fix: hash private API key before lookup to match stored HMAC value (#155)

Private keys are HMAC-hashed with API_KEY_SECRET before storage in
createApiKey(), but authenticateWithPrivateKey() was comparing the raw
key against the hashed DB value, causing all private key auth to fail.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: seemayr

apps/api/src/lib/auth-validation.ts

@@ -3,7 +3,9 @@ import {
 	type ApiKeyWithWebsiteAndOrganization,
 	getApiKeyByKey,
 } from "@api/db/queries/api-keys";
+import { env } from "@api/env";
 import {
+	hashApiKey,
 	isValidPublicApiKeyFormat,
 	isValidSecretApiKeyFormat,
 } from "@api/utils/api-keys";
@@ -313,7 +315,9 @@ export async function authenticateWithPrivateKey(
 		throw new AuthValidationError(401, "Invalid private API key format");
 	}
 
-	return await getApiKeyFromRedis(privateKey, db);
+	// Private keys are HMAC-hashed before storage, so hash before lookup
+	const hashedKey = hashApiKey(privateKey, env.API_KEY_SECRET);
+	return await getApiKeyFromRedis(hashedKey, db);
 }
 
 /**