fix: api keys authentication does not work #1511

homarr-labs · Nov 20, 2024 · 4ffb40f · 4ffb40f
1 parent ed74604
commit 4ffb40f
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 7 deletions.
diff --git a/apps/nextjs/src/app/[locale]/manage/tools/api/components/api-keys.tsx b/apps/nextjs/src/app/[locale]/manage/tools/api/components/api-keys.tsx
@@ -23,7 +23,7 @@ export const ApiKeysManagement = ({ apiKeys }: ApiKeysManagementProps) => {
   const { mutate, isPending } = clientApi.apiKeys.create.useMutation({
     async onSuccess(data) {
       openModal({
-        apiKey: data.randomToken,
+        apiKey: data.apiKey,
       });
       await revalidatePathActionAsync("/manage/tools/api");
     },

diff --git a/apps/nextjs/src/app/api/[...trpc]/route.ts b/apps/nextjs/src/app/api/[...trpc]/route.ts
@@ -1,6 +1,7 @@
 import { createOpenApiFetchHandler } from "trpc-swagger/build/index.mjs";
 
 import { appRouter, createTRPCContext } from "@homarr/api";
+import { hashPasswordAsync } from "@homarr/auth";
 import type { Session } from "@homarr/auth";
 import { createSessionAsync } from "@homarr/auth/server";
 import { db, eq } from "@homarr/db";
@@ -28,12 +29,19 @@ const getSessionOrDefaultFromHeadersAsync = async (apiKeyHeaderValue: string | n
     return null;
   }
 
+  const [apiKeyId, apiKey] = apiKeyHeaderValue.split(".");
+
+  if (!apiKeyId || !apiKey) {
+    logger.warn("An attempt to authenticate over API has failed due to invalid API key format");
+    return null;
+  }
+
   const apiKeyFromDb = await db.query.apiKeys.findFirst({
-    where: eq(apiKeys.apiKey, apiKeyHeaderValue),
+    where: eq(apiKeys.id, apiKeyId),
     columns: {
       id: true,
-      apiKey: false,
-      salt: false,
+      apiKey: true,
+      salt: true,
     },
     with: {
       user: {
@@ -47,7 +55,14 @@ const getSessionOrDefaultFromHeadersAsync = async (apiKeyHeaderValue: string | n
     },
   });
 
-  if (apiKeyFromDb === undefined) {
+  if (!apiKeyFromDb) {
+    logger.warn("An attempt to authenticate over API has failed");
+    return null;
+  }
+
+  const hashedApiKey = await hashPasswordAsync(apiKey, apiKeyFromDb.salt);
+
+  if (apiKeyFromDb.apiKey !== hashedApiKey) {
     logger.warn("An attempt to authenticate over API has failed");
     return null;
   }

diff --git a/packages/api/src/router/apiKeys.ts b/packages/api/src/router/apiKeys.ts
@@ -28,14 +28,15 @@ export const apiKeysRouter = createTRPCRouter({
     const salt = await createSaltAsync();
     const randomToken = generateSecureRandomToken(64);
     const hashedRandomToken = await hashPasswordAsync(randomToken, salt);
+    const id = createId();
     await db.insert(apiKeys).values({
-      id: createId(),
+      id,
       apiKey: hashedRandomToken,
       salt,
       userId: ctx.session.user.id,
     });
     return {
-      randomToken,
+      apiKey: `${id}.${randomToken}`,
     };
   }),
 });