Description
When a valid prefix is matched but the hash comparison fails, the gateway throws inside apiKeyRepository and surfaces as a 500. The correct response is a 401 with a generic message and no timing oracle.
Requirements and Context
- Wrap the hash compare in a constant-time path returning a typed
InvalidKey error
- Update gateway handler to map to
UnauthorizedError
- Add Jest test for the exact mismatch path
- Must be secure, tested, and documented
- Should be efficient and easy to review
Suggested Execution
- Fork the repo and create a branch
git checkout -b bug/gateway-prefix-hash-mismatch
- Implement changes
src/repositories/apiKeyRepository.ts
src/routes/gatewayRoutes.ts
- Test and commit
npm test -- gatewayRoutes
- Cover edge cases (constant-time path verified)
- Include test output and notes in the PR
Example commit message
fix: gateway returns 401 on hash mismatch
Acceptance Criteria
Guidelines
- Backend (Node/TS): Jest, minimum 90% coverage
- Clear documentation and inline comments
- Timeframe: 96 hours
Description
When a valid
prefixis matched but the hash comparison fails, the gateway throws insideapiKeyRepositoryand surfaces as a 500. The correct response is a 401 with a generic message and no timing oracle.Requirements and Context
InvalidKeyerrorUnauthorizedErrorSuggested Execution
src/repositories/apiKeyRepository.tssrc/routes/gatewayRoutes.tsnpm test -- gatewayRoutesExample commit message
Acceptance Criteria
Guidelines