 pre-existing tests in test/local-coding-keys.test.ts and test/local-coding-sync.test.ts pass unchanged. The single failing test (test/dateUtils.test.ts timezone boundary) is a pre-existing, unrelated issue.
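
The column mismatch and the OR-filter fix described in this PR, modelled against an in-memory table. This is an added example, not code from the DevTrack repository: the helper names, the sample key and the small filter evaluator are assumptions made for illustration.

```javascript
// Added example: in-memory stand-in for the local_coding_api_keys table.
// Helper names and the sample key are constructed, not taken from DevTrack.
const { createHash } = require("node:crypto");

const sha256Hex = (rawKey) => createHash("sha256").update(rawKey).digest("hex");

// Creation as it was when #1748 was filed: only api_key is written.
function createKeyBeforeFix(table, rawKey) {
  table.push({ api_key: sha256Hex(rawKey), api_key_hash: null });
}

// Creation after the fix: the same hash goes to both columns.
function createKeyFixed(table, rawKey) {
  const hash = sha256Hex(rawKey);
  table.push({ api_key: hash, api_key_hash: hash });
}

// Auth as it was: the equivalent of .eq("api_key_hash", hash).
function authBeforeFix(table, rawKey) {
  const hash = sha256Hex(rawKey);
  return table.some((row) => row.api_key_hash === hash);
}

// The OR filter string in the form quoted in the PR.
const orFilter = (hash) => `api_key_hash.eq.${hash},api_key.eq.${hash}`;

// Tiny evaluator for "col.eq.value,col.eq.value" (illustration only).
function rowMatches(row, filter) {
  return filter.split(",").some((clause) => {
    const [column, op, value] = clause.split(".");
    return op === "eq" && row[column] === value;
  });
}

// Auth after the fix: a row matches if either column holds the hash.
function authFixed(table, rawKey) {
  const filter = orFilter(sha256Hex(rawKey));
  return table.some((row) => rowMatches(row, filter));
}

function runScenario() {
  const rawKey = "example-local-coding-key"; // constructed sample value
  const legacy = [], current = [];
  createKeyBeforeFix(legacy, rawKey);
  createKeyFixed(current, rawKey);
  return {
    legacyRowOldAuth: authBeforeFix(legacy, rawKey),
    legacyRowFixedAuth: authFixed(legacy, rawKey),
    newRowFixedAuth: authFixed(current, rawKey),
    wrongKeyFixedAuth: authFixed(current, "not-the-key"),
  };
}
```

A legacy row has a NULL api_key_hash, so the OR filter is what lets it authenticate; a wrong key still matches neither column.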