fix(auth): address crew review findings for #28

Security and correctness fixes for the keys/bootstrap implementation:

- bootstrap: invert check order (admin count first, file warning second) so
  server can restart after first-run without manual file deletion
- bootstrap/admin-recover: use O_EXCL flag (wx) on key file writes to prevent
  symlink TOCTOU attacks and parallel-start race
- bootstrap: ensure APP_DIR exists before createKey() so FS failure doesn't
  orphan a DB row silently; surface error with recovery instructions
- admin-recover: add --force guard against accidental duplicate admin keys,
  refuse to overwrite existing key file, apply TTY gate on plaintext output
- admin-recover: use path.join instead of template literal for portability
- keys: extract validateAllowedModels/resolveRateLimit helpers to reduce
  complexity below ESLint limit
- keys: validate allowedModels entries against model-name regex (SSRF prevention)
- keys: reject non-integer and negative rateLimitOverride with explicit error
- keys: revokeKey returns boolean; idempotent (AND revoked_at IS NULL guard)
- keys: setDebugEnabled returns boolean
- keys: listKeys uses stable ORDER BY created_at, id
- keys: generateKey uses 33 bytes (264 bits) to eliminate zero-padding on last char
- keys: document unsalted SHA-256 rationale in hashKey comment
- migration: remove redundant CREATE INDEX (UNIQUE already creates one);
  add json_valid CHECK on allowed_models column
- tests: fix migration path to use import.meta.dir (not process.cwd())
- tests: add 15 new tests covering edge cases from review

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: HXYerror

src/cli/admin-recover.ts

@@ -1,20 +1,28 @@
 import { defineCommand } from "citty"
 import consola from "consola"
 import fs from "node:fs"
+import path from "node:path"
 
 import { initDb } from "~/lib/db"
 import { PATHS } from "~/lib/paths"
-import { createKey } from "~/services/keys"
+import { countActiveAdminKeys, createKey } from "~/services/keys"
 
-const ADMIN_KEY_FILE_RECOVER = `${PATHS.APP_DIR}/admin.key.txt`
+const ADMIN_KEY_FILE_RECOVER = path.join(PATHS.APP_DIR, "admin.key.txt")
 
 export const adminRecover = defineCommand({
   meta: {
     name: "recover",
     description:
       "Mint a new admin key (requires local data-dir access as proof of operator identity)",
   },
-  run() {
+  args: {
+    force: {
+      type: "boolean",
+      description: "Create a new admin key even if active admin keys exist",
+      default: false,
+    },
+  },
+  run({ args }) {
     // Proof of operator identity: must be able to stat the data directory
     try {
       fs.statSync(PATHS.APP_DIR)
@@ -28,11 +36,49 @@ export const adminRecover = defineCommand({
     // Init DB (runs migrations) — needed if invoked independently
     initDb()
 
+    // Guard: warn if active admin keys already exist unless --force is set
+    const existing = countActiveAdminKeys()
+    if (existing > 0 && !args.force) {
+      consola.warn(
+        `${existing} active admin key(s) already exist. Pass --force to create a new one anyway.`,
+      )
+      process.exit(1)
+    }
+
+    // Guard: refuse to overwrite an unread key file
+    if (fs.existsSync(ADMIN_KEY_FILE_RECOVER)) {
+      consola.error(
+        `${ADMIN_KEY_FILE_RECOVER} already exists. Read and delete it first:\n`
+          + `  cat ${ADMIN_KEY_FILE_RECOVER} && rm ${ADMIN_KEY_FILE_RECOVER}`,
+      )
+      process.exit(1)
+    }
+
     const { plain } = createKey({ tier: "admin", label: "recovery-admin" })
 
-    // Write to file and print
-    fs.writeFileSync(ADMIN_KEY_FILE_RECOVER, plain + "\n", { mode: 0o600 })
-    consola.success(`Recovery admin key generated: ${plain}`)
+    // O_EXCL prevents symlink attacks and clobber on race
+    try {
+      fs.writeFileSync(ADMIN_KEY_FILE_RECOVER, plain + "\n", {
+        mode: 0o600,
+        flag: "wx",
+      })
+    } catch (err) {
+      consola.error(`Failed to write recovery key file: ${String(err)}`)
+      process.exit(1)
+    }
+
+    // Mirror bootstrap.ts: full key on TTY only — avoid log capture on non-TTY
+    if (process.stdout.isTTY) {
+      consola.success(`Recovery admin key generated: ${plain}`)
+    } else {
+      consola.info(
+        `Recovery admin key written to ${ADMIN_KEY_FILE_RECOVER}. Read and delete the file.`,
+      )
+    }
     consola.info(`Also written to ${ADMIN_KEY_FILE_RECOVER}`)
   },
 })
+
+// Re-export the canonical file path so callers don't duplicate the join
+
+export { ADMIN_KEY_FILE } from "~/lib/bootstrap"

src/lib/bootstrap.ts

@@ -2,12 +2,12 @@ import consola from "consola"
 import fs from "node:fs"
 import path from "node:path"
 
-import { countActiveAdminKeys, createKey, hashKey } from "~/services/keys"
+import { countActiveAdminKeys, createKey } from "~/services/keys"
 
 import { getConfig } from "./config-store"
 import { PATHS } from "./paths"
 
-const ADMIN_KEY_FILE = path.join(PATHS.APP_DIR, "admin.key.txt")
+export const ADMIN_KEY_FILE = path.join(PATHS.APP_DIR, "admin.key.txt")
 
 /**
  * Returns true if the admin bootstrap file exists (operator hasn't read it yet).
@@ -19,40 +19,64 @@ export function bootstrapFilePending(): boolean {
 /**
  * Run bootstrap: if auth is enabled and no admin keys exist, generate one.
  * Called during startup AFTER initDb() and BEFORE HTTP listener binds.
+ *
+ * Logic:
+ * 1. If auth is disabled → no-op.
+ * 2. If admin keys already exist in DB → warn if file still present, return.
+ * 3. Otherwise → create first admin key and write to ADMIN_KEY_FILE.
  */
 export function runBootstrap(): void {
   const { features } = getConfig()
   if (!features.auth) return // auth off — no bootstrap needed
 
-  if (bootstrapFilePending()) {
-    // Bootstrap file still exists — operator must read and delete it first
-    consola.error(
-      `Startup blocked: admin bootstrap file exists at ${ADMIN_KEY_FILE}.\n`
-        + `Please read your admin key and delete this file before restarting:\n`
-        + `  cat ${ADMIN_KEY_FILE} && rm ${ADMIN_KEY_FILE}`,
-    )
-    process.exit(1)
+  const adminCount = countActiveAdminKeys()
+
+  if (adminCount > 0) {
+    // Already bootstrapped. Remind operator to delete the key file if it lingers.
+    if (bootstrapFilePending()) {
+      consola.warn(
+        `Admin key file still present at ${ADMIN_KEY_FILE}. Delete it after reading:\n`
+          + `  rm ${ADMIN_KEY_FILE}`,
+      )
+    }
+    return
   }
 
-  const adminCount = countActiveAdminKeys()
-  if (adminCount > 0) return // admin keys exist — no bootstrap needed
+  // No active admin keys — generate the first one.
+  // Ensure APP_DIR exists before writing key file.
+  fs.mkdirSync(PATHS.APP_DIR, { recursive: true, mode: 0o700 })
 
-  // Generate first admin key
   const { plain } = createKey({ tier: "admin", label: "bootstrap-admin" })
-  const sha256prefix = hashKey(plain).slice(0, 8)
 
-  // Write plaintext to file with mode 0600
-  fs.mkdirSync(PATHS.APP_DIR, { recursive: true, mode: 0o700 })
-  fs.writeFileSync(ADMIN_KEY_FILE, plain + "\n", { mode: 0o600 })
+  // Write plaintext key with O_EXCL to prevent symlink/TOCTOU attacks.
+  // If the file somehow already exists (race between two server starts),
+  // the write fails — the first writer wins and the second exits cleanly.
+  try {
+    fs.writeFileSync(ADMIN_KEY_FILE, plain + "\n", { mode: 0o600, flag: "wx" })
+  } catch (err) {
+    const code = (err as NodeJS.ErrnoException).code
+    if (code === "EEXIST") {
+      // Another instance won the race — its key is valid.
+      consola.warn(
+        `Bootstrap key file already exists at ${ADMIN_KEY_FILE} (parallel start?). Using existing file.`,
+      )
+      return
+    }
+    // Unexpected write failure: key is in DB but not on disk.
+    // Surface the error so the operator can run `admin recover`.
+    consola.error(
+      `Admin key created in DB but file write failed. Run 'copilot-api admin recover' to retrieve it. Error: ${String(err)}`,
+    )
+    throw err
+  }
 
-  // Output to stdout: full key only on TTY, path+hash on non-TTY (Docker/journald)
-  const isTty = process.stdout.isTTY
-  if (isTty) {
+  // Output: full key on TTY; path-only on non-TTY (Docker/journald — avoid log capture)
+  if (process.stdout.isTTY) {
     consola.success(`Admin key generated: ${plain}`)
     consola.info(`Also written to ${ADMIN_KEY_FILE} (delete after reading)`)
   } else {
     consola.info(
-      `Admin key written to ${ADMIN_KEY_FILE} (sha256:${sha256prefix}…). Read & delete this file.`,
+      `Admin key written to ${ADMIN_KEY_FILE}. Read it and delete the file before restarting.`,
     )
   }
 }

src/lib/migrations/002_keys.sql

@@ -3,10 +3,10 @@ CREATE TABLE IF NOT EXISTS keys (
   hash TEXT UNIQUE NOT NULL,
   tier TEXT NOT NULL CHECK(tier IN ('admin','client')),
   label TEXT,
-  allowed_models TEXT NOT NULL DEFAULT '["*"]',
+  allowed_models TEXT NOT NULL DEFAULT '["*"]' CHECK(json_valid(allowed_models)),
   rate_limit_override INTEGER,
   debug_enabled INTEGER NOT NULL DEFAULT 0,
   created_at INTEGER NOT NULL,
   revoked_at INTEGER
 );
-CREATE INDEX IF NOT EXISTS idx_keys_hash ON keys(hash);
+-- Note: UNIQUE on hash automatically creates an index; no explicit CREATE INDEX needed.

src/services/keys.ts

@@ -2,7 +2,7 @@ import crypto from "node:crypto"
 
 import { getDb } from "~/lib/db"
 
-// Row type from DB
+// Row type from DB (full — includes hash for internal auth use)
 export interface KeyRow {
   id: string
   hash: string
@@ -18,13 +18,17 @@ export interface KeyRow {
 // Base32 alphabet (RFC 4648, no padding)
 const BASE32_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
 
+// Regex that mirrors the upstream model-name validation in config-store (SSRF prevention)
+const MODEL_RE = /^\w[\w.:-]*$/
+
 /**
  * Generate a new API key: "sk-cap-" + 52 base32 chars = 59 chars total.
- * Uses 32 random bytes = 256 bits entropy.
+ * Uses 33 random bytes = 264 bits of entropy; 264 / 5 = 52 full 5-bit groups
+ * (260 bits encoded) with 4 bits remaining — no zero-padding required.
  */
 export function generateKey(): string {
-  const bytes = crypto.randomBytes(32)
-  // Encode to base32: each 5 bits → one char; 32 bytes = 256 bits = 51.2 → pad to 52 chars
+  const bytes = crypto.randomBytes(33)
+  // Encode to base32: each 5 bits → one char; 33 bytes = 264 bits → exactly 52 chars
   let result = ""
   let buffer = 0
   let bitsLeft = 0
@@ -36,51 +40,81 @@ export function generateKey(): string {
       result += BASE32_CHARS[(buffer >> bitsLeft) & 0x1f]
     }
   }
-  // Pad to exactly 52 chars if needed
-  while (result.length < 52) {
-    result += BASE32_CHARS[0]
-  }
+  // 33 bytes yields exactly 52 chars; the slice+guard is belt-and-suspenders
   return `sk-cap-${result.slice(0, 52)}`
 }
 
 /**
- * Hash a plain key to sha256 hex for storage.
+ * Hash a plain key to SHA-256 hex for storage.
+ *
+ * Unsalted SHA-256 is intentional: API keys have ≥260 bits of random entropy
+ * so dictionary attacks and rainbow tables are meaningless.
+ * Do NOT use this function for user-chosen secrets (passwords, PINs, etc.).
+ *
  * The plain key value must NEVER be written to the DB.
  */
 export function hashKey(plain: string): string {
   return crypto.createHash("sha256").update(plain).digest("hex")
 }
 
+/** Validate allowedModels: non-empty array of valid model identifiers or "*" */
+function validateAllowedModels(models: Array<string> | undefined): void {
+  if (models === undefined) return
+  if (models.length === 0) {
+    throw new Error(
+      'allowedModels must not be empty; use ["*"] for unrestricted access',
+    )
+  }
+  for (const m of models) {
+    if (m !== "*" && !MODEL_RE.test(m)) {
+      throw new Error(
+        `Invalid model name in allowedModels: "${m}". Must match /^\\w[\\w.:-]*$/ or be "*"`,
+      )
+    }
+  }
+}
+
+/**
+ * Compute the rate-limit integer to store: null means "inherit global".
+ * Positive values are capped at 10× globalDefault.
+ */
+function resolveRateLimit(
+  override: number | undefined,
+  globalDefault: number,
+): number | null {
+  if (override === undefined || override === 0) return null
+  if (!Number.isInteger(override) || override < 0) {
+    throw new Error("rateLimitOverride must be a non-negative integer")
+  }
+  const cap = globalDefault * 10
+  if (override > cap) {
+    throw new Error(
+      `rate_limit_override ${override} exceeds cap ${cap} (10× global default ${globalDefault})`,
+    )
+  }
+  return override
+}
+
 export function createKey(options: {
   tier: "admin" | "client"
   label?: string
   allowedModels?: Array<string>
   rateLimitOverride?: number
   debugEnabled?: boolean
-  globalRateLimit?: number // for cap enforcement
+  globalRateLimit?: number // for cap enforcement; defaults to 60 if not provided
 }): { plain: string; row: KeyRow } {
+  validateAllowedModels(options.allowedModels)
+
   const db = getDb()
   const plain = generateKey()
   const hash = hashKey(plain)
   const id = crypto.randomUUID()
   const now = Date.now()
 
-  // Rate limit override safety: 0/negative = use default (null).
-  // Hard cap at 10× global default; reject above cap.
-  let rateLimit: number | null = null
-  if (
-    options.rateLimitOverride !== undefined
-    && options.rateLimitOverride > 0
-  ) {
-    const globalDefault = options.globalRateLimit ?? 60
-    const cap = globalDefault * 10
-    if (options.rateLimitOverride > cap) {
-      throw new Error(
-        `rate_limit_override ${options.rateLimitOverride} exceeds cap ${cap} (10× global default ${globalDefault})`,
-      )
-    }
-    rateLimit = options.rateLimitOverride
-  }
+  const rateLimit = resolveRateLimit(
+    options.rateLimitOverride,
+    options.globalRateLimit ?? 60,
+  )
 
   const allowedModels = JSON.stringify(options.allowedModels ?? ["*"])
 
@@ -114,13 +148,23 @@ export function createKey(options: {
   return { plain, row }
 }
 
-export function revokeKey(id: string): void {
-  getDb().run(`UPDATE keys SET revoked_at = ? WHERE id = ?`, [Date.now(), id])
+/**
+ * Revoke a key by ID.
+ * Idempotent: only sets revoked_at if the key is currently active.
+ * Returns true if the key was revoked, false if not found or already revoked.
+ * Callers are responsible for verifying the tier before calling (no tier guard here).
+ */
+export function revokeKey(id: string): boolean {
+  const result = getDb().run(
+    `UPDATE keys SET revoked_at = ? WHERE id = ? AND revoked_at IS NULL`,
+    [Date.now(), id],
+  )
+  return result.changes === 1
 }
 
 export function listKeys(): Array<KeyRow> {
   return getDb()
-    .query<KeyRow, []>("SELECT * FROM keys ORDER BY created_at")
+    .query<KeyRow, []>("SELECT * FROM keys ORDER BY created_at, id")
     .all()
 }
 
@@ -142,9 +186,14 @@ export function countActiveAdminKeys(): number {
   return row?.n ?? 0
 }
 
-export function setDebugEnabled(id: string, enabled: boolean): void {
-  getDb().run(`UPDATE keys SET debug_enabled = ? WHERE id = ?`, [
+/**
+ * Toggle the debug flag on a key.
+ * Returns true if the key was found and updated, false otherwise.
+ */
+export function setDebugEnabled(id: string, enabled: boolean): boolean {
+  const result = getDb().run(`UPDATE keys SET debug_enabled = ? WHERE id = ?`, [
     enabled ? 1 : 0,
     id,
   ])
+  return result.changes === 1
 }