Add scoped API keys with least-privilege enforcement to src/routes/apiKeys.ts #460

Description

@Baskarayelu

📋 Description

src/routes/apiKeys.ts issues API keys, but keys appear to grant broad access rather than a narrow, declared set of scopes. There is no middleware that checks a request's required scope against the presenting key.

Why this matters: a leaked all-powerful key is a full compromise; a leaked read-only trust:read key is a contained incident. Least-privilege scoping turns key leakage from catastrophe into inconvenience.

🎯 Requirements & Context

  • Define a scope vocabulary (e.g. bond:read, bond:write, attestation:write, trust:read, payouts:write) as a typed enum.
  • Persist scopes with each key (migration via node-pg-migrate); default new keys to least privilege.
  • Add a requireScope(scope) Express middleware and apply it to the relevant routes.
  • Return the project's standard 403 envelope on missing scope; never leak which scope was missing beyond what's safe.
  • Add an endpoint/flow to mint a key with an explicit scope set, with audit-log entries (reuse src/services/audit).

Constraints: Express 4, Postgres, zod, existing RBAC in src/services/rbac. Coordinate with the auth middleware in src/middleware.

🛠️ Suggested Execution

git checkout -b feature/scoped-api-keys
  • Migration + service changes + requireScope middleware + route wiring + audit logging.
  • supertest tests: key with scope passes, without scope gets 403, scope escalation rejected.
  • TSDoc + docs/api-keys.md documenting the scope vocabulary.
npm run test -- apiKeys
npm run migrate:lint
npm run lint && npm run build

Edge cases: revoked key, expired key, key with empty scope set, scope present but route not covered.

Example commit message

feat(auth): scoped API keys with requireScope least-privilege middleware

✅ Acceptance Criteria & Guidelines

| Requirement | Target |
| --- | --- |
| Scope enforcement middleware + route wiring | Required |
| Migration passes migrate:lint / safety | Required |
| Audit-logged key minting | Required |
| Coverage of new code | ≥ 95% |
| docs/api-keys.md | Required |
| Timeframe | 96 hours |

💬 Community & Support

Security design questions → Credence Discord: https://discord.gg/nmnPBkBge. Comment here when you start. 🚀
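
The following is an added example, not code from the Credence repository or from the issue author: one way the requested requireScope(scope) middleware and the scope-escalation check could look. The ApiKeyRecord shape, the req.apiKey property, the FORBIDDEN body and the canMint rule are assumptions; Express's types are replaced by minimal structural stand-ins so the block runs without dependencies.

```typescript
// Added example. Names, shapes and the 403 body are assumptions, not project code.
const SCOPES = ["bond:read", "bond:write", "attestation:write", "trust:read", "payouts:write"] as const;
type Scope = (typeof SCOPES)[number];

// Hypothetical record the auth middleware attaches after looking up the presented key.
interface ApiKeyRecord {
  id: string;
  scopes: readonly Scope[];
  revokedAt: Date | null;
  expiresAt: Date | null;
}

// Minimal structural stand-ins for Express's Request, Response and NextFunction.
interface Req { apiKey?: ApiKeyRecord | undefined }
interface Res { status(code: number): Res; json(body: unknown): Res }
type Next = () => void;

// Placeholder envelope; substitute the project's standard 403 body.
const FORBIDDEN = { error: { code: "forbidden", message: "Insufficient permissions" } };

function keyIsUsable(key: ApiKeyRecord, now: Date): boolean {
  if (key.revokedAt !== null) return false;
  if (key.expiresAt !== null && key.expiresAt.getTime() <= now.getTime()) return false;
  return true;
}

function requireScope(required: Scope, now: () => Date = () => new Date()) {
  return (req: Req, res: Res, next: Next): void => {
    const key = req.apiKey;
    // Fail closed: a missing, revoked, expired or empty-scope key gets the same response.
    if (!key || !keyIsUsable(key, now()) || !key.scopes.includes(required)) {
      res.status(403).json(FORBIDDEN); // the body never names the missing scope
      return;
    }
    next();
  };
}

// Assumed minting rule: a caller may only grant known scopes that it already holds.
function canMint(caller: ApiKeyRecord, requested: readonly string[]): boolean {
  const known = new Set<string>(SCOPES);
  const held = new Set<string>(caller.scopes);
  return requested.every((s) => known.has(s) && held.has(s));
}
```

A route not wrapped in requireScope is not protected by this check, which is the "scope present but route not covered" edge case listed in the issue.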
