fix bug api key managemtn for admin

2026-02-25 02:08:34 +07:00
parent 649473d2cc
commit c57755c09c
11 changed files with 126 additions and 46 deletions
--- a/03-apiservice/app/security/api_key.py
+++ b/03-apiservice/app/security/api_key.py
@@ -1,6 +1,10 @@
 import secrets
+from typing import Optional

 import bcrypt
+from cryptography.fernet import Fernet, InvalidToken
+
+from app.core.config import settings


 def generate_api_key(prefix_len: int = 8, token_bytes: int = 32) -> str:
@@ -20,3 +24,34 @@ def hash_api_key(api_key: str) -> str:

 def verify_api_key(api_key: str, api_key_hash: str) -> bool:
    return bcrypt.checkpw(api_key.encode("utf-8"), api_key_hash.encode("utf-8"))
+
+
+def _get_fernet() -> Fernet:
+    if not settings.API_KEY_ENC_SECRET:
+        raise ValueError("API_KEY_ENC_SECRET is not configured")
+    # Expect a base64 urlsafe key; if plaintext is provided, derive a Fernet key
+    secret = settings.API_KEY_ENC_SECRET
+    # If length is 44 and endswith '=', assume already a Fernet key
+    if len(secret) == 44 and secret.endswith("="):
+        key = secret.encode("utf-8")
+    else:
+        # Derive deterministic Fernet key from secret (simple approach)
+        import base64
+        import hashlib
+
+        digest = hashlib.sha256(secret.encode("utf-8")).digest()
+        key = base64.urlsafe_b64encode(digest)
+    return Fernet(key)
+
+
+def encrypt_api_key(plain_key: str) -> str:
+    f = _get_fernet()
+    return f.encrypt(plain_key.encode("utf-8")).decode("utf-8")
+
+
+def decrypt_api_key(cipher_text: str) -> Optional[str]:
+    try:
+        f = _get_fernet()
+        return f.decrypt(cipher_text.encode("utf-8")).decode("utf-8")
+    except (InvalidToken, ValueError):
+        return None