Skip to content

fix: compare API key expiration with full timestamp precision#29774

Open
Emran-Y wants to merge 2 commits into
calcom:mainfrom
Emran-Y:fix/expired-api-keys-timestamp-precision
Open

fix: compare API key expiration with full timestamp precision#29774
Emran-Y wants to merge 2 commits into
calcom:mainfrom
Emran-Y:fix/expired-api-keys-timestamp-precision

Conversation

@Emran-Y

@Emran-Y Emran-Y commented Jul 14, 2026

Copy link
Copy Markdown

Description

API keys with an expiresAt timestamp that has already passed were still accepted by the API v2 authentication layer. The expiry comparison used day-level granularity by zeroing the time component of both dates via setHours(0,0,0,0), meaning a key that expired at midnight today remained valid throughout the entire day.

Additionally, Date.setHours() mutates the original Date object in-place, so after the comparison the stored keyData.expiresAt had its time component zeroed to midnight.

Fix

Changed the comparison from day-level granularity to full timestamp precision:

// Before (buggy)
keyData.expiresAt && new Date().setHours(0,0,0,0) > keyData.expiresAt.setHours(0,0,0,0)

// After (fixed)
keyData.expiresAt && new Date() > new Date(keyData.expiresAt)

The fix:

  • Compares full Date objects with millisecond precision
  • Creates a new Date from keyData.expiresAt instead of mutating the original
  • Expired keys are immediately rejected, not delayed by up to 24 hours

Fixes #29728

The apiKeyStrategy was comparing expiry with day-level granularity
by zeroing the time component of both dates via setHours(0,0,0,0).
This meant an API key that expired at midnight today was treated as
valid throughout the entire day. Also, setHours() mutates the
original Date object, so after the comparison keyData.expiresAt
would have its time zeroed to midnight.

Fix: compare the full Date objects directly (new Date() > new Date(keyData.expiresAt))
without mutating. This matches the Prisma schema where expiresAt is
a DateTime with full timestamp precision.

Fixes: calcom#29728
@github-actions

Copy link
Copy Markdown
Contributor

Welcome to Cal.diy, @Emran-Y! Thanks for opening this pull request.

A few things to keep in mind:

  • This is Cal.diy, not Cal.com. Cal.diy is a community-driven, fully open-source fork of Cal.com licensed under MIT. Your changes here will be part of Cal.diy — they will not be deployed to the Cal.com production app.
  • Please review our Contributing Guidelines if you haven't already.
  • Make sure your PR title follows the Conventional Commits format.

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions Bot added the 🐛 bug Something isn't working label Jul 14, 2026
@emranyonas

Copy link
Copy Markdown

Re-opening from the correct fork

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2b114778-0171-4350-adcf-149a5874a159

📥 Commits

Reviewing files that changed from the base of the PR and between f0091fb and 2dd1677.

📒 Files selected for processing (1)
  • apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts

📝 Walkthrough

Walkthrough

The API key strategy now compares the current timestamp directly with keyData.expiresAt when determining whether an API key has expired, replacing the previous midnight-normalized date comparison.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the main change: API key expiration now uses full timestamp precision.
Description check ✅ Passed The description matches the code change and explains the timestamp-precision fix.
Linked Issues check ✅ Passed The change satisfies #29728 by using exact timestamp comparison and avoiding mutation.
Out of Scope Changes check ✅ Passed No unrelated code changes are indicated beyond the API key expiration fix.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts`:
- Line 245: Update the expiration check in the API authentication strategy to
use an inclusive comparison, so a key is rejected when the current time is equal
to or later than keyData.expiresAt. Preserve the existing handling for keys
without an expiration value.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1baac02c-a8b6-4a3c-8bbc-6c3f3bfc5a7f

📥 Commits

Reviewing files that changed from the base of the PR and between f004349 and f0091fb.

📒 Files selected for processing (1)
  • apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts

Comment thread apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts Outdated
Reject keys that expire at the exact current timestamp, not just
keys that have strictly passed their expiration time.

Co-authored-by: CodeRabbit <coderabbit@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

🐛 bug Something isn't working size/XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Expired API keys accepted as valid for up to 24 hours past their expiration time

2 participants