fix: invalidate auth cache when rotating user API key (#881)

AchoArnold · Copilot · AchoArnold · commit fa7884719bb1 · 2026-05-13T21:45:36.000+03:00
RotateAPIKey now loads the old API key before updating and calls cache.Del(oldKey) after the DB transaction succeeds. This ensures the old key immediately stops authenticating instead of remaining valid for up to 2 hours (the ristretto cache TTL). Follows the surgical approach (Option B) matching how gorm_phone_api_key_repository already handles cache invalidation. Adds an integration test that rotates the key and verifies the old key returns 401 while the new key returns 200. Closes #881 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/api/pkg/repositories/gorm_user_repository.go b/api/pkg/repositories/gorm_user_repository.go
@@ -65,8 +65,13 @@ func (repository *gormUserRepository) RotateAPIKey(ctx context.Context, userID e
 	}
 
 	user := new(entities.User)
+	var oldAPIKey string
 	err = crdbgorm.ExecuteTx(ctx, repository.db, nil,
 		func(tx *gorm.DB) error {
+			if err := tx.WithContext(ctx).Where("id = ?", userID).First(user).Error; err != nil {
+				return err
+			}
+			oldAPIKey = user.APIKey
 			return tx.WithContext(ctx).Model(user).
 				Clauses(clause.Returning{}).
 				Where("id = ?", userID).
@@ -78,6 +83,10 @@ func (repository *gormUserRepository) RotateAPIKey(ctx context.Context, userID e
 		return nil, repository.tracer.WrapErrorSpan(span, stacktrace.PropagateWithCode(err, ErrCodeNotFound, msg))
 	}
 
+	if err == nil && oldAPIKey != "" {
+		repository.cache.Del(oldAPIKey)
+	}
+
 	return user, nil
 }
 
diff --git a/tests/integration_test.go b/tests/integration_test.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 	"strings"
@@ -213,6 +214,87 @@ func TestSendSMS_RateLimit(t *testing.T) {
 	}
 }
 
+func TestRotateAPIKey_InvalidatesCache(t *testing.T) {
+	ctx := context.Background()
+
+	// 1) Confirm the current user API key works
+	url := apiBaseURL + "/v1/users/me"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	require.NoError(t, err)
+	req.Header.Set("x-api-key", userAPIKey)
+
+	resp, err := http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode, "initial auth failed: %s", string(body))
+
+	// Parse user ID from the response
+	var meResp struct {
+		Data struct {
+			ID     string `json:"id"`
+			APIKey string `json:"api_key"`
+		} `json:"data"`
+	}
+	require.NoError(t, json.Unmarshal(body, &meResp))
+	userID := meResp.Data.ID
+	oldAPIKey := meResp.Data.APIKey
+	require.NotEmpty(t, userID)
+	require.NotEmpty(t, oldAPIKey)
+	t.Logf("user ID: %s, old API key prefix: %s...", userID, oldAPIKey[:10])
+
+	// 2) Rotate the API key
+	rotateURL := fmt.Sprintf("%s/v1/users/%s/api-keys", apiBaseURL, userID)
+	req, err = http.NewRequestWithContext(ctx, http.MethodDelete, rotateURL, nil)
+	require.NoError(t, err)
+	req.Header.Set("x-api-key", userAPIKey)
+
+	resp, err = http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	body, err = io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode, "rotate failed: %s", string(body))
+
+	// Parse new API key from rotate response
+	var rotateResp struct {
+		Data struct {
+			APIKey string `json:"api_key"`
+		} `json:"data"`
+	}
+	require.NoError(t, json.Unmarshal(body, &rotateResp))
+	newAPIKey := rotateResp.Data.APIKey
+	require.NotEmpty(t, newAPIKey)
+	require.NotEqual(t, oldAPIKey, newAPIKey, "API key should have changed after rotation")
+	t.Logf("new API key prefix: %s...", newAPIKey[:10])
+
+	// 3) Old API key should immediately fail (401) — this is the bug regression check
+	req, err = http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	require.NoError(t, err)
+	req.Header.Set("x-api-key", oldAPIKey)
+
+	resp, err = http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode, "old API key should return 401 after rotation")
+
+	// 4) New API key should work
+	req, err = http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	require.NoError(t, err)
+	req.Header.Set("x-api-key", newAPIKey)
+
+	resp, err = http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	body, err = io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode, "new API key should work: %s", string(body))
+}
+
 func TestSendSMS_OutstandingFlow(t *testing.T) {
 	ctx := context.Background()
 	phone := setupPhone(ctx, t, 60)
