feat: add static api key middleware for dev stats (CM-1055)#3933
Conversation
189109c to f7b8cc5
Pull request overview
This PR introduces a new “DevStats” public API surface by adding a static API key authentication middleware and mounting a new /v1/dev-stats router with a placeholder endpoint.
Changes:
- Added devStats.apiKey configuration wiring via CROWD_DEV_STATS_API_KEY.
- Implemented staticApiKeyMiddleware and mounted the DevStats router at /v1/dev-stats.
- Added a placeholder POST /v1/dev-stats/affiliations endpoint for initial connectivity testing.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| backend/src/conf/index.ts | Exposes DEV_STATS_CONFIG from node-config. |
| backend/src/conf/configTypes.ts | Adds DevStatsConfiguration type. |
| backend/src/api/public/v1/dev-stats/index.ts | Introduces DevStats router with a placeholder POST /affiliations. |
| backend/src/api/public/middlewares/staticApiKeyMiddleware.ts | Adds static API key auth middleware and sets req.actor. |
| backend/src/api/public/index.ts | Mounts DevStats router behind the static API key middleware. |
| backend/config/default.json | Adds devStats config block. |
| backend/config/custom-environment-variables.json | Maps devStats.apiKey to CROWD_DEV_STATS_API_KEY. |
| backend/.env.dist.local | Adds local env template entry for CROWD_DEV_STATS_API_KEY. |
Signed-off-by: Umberto Sgueglia <usgueglia@contractor.linuxfoundation.org>
9797104 to e5cc1dd
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| req.actor = { id: apiKey.name, type: 'service', scopes: apiKey.scopes } | ||
|
|
||
| next() | ||
| } |
Async middleware missing try-catch causes request hang
High Severity
The staticApiKeyMiddleware is an async function, but Express 4.17.1 does not automatically catch rejected promises from async middleware. If optionsQx(req) or findApiKeyByHash throws (e.g., a database error), the rejection is unhandled and the request hangs indefinitely. The rest of the codebase wraps async handlers with safeWrap from errorMiddleware.ts to forward errors via next(err). This middleware needs a try/catch around the awaited calls that forwards caught errors to next.
| "updatedAt" TIMESTAMPTZ NOT NULL DEFAULT now() | ||
| ); | ||
|
|
||
| CREATE INDEX "ix_apiKeys_keyHash" ON "apiKeys" ("keyHash"); |
Redundant index on unique-constrained keyHash column
Low Severity
The "keyHash" column is declared UNIQUE on line 4, which already creates an implicit unique B-tree index in PostgreSQL. The explicit CREATE INDEX "ix_apiKeys_keyHash" on the same column creates a second, redundant index that wastes storage and slows writes without any query benefit.


Summary
Sets up the foundation for the DevStats public API:
- CROWD_DEV_STATS_API_KEY static API key authentication middleware
- /v1/dev-stats with a temporary placeholder endpoint for testing

Test plan
- POST /api/v1/dev-stats/affiliations without a key → 401

Note
Medium Risk
Introduces a new authentication path (API keys) and a new apiKeys persistence table; mistakes here could unintentionally grant/deny access or weaken protection on the new public endpoint.

Overview
Adds a new public v1/dev-stats route protected by a staticApiKeyMiddleware that validates Bearer API keys (hash lookup, revoked/expired checks) and sets req.actor scopes for downstream authorization.
Introduces an apiKeys database table plus data-access helpers to fetch keys by hash and update lastUsedAt, and adds the new read:affiliations scope used by a rate-limited placeholder POST /affiliations endpoint.
Written by Cursor Bugbot for commit 474c2ea.
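As an added example (not code from this PR or the crowd.dev codebase), the following TypeScript sketch shows the middleware shape the Bugbot summary describes, a Bearer API key resolved by hash lookup with revoked/expired checks and req.actor scopes for downstream authorization, together with the fix Bugbot's first comment asks for: the awaited lookup sits inside a try/catch that forwards any thrown error via next(err), so a store failure produces an error response instead of a hung request. The Express types are replaced by minimal stand-ins so it runs without the express package; the record shape, the findApiKeyByHash signature, SHA-256 key hashing, the key names and the failing store are all assumptions or constructed fixtures, not the project's own.

```typescript
import { createHash } from "node:crypto";

// Minimal stand-ins for the Express Request/Response/NextFunction types so this
// runs without the express package (assumption: reduced to the members used here).
export interface Actor { id: string; type: "service"; scopes: string[] }
export interface Req { headers: Record<string, string | undefined>; actor?: Actor }
export interface Res { status(code: number): Res; json(body: unknown): Res }
export type Next = (err?: unknown) => void;
export type Middleware = (req: Req, res: Res, next: Next) => void | Promise<void>;

// Hypothetical persisted key record; the PR's real apiKeys table may differ.
export interface ApiKeyRecord {
  name: string;
  keyHash: string;
  scopes: string[];
  revokedAt: Date | null;
  expiresAt: Date | null;
}
export type FindApiKeyByHash = (keyHash: string) => Promise<ApiKeyRecord | undefined>;

// Only the hash of a key is stored, so a leaked table does not leak usable keys.
export function hashApiKey(rawKey: string): string {
  return createHash("sha256").update(rawKey, "utf8").digest("hex");
}

// Factory so the store and the clock can be injected; `now` defaults to the wall clock.
export function makeStaticApiKeyMiddleware(
  findApiKeyByHash: FindApiKeyByHash,
  now: () => Date = () => new Date(),
): Middleware {
  return async function staticApiKeyMiddleware(req: Req, res: Res, next: Next): Promise<void> {
    const header = req.headers["authorization"];
    const match = header ? /^Bearer\s+(\S+)$/.exec(header) : null;
    if (!match) {
      res.status(401).json({ error: "missing or malformed Authorization header" });
      return;
    }
    try {
      // Everything that can reject lives inside the try: Express 4 does not
      // catch rejected promises from async middleware on its own.
      const record = await findApiKeyByHash(hashApiKey(match[1]));
      if (
        !record ||
        record.revokedAt !== null ||
        (record.expiresAt !== null && record.expiresAt.getTime() <= now().getTime())
      ) {
        res.status(401).json({ error: "invalid api key" }); // same answer for unknown/revoked/expired
        return;
      }
      req.actor = { id: record.name, type: "service", scopes: record.scopes };
      next();
    } catch (err) {
      next(err); // forward to the error middleware instead of leaving the request hanging
    }
  };
}

// Downstream authorization on the scopes the middleware attached to req.actor.
export function requireScope(scope: string): Middleware {
  return (req, res, next) => {
    if (!req.actor || !req.actor.scopes.includes(scope)) {
      res.status(403).json({ error: `missing scope ${scope}` });
      return;
    }
    next();
  };
}

// ---- Constructed fixtures and a small harness so the middleware runs offline ----
export const FIXED_NOW = new Date("2025-01-01T00:00:00Z");

function fixture(name: string, rawKey: string, scopes: string[],
                 revokedAt: Date | null, expiresAt: Date | null): [string, ApiKeyRecord] {
  const keyHash = hashApiKey(rawKey);
  return [keyHash, { name, keyHash, scopes, revokedAt, expiresAt }];
}
const CONSTRUCTED_KEYS = new Map<string, ApiKeyRecord>([
  fixture("dev-stats-client", "constructed-valid-key", ["read:affiliations"], null, null),
  fixture("no-scope-client", "constructed-unscoped-key", [], null, null),
  fixture("old-client", "constructed-revoked-key", ["read:affiliations"], new Date("2024-06-01T00:00:00Z"), null),
  fixture("trial-client", "constructed-expired-key", ["read:affiliations"], null, new Date("2024-12-31T00:00:00Z")),
]);
export const inMemoryStore: FindApiKeyByHash = async (keyHash) => CONSTRUCTED_KEYS.get(keyHash);
export const failingStore: FindApiKeyByHash = async () => { throw new Error("constructed database outage"); };

class FakeRes implements Res {
  statusCode = 200;
  body: unknown = undefined;
  status(code: number) { this.statusCode = code; return this; }
  json(body: unknown) { this.body = body; return this; }
}

export interface RunResult { status: number; body: unknown; nextCalled: boolean; nextErr: unknown; actor?: Actor }

// Drives one middleware against a constructed request and reports what it did.
export async function runMiddleware(mw: Middleware, headers: Record<string, string>, actor?: Actor): Promise<RunResult> {
  const req: Req = { headers, actor };
  const res = new FakeRes();
  let nextCalled = false;
  let nextErr: unknown = undefined;
  await mw(req, res, (err?: unknown) => { nextCalled = true; nextErr = err; });
  return { status: res.statusCode, body: res.body, nextCalled, nextErr, actor: req.actor };
}
```

Wiring it in is `router.use(makeStaticApiKeyMiddleware(findApiKeyByHash))` followed by `router.post("/affiliations", requireScope("read:affiliations"), handler)`; with the failing store, `runMiddleware` reports `nextCalled === true` and an `Error` in `nextErr`, which is exactly what the error middleware needs to turn the outage into a response.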