simstudioai
diff --git a/‎apps/sim/app/api/users/me/api-keys/route.ts‎
Lines changed: 12 additions & 6 deletions b/‎apps/sim/app/api/users/me/api-keys/route.ts‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎apps/sim/app/api/workflows/middleware.ts‎
Lines changed: 78 additions & 25 deletions b/‎apps/sim/app/api/workflows/middleware.ts‎
Lines changed: 78 additions & 25 deletions
diff --git a/‎apps/sim/app/api/workspaces/[id]/api-keys/route.ts‎
Lines changed: 14 additions & 6 deletions b/‎apps/sim/app/api/workspaces/[id]/api-keys/route.ts‎
Lines changed: 14 additions & 6 deletions
diff --git a/‎apps/sim/lib/security/api-key-auth.test.ts‎
Lines changed: 101 additions & 0 deletions b/‎apps/sim/lib/security/api-key-auth.test.ts‎
Lines changed: 101 additions & 0 deletions
@@ -3,7 +3,7 @@ import { nanoid } from 'nanoid'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
-import { generateApiKey } from '@/lib/utils'
+import { createApiKey } from '@/lib/security/api-key-auth'
 import { db } from '@/db'
 import { apiKey } from '@/db/schema'
 
@@ -83,27 +83,33 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const keyValue = generateApiKey()
+    // Create new API key with hashing
+    const { key: plainKey, hashedKey } = await createApiKey(true)
 
-    // Insert the new API key
+    // Store the hashed version in the database
     const [newKey] = await db
       .insert(apiKey)
       .values({
         id: nanoid(),
         userId,
         name,
-        key: keyValue,
+        key: hashedKey!, // Store the hashed version
         createdAt: new Date(),
         updatedAt: new Date(),
       })
       .returning({
         id: apiKey.id,
         name: apiKey.name,
-        key: apiKey.key,
         createdAt: apiKey.createdAt,
       })
 
-    return NextResponse.json({ key: newKey })
+    // Return the plain key to the user (they'll never see it again)
+    return NextResponse.json({
+      key: {
+        ...newKey,
+        key: plainKey, // Return the plain text key for user to copy
+      },
+    })
   } catch (error) {
     logger.error('Failed to create API key', { error })
     return NextResponse.json({ error: 'Failed to create API key' }, { status: 500 })
 
@@ -1,6 +1,7 @@
-import { and, eq } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { createLogger } from '@/lib/logs/console/logger'
+import { authenticateApiKey, isHashedKey, migrateKeyToHashed } from '@/lib/security/api-key-auth'
 import { getWorkflowById } from '@/lib/workflows/utils'
 import { db } from '@/db'
 import { apiKey, workspace, workspaceApiKey } from '@/db/schema'
@@ -70,36 +71,50 @@ export async function validateWorkflowAccess(
         // Check both personal API keys and workspace API keys
 
         // First, check personal API keys belonging to the workflow owner
-        const [personalKey] = await db
-          .select({ key: apiKey.key })
+        const personalKeys = await db
+          .select({
+            id: apiKey.id,
+            key: apiKey.key,
+          })
           .from(apiKey)
-          .where(and(eq(apiKey.userId, workflow.userId), eq(apiKey.key, apiKeyHeader)))
-          .limit(1)
+          .where(eq(apiKey.userId, workflow.userId))
+
+        let validPersonalKey = null
+
+        // Check each personal key with authentication function
+        for (const key of personalKeys) {
+          const isValid = await authenticateApiKey(apiKeyHeader, key.key)
+          if (isValid) {
+            validPersonalKey = key
+            break
+          }
+        }
 
         // If not found in personal keys, check workspace API keys
-        let workspaceKey = null
-        if (!personalKey) {
-          const [wsKey] = await db
+        let validWorkspaceKey = null
+        if (!validPersonalKey) {
+          const workspaceKeys = await db
             .select({
+              id: workspaceApiKey.id,
               key: workspaceApiKey.key,
               workspaceId: workspaceApiKey.workspaceId,
-              workspaceOwnerId: workspace.ownerId,
             })
             .from(workspaceApiKey)
             .leftJoin(workspace, eq(workspaceApiKey.workspaceId, workspace.id))
-            .where(
-              and(
-                eq(workspaceApiKey.key, apiKeyHeader),
-                eq(workspace.id, workflow.workspaceId) // Key must belong to the same workspace as the workflow
-              )
-            )
-            .limit(1)
-
-          workspaceKey = wsKey
+            .where(eq(workspace.id, workflow.workspaceId)) // Key must belong to the same workspace as the workflow
+
+          // Check each workspace key with authentication function
+          for (const key of workspaceKeys) {
+            const isValid = await authenticateApiKey(apiKeyHeader, key.key)
+            if (isValid) {
+              validWorkspaceKey = key
+              break
+            }
+          }
         }
 
         // If neither personal nor workspace key is valid, reject
-        if (!personalKey && !workspaceKey) {
+        if (!validPersonalKey && !validWorkspaceKey) {
           return {
             error: {
               message: 'Unauthorized: Invalid API key',
@@ -108,14 +123,52 @@ export async function validateWorkflowAccess(
           }
         }
 
-        // Update last used for the key that was found
-        if (personalKey) {
-          await db.update(apiKey).set({ lastUsed: new Date() }).where(eq(apiKey.key, apiKeyHeader))
-        } else if (workspaceKey) {
+        // Update last used and potentially migrate to hashed format
+        if (validPersonalKey) {
+          const updates: any = { lastUsed: new Date() }
+
+          // If this is a plain text key, migrate it to hashed format
+          if (!isHashedKey(validPersonalKey.key)) {
+            try {
+              const hashedKey = await migrateKeyToHashed(apiKeyHeader)
+              updates.key = hashedKey
+              logger.info('Migrated personal API key to hashed format', {
+                keyId: validPersonalKey.id,
+              })
+            } catch (error) {
+              logger.error('Failed to migrate personal API key to hashed format', {
+                keyId: validPersonalKey.id,
+                error,
+              })
+              // Continue without migration on error
+            }
+          }
+
+          await db.update(apiKey).set(updates).where(eq(apiKey.id, validPersonalKey.id))
+        } else if (validWorkspaceKey) {
+          const updates: any = { lastUsed: new Date() }
+
+          // If this is a plain text key, migrate it to hashed format
+          if (!isHashedKey(validWorkspaceKey.key)) {
+            try {
+              const hashedKey = await migrateKeyToHashed(apiKeyHeader)
+              updates.key = hashedKey
+              logger.info('Migrated workspace API key to hashed format', {
+                keyId: validWorkspaceKey.id,
+              })
+            } catch (error) {
+              logger.error('Failed to migrate workspace API key to hashed format', {
+                keyId: validWorkspaceKey.id,
+                error,
+              })
+              // Continue without migration on error
+            }
+          }
+
           await db
             .update(workspaceApiKey)
-            .set({ lastUsed: new Date() })
-            .where(eq(workspaceApiKey.key, apiKeyHeader))
+            .set(updates)
+            .where(eq(workspaceApiKey.id, validWorkspaceKey.id))
         }
       }
     }
 
@@ -5,7 +5,8 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
 import { getUserEntityPermissions } from '@/lib/permissions/utils'
-import { generateApiKey, generateRequestId } from '@/lib/utils'
+import { createApiKey } from '@/lib/security/api-key-auth'
+import { generateRequestId } from '@/lib/utils'
 import { db } from '@/db'
 import { apiKey, workspace, workspaceApiKey } from '@/db/schema'
 
@@ -129,29 +130,36 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       )
     }
 
-    const keyValue = generateApiKey()
+    // Create new API key with hashing
+    const { key: plainKey, hashedKey } = await createApiKey(true)
 
-    // Insert the new workspace API key
+    // Store the hashed version in the database
     const [newKey] = await db
       .insert(workspaceApiKey)
       .values({
         id: nanoid(),
         workspaceId,
         createdBy: userId,
         name,
-        key: keyValue,
+        key: hashedKey!, // Store the hashed version
         createdAt: new Date(),
         updatedAt: new Date(),
       })
       .returning({
         id: workspaceApiKey.id,
         name: workspaceApiKey.name,
-        key: workspaceApiKey.key,
         createdAt: workspaceApiKey.createdAt,
       })
 
     logger.info(`[${requestId}] Created workspace API key: ${name} in workspace ${workspaceId}`)
-    return NextResponse.json({ key: newKey })
+
+    // Return the plain key to the user (they'll never see it again)
+    return NextResponse.json({
+      key: {
+        ...newKey,
+        key: plainKey, // Return the plain text key for user to copy
+      },
+    })
   } catch (error: any) {
     logger.error(`[${requestId}] Workspace API key POST error`, error)
     return NextResponse.json(
 
@@ -0,0 +1,101 @@
+import { describe, expect, it } from 'vitest'
+import {
+  authenticateApiKey,
+  createApiKey,
+  hashApiKey,
+  isHashedKey,
+  isValidApiKeyFormat,
+  migrateKeyToHashed,
+} from './api-key-auth'
+
+describe('API Key Authentication', () => {
+  it.concurrent('should detect hashed keys correctly', () => {
+    expect(isHashedKey('$2a$12$abcdef')).toBe(true)
+    expect(isHashedKey('$2b$12$abcdef')).toBe(true)
+    expect(isHashedKey('$2y$12$abcdef')).toBe(true)
+    expect(isHashedKey('plain-text-key')).toBe(false)
+    expect(isHashedKey('sk_live_123456')).toBe(false)
+  })
+
+  it.concurrent('should authenticate plain text keys (legacy)', async () => {
+    const plainKey = 'sk_live_test_123456'
+    const storedPlainKey = 'sk_live_test_123456'
+
+    const result = await authenticateApiKey(plainKey, storedPlainKey)
+    expect(result).toBe(true)
+  })
+
+  it.concurrent('should reject invalid plain text keys', async () => {
+    const inputKey = 'sk_live_test_123456'
+    const storedKey = 'sk_live_test_different'
+
+    const result = await authenticateApiKey(inputKey, storedKey)
+    expect(result).toBe(false)
+  })
+
+  it.concurrent('should authenticate hashed keys', async () => {
+    const plainKey = 'sk_live_test_123456'
+    const hashedKey = await hashApiKey(plainKey)
+
+    const result = await authenticateApiKey(plainKey, hashedKey)
+    expect(result).toBe(true)
+  })
+
+  it.concurrent('should reject invalid hashed keys', async () => {
+    const correctKey = 'sk_live_test_123456'
+    const wrongKey = 'sk_live_test_different'
+    const hashedKey = await hashApiKey(correctKey)
+
+    const result = await authenticateApiKey(wrongKey, hashedKey)
+    expect(result).toBe(false)
+  })
+
+  it.concurrent('should create API key with hashing', async () => {
+    const { key, hashedKey } = await createApiKey(true)
+
+    expect(key).toBeDefined()
+    expect(hashedKey).toBeDefined()
+    expect(isHashedKey(hashedKey!)).toBe(true)
+
+    const isValid = await authenticateApiKey(key, hashedKey!)
+    expect(isValid).toBe(true)
+  })
+
+  it.concurrent('should create API key without hashing', async () => {
+    const { key, hashedKey } = await createApiKey(false)
+
+    expect(key).toBeDefined()
+    expect(hashedKey).toBeUndefined()
+  })
+
+  it.concurrent('should migrate plain key to hashed format', async () => {
+    const plainKey = 'sk_live_test_123456'
+    const hashedKey = await migrateKeyToHashed(plainKey)
+
+    expect(isHashedKey(hashedKey)).toBe(true)
+
+    const isValid = await authenticateApiKey(plainKey, hashedKey)
+    expect(isValid).toBe(true)
+  })
+
+  it.concurrent('should validate API key format', () => {
+    expect(isValidApiKeyFormat('sk_live_test_123456')).toBe(true)
+    expect(isValidApiKeyFormat('')).toBe(false)
+    expect(isValidApiKeyFormat('short')).toBe(false)
+    expect(isValidApiKeyFormat('a'.repeat(250))).toBe(false)
+    expect(isValidApiKeyFormat('valid-key-12345')).toBe(true)
+  })
+
+  it.concurrent('should handle backward compatibility - mixed key types', async () => {
+    const plainKey = 'sk_live_test_123456'
+
+    const plainResult = await authenticateApiKey(plainKey, plainKey)
+    expect(plainResult).toBe(true)
+
+    const hashedStoredKey = await hashApiKey(plainKey)
+    const hashedResult = await authenticateApiKey(plainKey, hashedStoredKey)
+    expect(hashedResult).toBe(true)
+
+    expect(plainResult).toBe(hashedResult)
+  })
+})