Skip to content

fix: use exact timestamp comparison for API key expiry check#29756

Open
prathamesh04 wants to merge 1 commit into
calcom:mainfrom
prathamesh04:fix/api-key-expiry-check
Open

fix: use exact timestamp comparison for API key expiry check#29756
prathamesh04 wants to merge 1 commit into
calcom:mainfrom
prathamesh04:fix/api-key-expiry-check

Conversation

@prathamesh04

Copy link
Copy Markdown

Problem

API keys with an expiresAt timestamp that has already passed are still accepted by the API v2 authentication layer. The expiry comparison uses day-level granularity via setHours(0, 0, 0, 0), causing:

  1. Keys expired at any time during the day to be accepted until midnight
  2. The expiresAt Date object to be mutated (time zeroed to midnight)

Fixes #29728

Solution

Changed the comparison to use exact timestamps instead of day-level granularity:

// Before
const isKeyExpired = keyData.expiresAt && new Date().setHours(0, 0, 0, 0) > keyData.expiresAt.setHours(0, 0, 0, 0);

// After  
const isKeyExpired = keyData.expiresAt && new Date() > keyData.expiresAt;

This ensures:

  • Expired keys are rejected immediately when their exact expiresAt time has passed
  • The original expiresAt Date object is not mutated

The previous implementation used setHours(0, 0, 0, 0) which truncated both
dates to midnight for day-level granularity comparison. This caused:
1. Keys expired at any time during the day to be accepted until midnight
2. The expiresAt Date object to be mutated (time zeroed to midnight)

Fixes calcom#29728
@github-actions

Copy link
Copy Markdown
Contributor

Welcome to Cal.diy, @prathamesh04! Thanks for opening this pull request.

A few things to keep in mind:

  • This is Cal.diy, not Cal.com. Cal.diy is a community-driven, fully open-source fork of Cal.com licensed under MIT. Your changes here will be part of Cal.diy — they will not be deployed to the Cal.com production app.
  • Please review our Contributing Guidelines if you haven't already.
  • Make sure your PR title follows the Conventional Commits format.

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions Bot added the 🐛 bug Something isn't working label Jul 12, 2026
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1d474335-ef47-4b7a-b551-01187f06125e

📥 Commits

Reviewing files that changed from the base of the PR and between f004349 and 8a3ff6c.

📒 Files selected for processing (1)
  • apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts

📝 Walkthrough

Walkthrough

The API key authentication strategy now compares new Date() directly with keyData.expiresAt. The previous normalization of both timestamps to midnight was removed, changing expiration behavior at time-of-day boundaries.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: switching API key expiry checks to exact timestamp comparison.
Description check ✅ Passed The description matches the code change and explains the exact-timestamp expiry fix.
Linked Issues check ✅ Passed The change addresses the linked bug by comparing exact timestamps and preserving the original expiresAt value.
Out of Scope Changes check ✅ Passed No unrelated or out-of-scope changes are indicated beyond the expiry check fix.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

🐛 bug Something isn't working size/XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Expired API keys accepted as valid for up to 24 hours past their expiration time

1 participant