Merge branch 'develop' into feature/rotate-api-key

Author: briskt

apikey.go

@@ -239,7 +239,7 @@ func (k *ApiKey) ReEncryptLegacy(oldKey ApiKey, v *string) error {
 // the updated data back to the database.
 func (k *ApiKey) ReEncryptTables(oldSecret string) error {
 	var users []WebauthnUser
-	err := k.Store.QueryApiKey(envConfig.WebauthnTable, k.Key, &users)
+	err := k.Store.ScanApiKey(envConfig.WebauthnTable, k.Key, &users)
 	if err != nil {
 		return fmt.Errorf("failed to query %s table for key %s: %w", envConfig.WebauthnTable, k.Key, err)
 	}

apikey_test.go

@@ -151,7 +151,7 @@ func (ms *MfaSuite) TestApiKey_EncryptDecryptLegacy() {
 func (ms *MfaSuite) TestApiKeyActivate() {
 	notActive := ApiKey{
 		Key:       "0000000000000000000000000000000000000000",
-		Email:     "email@example.com",
+		Email:     exampleEmail,
 		CreatedAt: 1744788331000,
 	}
 	active := notActive
@@ -216,41 +216,41 @@ func (ms *MfaSuite) TestActivateApiKey() {
 	}{
 		{
 			name: "not previously activated",
-			body: map[string]interface{}{
-				"email":       "email@example.com",
+			body: map[string]any{
+				"email":       exampleEmail,
 				"apiKeyValue": key1.Key,
 			},
 			wantStatus: http.StatusOK,
 		},
 		{
 			name: "already activated",
-			body: map[string]interface{}{
-				"email":       "email@example.com",
+			body: map[string]any{
+				"email":       exampleEmail,
 				"apiKeyValue": key2.Key,
 			},
 			wantStatus: http.StatusBadRequest,
 			wantError:  "failed to activate key: key already activated",
 		},
 		{
 			name: "missing email",
-			body: map[string]interface{}{
+			body: map[string]any{
 				"apiKeyValue": key3.Key,
 			},
 			wantStatus: http.StatusBadRequest,
 			wantError:  "email is required",
 		},
 		{
 			name: "missing apiKey",
-			body: map[string]interface{}{
-				"email": "email@example.com",
+			body: map[string]any{
+				"email": exampleEmail,
 			},
 			wantStatus: http.StatusBadRequest,
 			wantError:  "apiKeyValue is required",
 		},
 		{
 			name: "key not found",
-			body: map[string]interface{}{
-				"email":       "email@example.com",
+			body: map[string]any{
+				"email":       exampleEmail,
 				"apiKeyValue": "not a key",
 			},
 			wantStatus: http.StatusNotFound,
@@ -264,14 +264,14 @@ func (ms *MfaSuite) TestActivateApiKey() {
 			ActivateApiKey(res, req)
 
 			if tt.wantStatus != http.StatusOK {
-				ms.Equal(tt.wantStatus, res.Status, fmt.Sprintf("response: %s", res.Body))
+				ms.Equal(tt.wantStatus, res.Status, fmt.Sprintf("ActivateApiKey response: %s", res.Body))
 				var se simpleError
 				ms.decodeBody(res.Body, &se)
 				ms.Equal(tt.wantError, se.Error)
 				return
 			}
 
-			ms.Equal(http.StatusOK, res.Status, fmt.Sprintf("response: %s", res.Body))
+			ms.Equal(http.StatusOK, res.Status, fmt.Sprintf("ActivateApiKey response: %s", res.Body))
 
 			var response struct {
 				ApiSecret string `json:"apiSecret"`
@@ -297,7 +297,7 @@ func (ms *MfaSuite) TestCreateApiKey() {
 		{
 			name: "success",
 			body: map[string]interface{}{
-				"email": "email@example.com",
+				"email": exampleEmail,
 			},
 			wantStatus: http.StatusNoContent,
 		},
@@ -315,20 +315,20 @@ func (ms *MfaSuite) TestCreateApiKey() {
 			CreateApiKey(res, req)
 
 			if tt.wantError != "" {
-				ms.Equal(tt.wantStatus, res.Status, fmt.Sprintf("response: %s", res.Body))
+				ms.Equal(tt.wantStatus, res.Status, fmt.Sprintf("CreateApiKey response: %s", res.Body))
 				var se simpleError
 				ms.decodeBody(res.Body, &se)
 				ms.Equal(tt.wantError, se.Error)
 				return
 			}
 
-			ms.Equal(tt.wantStatus, res.Status, fmt.Sprintf("response: %s", res.Body))
+			ms.Equal(tt.wantStatus, res.Status, fmt.Sprintf("CreateApiKey response: %s", res.Body))
 		})
 	}
 }
 
 func (ms *MfaSuite) TestNewApiKey() {
-	got, err := NewApiKey("email@example.com")
+	got, err := NewApiKey(exampleEmail)
 	ms.NoError(err)
 	ms.Regexp(regexp.MustCompile("[a-f0-9]{40}"), got)
 }

storage.go

@@ -107,23 +107,22 @@ func (s *Storage) Delete(table, attrName, attrVal string) error {
 	return err
 }
 
-// QueryApiKey a table using apiKey-index
-func (s *Storage) QueryApiKey(table, apiKey string, items any) error {
+// ScanApiKey a table using apiKey-index
+func (s *Storage) ScanApiKey(table, apiKey string, items any) error {
 	if table == "" {
 		return tableNameMissingError
 	}
 
-	input := &dynamodb.QueryInput{
-		IndexName:              aws.String("apiKey-index"),
-		KeyConditionExpression: aws.String("apiKey = :val"),
+	input := &dynamodb.ScanInput{
+		FilterExpression: aws.String("apiKey = :val"),
 		ExpressionAttributeValues: map[string]types.AttributeValue{
 			":val": &types.AttributeValueMemberS{Value: apiKey},
 		},
 		TableName: aws.String(table),
 	}
 
 	ctx := context.Background()
-	result, err := s.client.Query(ctx, input)
+	result, err := s.client.Scan(ctx, input)
 	if err != nil {
 		return err
 	}

storage_test.go

@@ -73,7 +73,7 @@ func (ms *MfaSuite) TestStorage_StoreLoad() {
 	}
 }
 
-func (ms *MfaSuite) TestStorage_QueryApiKey() {
+func (ms *MfaSuite) TestStorageScanApiKey() {
 	cfg, err := config.LoadDefaultConfig(
 		context.Background(),
 		config.WithRegion("local"),
@@ -95,7 +95,7 @@ func (ms *MfaSuite) TestStorage_QueryApiKey() {
 	}))
 
 	var users []WebauthnUser
-	err = s.QueryApiKey(TestTableName, "key1", &users)
+	err = s.ScanApiKey(TestTableName, "key1", &users)
 	ms.NoError(err)
 	ms.Len(users, 1)
 	ms.Equal("user1", users[0].ID)

utils_test.go

@@ -22,6 +22,8 @@ import (
 
 const localAppID = "http://localhost"
 
+const exampleEmail = "email@example.com"
+
 func testAwsConfig() aws.Config {
 	cfg, err := config.LoadDefaultConfig(
 		context.Background(),