docs(readme): fix quickstart demo API key to match server hashing #100
Merged
The plaintext (`recotem-quickstart`, 18 chars) was below `_API_KEY_MIN_LEN = 32`, and the published hash was a plain sha256 instead of the scrypt KDF the server actually uses, so the quickstart `curl /predict/...` always returned `invalid_api_key`. Replace with a 32-char plaintext and the matching `scrypt(N=2, r=8, p=1, salt=b"recotem.api-key.v1")` hex digest.
Summary
The quickstart in `README.md` shipped a demo `X-API-Key` that the server rejects unconditionally, so following the quickstart end-to-end always failed with `{"detail":"Invalid API key","code":"invalid_api_key"}`. This patches the demo plaintext and hash so the example works as written.
Changes Made
- `README.md`: replace `RECOTEM_API_PLAINTEXT="recotem-quickstart"` (18 chars) with `recotem-quickstart-demo-key-0000` (32 chars), meeting `_API_KEY_MIN_LEN = 32` enforced in `src/recotem/serving/auth.py`.
- `README.md`: replace the `RECOTEM_API_KEYS` digest with the correct `scrypt(N=2, r=8, p=1, dklen=32, salt=b"recotem.api-key.v1")` hex of the new plaintext (`21be5c3b…f125`). The previous value was a plain `sha256()` of the old plaintext, which never matches what `recotem.serving.auth._hash_api_key` computes — the `sha256:` token on the wire is a digest-family label, not the algorithm name.
Testing
- `recotem.serving.auth._hash_api_key("recotem-quickstart-demo-key-0000")` and confirmed it equals the new README value byte-for-byte.
- `len("recotem-quickstart-demo-key-0000") == 32`, so the `_API_KEY_MIN_LEN` guard no longer rejects it.
Breaking Changes
None — README-only documentation fix. Operators following the quickstart will set new env values, but no code, schema, or wire format changed.
Additional Notes
- `docs(readme): use demo keys in quickstart to remove keygen step`), which precomputed the hash with the wrong algorithm and a too-short plaintext.
- …`-demo-key-0000`); the existing "DEMO ONLY — for production, generate fresh keys" warning above it is unchanged.
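
An added example, not part of this PR or of Recotem's code: a docs-side check that recomputes the digest with the scrypt parameters quoted in the description and reports why a published plaintext/digest pair would be rejected. The function names, the problem labels and the UTF-8 encoding of the key are assumptions of this example.

```python
import hashlib
import hmac

# Values quoted in the PR description; the names here are this example's own.
MIN_LEN = 32
SALT = b"recotem.api-key.v1"


def scrypt_hex(plaintext: str) -> str:
    """scrypt(N=2, r=8, p=1, dklen=32) hex digest of the key (UTF-8 assumed)."""
    raw = hashlib.scrypt(plaintext.encode("utf-8"), salt=SALT, n=2, r=8, p=1, dklen=32)
    return raw.hex()


def sha256_hex(plaintext: str) -> str:
    """Plain SHA-256 hex digest, the algorithm the old README value used."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def _same(a: str, b: str) -> bool:
    # Constant-time comparison, as one would use for any credential digest.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def audit_demo_pair(plaintext: str, published_hex: str) -> list[str]:
    """Return the reasons a documented (plaintext, digest) pair would fail."""
    problems = []
    if len(plaintext) < MIN_LEN:
        problems.append("too_short")
    published = published_hex.strip().lower()
    if not _same(published, scrypt_hex(plaintext)):
        # Both digests are 64 hex chars, so the mix-up is invisible by eye.
        if _same(published, sha256_hex(plaintext)):
            problems.append("plain_sha256")
        else:
            problems.append("digest_mismatch")
    return problems


if __name__ == "__main__":
    old = "recotem-quickstart"                # plaintext the PR replaces
    new = "recotem-quickstart-demo-key-0000"  # plaintext the PR introduces
    print(audit_demo_pair(old, sha256_hex(old)))
    print(audit_demo_pair(new, scrypt_hex(new)))
```

Run against a README in CI, a check of this shape flags a demo key whose digest was precomputed with the wrong algorithm before the quickstart ships.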