Skip to content

Bug: gatewayRoutes returns 500 instead of 401 when API key prefix exists but hash mismatches #421

Description

@greatest0fallt1me

Description

When a valid prefix is matched but the hash comparison fails, the gateway throws inside apiKeyRepository and surfaces as a 500. The correct response is a 401 with a generic message and no timing oracle.

Requirements and Context

  • Wrap the hash compare in a constant-time path returning a typed InvalidKey error
  • Update gateway handler to map to UnauthorizedError
  • Add Jest test for the exact mismatch path
  • Must be secure, tested, and documented
  • Should be efficient and easy to review

Suggested Execution

  1. Fork the repo and create a branch
    git checkout -b bug/gateway-prefix-hash-mismatch
  2. Implement changes
    • src/repositories/apiKeyRepository.ts
    • src/routes/gatewayRoutes.ts
  3. Test and commit
    • npm test -- gatewayRoutes
    • Cover edge cases (constant-time path verified)
    • Include test output and notes in the PR

Example commit message

fix: gateway returns 401 on hash mismatch

Acceptance Criteria

  • Mismatch returns 401 not 500
  • No timing oracle observable in test
  • Tests cover both happy and mismatch paths
  • Docs updated

Guidelines

  • Backend (Node/TS): Jest, minimum 90% coverage
  • Clear documentation and inline comments
  • Timeframe: 96 hours

Metadata

Metadata

Assignees

Labels

GRANTFOX OSSGrantFox open-source campaign taskMAYBE REWARDEDMay be rewarded under the GrantFox campaignOFFICIAL CAMPAIGNOfficial GrantFox campaign issueStellar WaveIssues in the Stellar wave programbackendBackend service worksecuritySecurity hardening

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions