Skip to content

Improve error handling for API key validation (fixes #357) #469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Improve error handling for API key validation (fixes #357) #469

wants to merge 1 commit into from

Conversation

@DecentMakeover
Copy link

@DecentMakeover DecentMakeover commented Oct 23, 2025
edited by coderabbitai bot
Loading

Summary

This PR enhances error handling for API key validation in api_key_service.py, ensuring clear, specific, and secure error responses across validation scenarios. It also simplifies router logic and adds comprehensive test coverage.

Changes Made

1. Enhanced Error Handling (app/modules/auth/api_key_service.py:104–166)

  • Invalid format → Returns HTTP 401 when API key doesn’t start with sk-
  • Not found → Returns HTTP 401 if API key hash isn’t found in DB
  • Internal errors → Returns HTTP 500 with detailed logs for DB/internal issues
  • Logging added → All failure scenarios logged for easier debugging
  • Docstring updated → Improved documentation of return values and exceptions

2. Simplified Router Logic (app/api/router.py:69–74)

  • Removed redundant error handling since validate_api_key() now raises HTTPException directly
  • Centralized and cleaner error flow

3. Comprehensive Test Coverage (app/modules/auth/tests/api_key_service_test.py)

Added 25 unit tests covering:

  • API key generation: format, uniqueness, length
  • Hashing: consistency, hex format
  • Validation scenarios:
    • ✅ Successful validation
    • ❌ Invalid/missing prefix
    • ❌ Empty strings
    • ❌ API key not found in DB
    • ❌ Wrong prefix
    • ❌ Database errors
    • ❌ Special characters, unicode, whitespace
    • ❌ SQL injection attempts
    • ❌ Null bytes
    • ❌ Very long keys
  • API key creation: new vs existing users
  • API key revocation: success and edge cases

All tests pass successfully (25/25).

Test Results## Security Improvements

  • Proper handling of SQL injection attempts
  • Safe processing of malformed input (unicode, null bytes, special chars)
  • Consistent error messages without leaking sensitive info
  • Appropriate HTTP codes (401 for auth failures, 500 for server errors)

Fixes

Closes #357

Summary by CodeRabbit

  • Bug Fixes

    • Enhanced API key validation with improved error handling and clearer error messages for invalid, missing, or malformed keys.

  • Tests

    • Added comprehensive test coverage for API key management, including generation, validation, creation, and revocation scenarios.

@DecentMakeover
Improve error handling for API key validation (fixes potpie-ai#357)
575078e 
Summary:
Enhanced the validate_api_key() function to provide clear, actionable error messages instead of generic failures. This significantly improves debugging and user experience when API key validation fails.

Changes:
- Modified validate_api_key() to raise HTTPException with detailed messages:
  * 401: Invalid API key format (missing 'sk-' prefix)
  * 401: API key not found in database
  * 500: Internal or database error during validation
- Updated get_api_key_user() in router.py to align with new exception-based flow
- Added comprehensive docstring covering all error scenarios
- Created an extensive test suite with 25 unit tests covering:
  * API key generation (format, uniqueness, length)
  * API key hashing (consistency, security)
  * API key validation (success, failure modes, edge cases)
  * API key creation and revocation
  * Security scenarios (SQL injection, null bytes, etc.)

Result:
✅ More transparent error reporting
✅ Stronger security and robustness
✅ Full unit test coverage for all validation paths
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Oct 23, 2025

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

📥 Commits

Reviewing files that changed from the base of the PR and between 5e3aca3 and 575078e.

📒 Files selected for processing (3)
  • app/api/router.py (1 hunks)
  • app/modules/auth/api_key_service.py (2 hunks)
  • app/modules/auth/tests/api_key_service_test.py (1 hunks)
 ________________________________________________________________
< CodeHamster is my sidekick. She powers the GPU with her wheel. >
 ----------------------------------------------------------------
  \
   \   \
        \ /\
        ( )
      .( o ).

Tip

You can get early access to new features in CodeRabbit.

Enable the early_access setting in your project's settings in CodeRabbit to enable early access features such as new models, tools, and more.

✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Oct 23, 2025

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Improve Error Handling for API Key Validation (api_key_service.py)

1 participant

@DecentMakeover