security: HMAC-SHA256 pepper for API keys, sha256 for memcached keys; ci: mypy_path for cli

igorbenav · igorbenav · commit d4bb10392bde · 2026-05-10T04:57:54.000-03:00
diff --git a/backend/src/infrastructure/auth/session/backends/memcached.py b/backend/src/infrastructure/auth/session/backends/memcached.py
@@ -63,7 +63,7 @@ def _encode_key(self, key: str) -> bytes:
             The encoded key as bytes
         """
         if len(key) > 240:
-            key_hash = hashlib.md5(key.encode()).hexdigest()
+            key_hash = hashlib.sha256(key.encode()).hexdigest()[:32]
             key = f"{key[:200]}:{key_hash}"
         return key.encode("utf-8")
 
diff --git a/backend/src/modules/api_keys/service.py b/backend/src/modules/api_keys/service.py
@@ -1,13 +1,15 @@
 """API key management service for developer-facing products."""
 
 import hashlib
+import hmac
 import secrets
 from datetime import UTC, datetime, timedelta
 from typing import Any
 
 from fastcrud.types import GetMultiResponseDict
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from ...infrastructure.config.settings import get_settings
 from ...infrastructure.logging import get_logger
 from ..common.exceptions import PermissionDeniedError, ResourceNotFoundError
 from .crud import crud_api_keys, crud_key_permissions, crud_key_usage
@@ -31,6 +33,7 @@
 )
 
 logger = get_logger()
+settings = get_settings()
 
 
 class APIKeyService:
@@ -54,13 +57,22 @@ def _generate_api_key(self) -> tuple[str, str, str]:
         raw_key = secrets.token_urlsafe(self.key_length)
         prefix = raw_key[: self.key_prefix_length]
         api_key = f"fai_{prefix}_{raw_key[self.key_prefix_length :]}"
-        key_hash = hashlib.sha256(api_key.encode()).hexdigest()
+        key_hash = self._hash_api_key(api_key)
 
         return api_key, prefix, key_hash
 
     def _hash_api_key(self, api_key: str) -> str:
-        """Hash an API key for storage or comparison."""
-        return hashlib.sha256(api_key.encode()).hexdigest()
+        """Hash an API key for storage or comparison.
+
+        HMAC-SHA256 with SECRET_KEY as the pepper. Deterministic so DB lookup
+        by `key_hash` stays O(1); the server-side secret means a stolen
+        `key_hash` column alone cannot be used to forge or verify keys offline.
+        """
+        return hmac.new(
+            settings.SECRET_KEY.encode("utf-8"),
+            api_key.encode("utf-8"),
+            hashlib.sha256,
+        ).hexdigest()
 
     async def create_api_key(
         self,
diff --git a/backend/tests/unit/infrastructure/auth/session/backends/test_memcached.py b/backend/tests/unit/infrastructure/auth/session/backends/test_memcached.py
@@ -41,7 +41,7 @@ def memcached_storage(mock_memcached):
 def encode_key(key):
     """Helper function to encode a key the same way the storage class does."""
     if len(key) > 240:
-        key_hash = hashlib.md5(key.encode()).hexdigest()
+        key_hash = hashlib.sha256(key.encode()).hexdigest()[:32]
         key = f"{key[:200]}:{key_hash}"
     return key.encode("utf-8")
 
diff --git a/cli/pyproject.toml b/cli/pyproject.toml
@@ -44,6 +44,7 @@ known-first-party = ["cli"]
 
 [tool.mypy]
 python_version = "3.11"
+mypy_path = "src"
 warn_return_any = true
 warn_unused_configs = true
 warn_unused_ignores = true
