From 4662be444172674eb03abcda157c628e94c86b93 Mon Sep 17 00:00:00 2001
From: "Dwi Fahni Denni (dfdenni)"
Date: Mon, 25 May 2026 23:38:01 +0700
Subject: [PATCH] Potential fix for code scanning alert no. 14: Use of password hash with insufficient computational effort
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 backend/src/modules/api-keys/domain/aggregates/ApiKey.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/backend/src/modules/api-keys/domain/aggregates/ApiKey.ts b/backend/src/modules/api-keys/domain/aggregates/ApiKey.ts
index e2e6c8d..d4d6f86 100644
--- a/backend/src/modules/api-keys/domain/aggregates/ApiKey.ts
+++ b/backend/src/modules/api-keys/domain/aggregates/ApiKey.ts
@@ -268,7 +268,9 @@ export class ApiKey extends AggregateRoot {
 const rawKeySecret = ApiKey.generateApiKeySecret();
 const rawEncryptionKey = ApiKey.generateEncryptKey();
 const keyHint = rawKeySecret.slice(-4);
- const apiKeySecret = crypto.createHash('sha256').update(rawKeySecret).digest('hex');
+ const salt = crypto.randomBytes(16).toString('hex');
+ const derivedKey = crypto.scryptSync(rawKeySecret, salt, 64).toString('hex');
+ const apiKeySecret = `${salt}:${derivedKey}`;
 this.props.apiKeySecret = apiKeySecret;
 this.props.keyHint = keyHint;