fix: compare API key expiration with full timestamp precision#29774
fix: compare API key expiration with full timestamp precision#29774Emran-Y wants to merge 2 commits into
Conversation
The apiKeyStrategy was comparing expiry with day-level granularity by zeroing the time component of both dates via setHours(0,0,0,0). This meant an API key that expired at midnight today was treated as valid throughout the entire day. Also, setHours() mutates the original Date object, so after the comparison keyData.expiresAt would have its time zeroed to midnight. Fix: compare the full Date objects directly (new Date() > new Date(keyData.expiresAt)) without mutating. This matches the Prisma schema where expiresAt is a DateTime with full timestamp precision. Fixes: calcom#29728
|
Welcome to Cal.diy, @Emran-Y! Thanks for opening this pull request. A few things to keep in mind:
A maintainer will review your PR soon. Thanks for contributing! |
|
Re-opening from the correct fork |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe API key strategy now compares the current timestamp directly with 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts`:
- Line 245: Update the expiration check in the API authentication strategy to
use an inclusive comparison, so a key is rejected when the current time is equal
to or later than keyData.expiresAt. Preserve the existing handling for keys
without an expiration value.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 1baac02c-a8b6-4a3c-8bbc-6c3f3bfc5a7f
📒 Files selected for processing (1)
apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts
Reject keys that expire at the exact current timestamp, not just keys that have strictly passed their expiration time. Co-authored-by: CodeRabbit <coderabbit@users.noreply.github.com>
Description
API keys with an
expiresAttimestamp that has already passed were still accepted by the API v2 authentication layer. The expiry comparison used day-level granularity by zeroing the time component of both dates viasetHours(0,0,0,0), meaning a key that expired at midnight today remained valid throughout the entire day.Additionally,
Date.setHours()mutates the original Date object in-place, so after the comparison the storedkeyData.expiresAthad its time component zeroed to midnight.Fix
Changed the comparison from day-level granularity to full timestamp precision:
The fix:
keyData.expiresAtinstead of mutating the originalFixes #29728