Skip to content

feat: add database constraints for API key expiration and lifetime#20444

Closed
ThomasK33 wants to merge 1 commit into
mainfrom
thomask33/10-23-enforce_api_key_time_checks
Closed

feat: add database constraints for API key expiration and lifetime#20444
ThomasK33 wants to merge 1 commit into
mainfrom
thomask33/10-23-enforce_api_key_time_checks

Conversation

@ThomasK33
Copy link
Copy Markdown
Member

@ThomasK33 ThomasK33 commented Oct 23, 2025

Add Database Constraints for API Key Validity

This PR adds database-level constraints to ensure API keys have valid expiration times and lifetimes:

  1. Adds api_keys_expires_at_after_created constraint to ensure expiration dates are always at or after creation dates
  2. Adds api_keys_lifetime_seconds_positive constraint to enforce positive lifetime values

The migration includes defensive updates to fix any existing data that would violate these constraints:

  • Sets any zero or negative lifetime_seconds to 86400 (24 hours)
  • Updates any expires_at values that are before created_at to match the creation date

Tests have been updated to ensure proper creation dates are set when testing expired API keys.

This was referenced Oct 23, 2025
Merged
Merged
This was referenced Oct 23, 2025
Closed
Merged
Closed
Closed
Closed
Closed
Merged
Closed
Closed
Closed
@ThomasK33 Graphite App
Copy link
Copy Markdown
Member Author

ThomasK33 commented Oct 23, 2025
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 ThomasK33 mentioned this pull request Oct 23, 2025
Closed
@ThomasK33 ThomasK33 force-pushed the thomask33/10-23-enforce_api_key_time_checks branch from 18f8a4e to 9efa897 Compare October 24, 2025 10:23
@ThomasK33 ThomasK33 changed the base branch from thomask33/09-25-resource_scoped_api_keys_in_codersdk to graphite-base/20444 October 24, 2025 11:33
@ThomasK33 ThomasK33 force-pushed the thomask33/10-23-enforce_api_key_time_checks branch from 9efa897 to c853e86 Compare October 24, 2025 11:35
@ThomasK33 ThomasK33 force-pushed the graphite-base/20444 branch from 42451c1 to f684831 Compare October 24, 2025 11:35
@graphite-app graphite-app Bot changed the base branch from graphite-base/20444 to main October 24, 2025 11:36
@ThomasK33 ThomasK33 force-pushed the thomask33/10-23-enforce_api_key_time_checks branch 6 times, most recently from ed96ae7 to 653cb07 Compare October 24, 2025 16:45
@ThomasK33 ThomasK33 marked this pull request as ready for review October 24, 2025 16:46
@ThomasK33 ThomasK33 force-pushed the thomask33/10-23-enforce_api_key_time_checks branch from 653cb07 to 3090b36 Compare October 26, 2025 09:32
@ThomasK33 ThomasK33 force-pushed the thomask33/10-23-enforce_api_key_time_checks branch 6 times, most recently from 47af1e4 to 965240f Compare October 27, 2025 18:15
@ThomasK33 ThomasK33 force-pushed the thomask33/10-23-enforce_api_key_time_checks branch from 965240f to a8fd73e Compare October 28, 2025 08:08
@ThomasK33
fix: enforce API key lifetime and expiry constraints
cfe60ff 
Add checks to require positive API key lifetime and non-retro expiry.
Backfill bad rows before constraint to crash fast on regressions.
Update test API keys to assert sensible CreatedAt timestamps.
@ThomasK33 ThomasK33 force-pushed the thomask33/10-23-enforce_api_key_time_checks branch from a8fd73e to cfe60ff Compare October 28, 2025 13:48
@github-actions github-actions Bot added stale This issue is like stale bread. and removed stale This issue is like stale bread. labels Nov 5, 2025
@github-actions github-actions Bot added the stale This issue is like stale bread. label Nov 17, 2025
@github-actions github-actions Bot closed this Nov 20, 2025
@github-actions github-actions Bot deleted the thomask33/10-23-enforce_api_key_time_checks branch April 29, 2026 00:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@ThomasK33 ThomasK33

Labels

stale This issue is like stale bread.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ThomasK33