perf: Add apiKey fingerprint for lookups

Author: DaevMithran

src/controllers/admin/api-key.ts

@@ -391,27 +391,28 @@ export class APIKeyController {
 				} satisfies APIKeyGetResponseBody);
 			}
 			// Otherwise try to get the latest not revoked API key
-			const keys = await APIKeyService.instance.find(
+			const key = await APIKeyService.instance.findOne(
 				{
 					customer: response.locals.customer,
 					revoked: false,
 				},
+				undefined,
+				options,
 				{
 					createdAt: 'DESC',
-				},
-				options
+				}
 			);
-			if (keys.length == 0) {
+			if (!key) {
 				return response.status(StatusCodes.NOT_FOUND).json({
 					error: 'API key not found',
 				});
 			}
 			return response.status(StatusCodes.OK).json({
-				apiKey: keys[0].apiKey,
-				name: keys[0].name,
-				createdAt: keys[0].createdAt.toISOString(),
-				expiresAt: keys[0].expiresAt.toISOString(),
-				revoked: keys[0].revoked,
+				apiKey: key.apiKey,
+				name: key.name,
+				createdAt: key.createdAt.toISOString(),
+				expiresAt: key.expiresAt.toISOString(),
+				revoked: key.revoked,
 			} satisfies APIKeyGetResponseBody);
 		} catch (error) {
 			return response.status(StatusCodes.INTERNAL_SERVER_ERROR).json({

src/database/entities/api.key.entity.ts

@@ -1,4 +1,4 @@
-import { BeforeInsert, BeforeUpdate, Column, Entity, JoinColumn, ManyToOne } from 'typeorm';
+import { BeforeInsert, BeforeUpdate, Column, Entity, Index, JoinColumn, ManyToOne } from 'typeorm';
 
 import * as dotenv from 'dotenv';
 import { CustomerEntity } from './customer.entity.js';
@@ -58,6 +58,13 @@ export class APIKeyEntity {
 	@JoinColumn({ name: 'userId' })
 	user!: UserEntity;
 
+	@Index({ unique: true })
+	@Column({
+		type: 'varchar',
+		nullable: false,
+	})
+	fingerprint!: string;
+
 	@BeforeInsert()
 	setCreatedAt() {
 		this.createdAt = new Date();
@@ -79,7 +86,8 @@ export class APIKeyEntity {
 		expiresAt: Date,
 		customer: CustomerEntity,
 		user: UserEntity,
-		revoked = false
+		revoked = false,
+		fingerprint: string
 	) {
 		this.apiKeyHash = apiKeyHash;
 		this.apiKey = apiKey;
@@ -88,5 +96,6 @@ export class APIKeyEntity {
 		this.customer = customer;
 		this.user = user;
 		this.revoked = revoked;
+		this.fingerprint = fingerprint;
 	}
 }

src/database/migrations/InsertFingerprintApiKeyTable.ts

@@ -0,0 +1,44 @@
+import { TableColumn, type MigrationInterface, type QueryRunner } from 'typeorm';
+import { SecretBox } from '@veramo/kms-local';
+import { sha256 } from '../../utils'; // ensure this returns a hex string
+
+export class InsertFingerprintAPIKeyTable1746780465032 implements MigrationInterface {
+	public async up(queryRunner: QueryRunner): Promise<void> {
+		const tableName = 'apiKey';
+		const secretBox = new SecretBox(process.env.EXTERNAL_DB_ENCRYPTION_KEY);
+
+		// Step 1: Delete all revoked API keys
+		await queryRunner.query(`DELETE FROM "${tableName}" WHERE "revoked" = true`);
+
+		// Step 2: Add the fingerprint column (non-nullable, no default)
+		await queryRunner.addColumn(
+			tableName,
+			new TableColumn({
+				name: 'fingerprint',
+				type: 'varchar',
+				isNullable: false,
+			})
+		);
+
+		// Step 3: Add fingerprints for non-revoked keys
+		const records: any[] = await queryRunner.query(`SELECT "apiKey", "apiKeyHash" FROM "${tableName}"`);
+		for (const record of records) {
+			const decryptedKey = await secretBox.decrypt(record.apiKey);
+			const fingerprint = sha256(decryptedKey);
+			await queryRunner.query(`UPDATE "${tableName}" SET "fingerprint" = $1 WHERE "apiKeyHash" = $2`, [
+				fingerprint,
+				record.apiKeyHash,
+			]);
+		}
+
+		// Step 4: Add a unique index on fingerprint
+		await queryRunner.query(
+			`CREATE UNIQUE INDEX "IDX_apiKey_c5fdf6760b38094e0905ac85e4" ON "${tableName}" ("fingerprint") `
+		);
+	}
+
+	public async down(queryRunner: QueryRunner): Promise<void> {
+		await queryRunner.query(`DROP INDEX "IDX_apiKey_c5fdf6760b38094e0905ac85e4"`);
+		await queryRunner.dropColumn('apiKey', 'fingerprint');
+	}
+}

src/services/admin/api-key.ts

@@ -1,16 +1,16 @@
-import type { Repository } from 'typeorm';
+import type { FindOptionsOrder, FindOptionsRelations, FindOptionsWhere, Repository } from 'typeorm';
+import type { CustomerEntity } from '../../database/entities/customer.entity.js';
+import type { UserEntity } from '../../database/entities/user.entity.js';
+import type { APIServiceOptions } from '../../types/admin.js';
 import { decodeJWT } from 'did-jwt';
 import bcrypt from 'bcrypt';
 import { randomBytes, createHmac } from 'crypto';
+import { SecretBox } from '@veramo/kms-local';
 import { Connection } from '../../database/connection/connection.js';
-
-import * as dotenv from 'dotenv';
-import type { CustomerEntity } from '../../database/entities/customer.entity.js';
 import { APIKeyEntity } from '../../database/entities/api.key.entity.js';
-import type { UserEntity } from '../../database/entities/user.entity.js';
-import { SecretBox } from '@veramo/kms-local';
 import { API_SECRET_KEY_LENGTH, API_KEY_PREFIX, API_KEY_EXPIRATION } from '../../types/constants.js';
-import type { APIServiceOptions } from '../../types/admin.js';
+import { sha256 } from '../../utils/index.js';
+import * as dotenv from 'dotenv';
 dotenv.config();
 
 export class APIKeyService {
@@ -35,11 +35,17 @@ export class APIKeyService {
 		revoked = false,
 		options?: APIServiceOptions
 	): Promise<APIKeyEntity> {
-		const apiKeyHash = await APIKeyService.hashAPIKey(apiKey);
 		const { decryptionNeeded } = options || {};
 		if (!apiKey) {
 			throw new Error('API key is not specified');
 		}
+
+		// fingerprint
+		const fingerprint = sha256(apiKey);
+
+		// slow - hash
+		const apiKeyHash = await APIKeyService.hashAPIKey(apiKey);
+
 		if (!name) {
 			throw new Error('API key name is not specified');
 		}
@@ -50,7 +56,10 @@ export class APIKeyService {
 			expiresAt = new Date();
 			expiresAt.setMonth(expiresAt.getDay() + API_KEY_EXPIRATION);
 		}
+
+		// encrypt the key
 		const encryptedAPIKey = await this.encryptAPIKey(apiKey);
+
 		// Create entity
 		const apiKeyEntity = new APIKeyEntity(
 			apiKeyHash,
@@ -59,7 +68,8 @@ export class APIKeyService {
 			expiresAt,
 			user.customer,
 			user,
-			revoked
+			revoked,
+			fingerprint
 		);
 		const apiKeyRecord = (await this.apiKeyRepository.insert(apiKeyEntity)).identifiers[0];
 		if (!apiKeyRecord) throw new Error(`Cannot create a new API key`);
@@ -131,31 +141,45 @@ export class APIKeyService {
 	}
 
 	public async get(apiKey: string, options?: APIServiceOptions) {
-		const { decryptionNeeded } = options || {};
+		// fingerprint
+		const fingerprint = sha256(apiKey);
 
-		// ToDo: possible bottleneck cause we are fetching all the keys
-		for (const record of await this.find({})) {
-			if (await APIKeyService.compareAPIKey(apiKey, record.apiKeyHash)) {
-				if (decryptionNeeded) {
-					record.apiKey = await this.decryptAPIKey(record.apiKey);
-				}
-				return record;
-			}
+		// fetch the api key entity
+		const apiKeyEntity = await APIKeyService.instance.findOne(
+			{
+				fingerprint,
+			},
+			{ customer: true, user: true },
+			options
+		);
+		if (!apiKeyEntity) {
+			throw new Error('Invalid API key');
+		}
+
+		// validate expiry
+		if (apiKeyEntity.revoked) {
+			throw new Error('API Key is expired');
 		}
-		return null;
+
+		// bcrypt comparison
+		const isValid = await APIKeyService.compareAPIKey(apiKey, apiKeyEntity.apiKeyHash);
+		if (!isValid) throw new Error('Invalid API key');
+
+		return apiKeyEntity;
 	}
 
 	public async find(
-		where: Record<string, unknown>,
-		order?: Record<string, 'ASC' | 'DESC'>,
-		options?: APIServiceOptions
+		where: FindOptionsWhere<APIKeyEntity>,
+		relations?: FindOptionsRelations<APIKeyEntity>,
+		options?: APIServiceOptions,
+		order?: FindOptionsOrder<APIKeyEntity>
 	) {
 		try {
 			const { decryptionNeeded } = options || {};
 			const apiKeyList = await this.apiKeyRepository.find({
-				where: where,
-				relations: ['customer', 'user'],
-				order: order,
+				where,
+				relations,
+				order,
 			});
 			if (decryptionNeeded) {
 				for (const apiKey of apiKeyList) {
@@ -168,6 +192,25 @@ export class APIKeyService {
 		}
 	}
 
+	public async findOne(
+		where: FindOptionsWhere<APIKeyEntity>,
+		relations?: FindOptionsRelations<APIKeyEntity>,
+		options?: APIServiceOptions,
+		order?: FindOptionsOrder<APIKeyEntity>
+	) {
+		const apiKeyEntity = await this.apiKeyRepository.findOne({
+			where,
+			relations,
+			order,
+		});
+
+		if (apiKeyEntity && options?.decryptionNeeded) {
+			apiKeyEntity.apiKey = await this.decryptAPIKey(apiKeyEntity.apiKey);
+		}
+
+		return apiKeyEntity;
+	}
+
 	// Utils
 	public static generateAPIKey(userId: string): string {
 		const apiKey = createHmac('sha512', randomBytes(API_SECRET_KEY_LENGTH).toString('hex'))

src/services/identity/abstract.ts

@@ -229,7 +229,7 @@ export abstract class AbstractIdentityService implements IIdentityService {
 	updateAPIKey(apiKey: APIKeyEntity, newApiKey: string): Promise<APIKeyEntity> {
 		throw new Error(`Not supported`);
 	}
-	getAPIKey(customer: CustomerEntity, user: UserEntity): Promise<APIKeyEntity | undefined> {
+	getAPIKey(customer: CustomerEntity, user: UserEntity): Promise<APIKeyEntity | null> {
 		throw new Error(`Not supported`);
 	}
 	decryptAPIKey(apiKey: string): Promise<string> {

src/services/identity/index.ts

@@ -171,7 +171,7 @@ export interface IIdentityService {
 	): Promise<UnsuspensionResult | BulkUnsuspensionResult>;
 	setAPIKey(apiKey: string, customer: CustomerEntity, user: UserEntity): Promise<APIKeyEntity>;
 	updateAPIKey(apiKey: APIKeyEntity, newApiKey: string): Promise<APIKeyEntity>;
-	getAPIKey(customer: CustomerEntity, user: UserEntity): Promise<APIKeyEntity | undefined>;
+	getAPIKey(customer: CustomerEntity, user: UserEntity): Promise<APIKeyEntity | null>;
 	decryptAPIKey(apiKey: string): Promise<string>;
 }
 

src/services/identity/postgres.ts

@@ -579,22 +579,14 @@ export class PostgresIdentityService extends DefaultIdentityService {
 		return apiKeyEntity;
 	}
 
-	async getAPIKey(customer: CustomerEntity, user: UserEntity): Promise<APIKeyEntity | undefined> {
+	async getAPIKey(customer: CustomerEntity, user: UserEntity): Promise<APIKeyEntity | null> {
 		const options = { decryptionNeeded: true } satisfies APIServiceOptions;
-		const keys = await APIKeyService.instance.find(
+		const key = await APIKeyService.instance.findOne(
 			{ customer: customer, user: user, revoked: false, name: 'idToken' },
 			undefined,
 			options
 		);
-		if (keys.length > 1) {
-			throw new Error(
-				`For the customer with customer id ${customer.customerId} and user with logToId ${user.logToId} there more then 1 API key`
-			);
-		}
-		if (keys.length == 0) {
-			return undefined;
-		}
-		return keys[0];
+		return key;
 	}
 
 	async decryptAPIKey(apiKey: string): Promise<string> {

src/utils/index.ts

@@ -1,3 +1,5 @@
+import { createHash } from 'crypto';
+
 export function getStripeObjectKey(input: string | { id: string } | null) {
 	if (!input) {
 		return '';
@@ -9,3 +11,7 @@ export function getStripeObjectKey(input: string | { id: string } | null) {
 
 	return input.id;
 }
+
+export function sha256(input: string): string {
+	return createHash('sha256').update(input).digest('hex');
+}