[Rescue] [BUG] [v0.0.7] AuthService::hash_api_key uses non-cryptographic hashing

[hinzwilliam52-ship-it]

Correction for automated rescue. Surgical patch applied to preserve codebase integrity.

Summary by CodeRabbit

• New Features
  • Added API key hashing functionality using industry-standard encryption to enhance authentication security and protect sensitive credentials.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new public function hash_api_key was introduced in the validation module to compute SHA-256 hashes of API keys. The sha2 dependency was added to support cryptographic hashing operations.

Changes

Cohort / File(s)	Summary
API Key Hashing Utility src/validation.rs	Added hash_api_key() public function with SHA-256 cryptographic dependency to compute and return hexadecimal hash digests of API keys.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A key needs a mask, a secret disguise,
SHA-256 hashes beneath moonlit skies,
With SHA2's embrace, no API reveals,
Security deepens with cryptographic seals! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically identifies the main change: replacing non-cryptographic hashing with SHA-256 in the hash_api_key function. It is directly related to the code changes in the PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/validation.rs`:
- Around line 129-133: The new function hash_api_key currently accepts raw input
without validation; change its API to validate empty or whitespace-only keys by
returning a Result (e.g., Result<String, ValidationError>) rather than a plain
String, check if api_key.trim().is_empty() and return an appropriate Err when
invalid, otherwise compute and return the SHA256 hex string; update any callers
of hash_api_key to handle the Result and propagate or map the validation error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 79cac6b1-f105-4b7d-98a8-629c433e045e

📥 Commits

Reviewing files that changed from the base of the PR and between a128d12 and ed9c78d.

📒 Files selected for processing (1)

• src/validation.rs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: locate definition/call-sites and detect empty-input usage
rg -nP --type rust -C2 '\bhash_api_key\s*\('
rg -nP --type rust -C2 '\bhash_api_key\s*\(\s*(""|&?\s*String::new\s*\(\s*\))\s*\)'

Repository: PlatformNetwork/bounty-challenge

Length of output: 336

---

🏁 Script executed:

# Search for all occurrences of hash_api_key in the codebase
rg -n 'hash_api_key' --type rust -C 3

Repository: PlatformNetwork/bounty-challenge

Length of output: 420

---

🏁 Script executed:

# Also check if there are any tests for this function
fd --type rust | xargs grep -l 'hash_api_key' | head -20

Repository: PlatformNetwork/bounty-challenge

Length of output: 247

---

🏁 Script executed:

# Search for all references to hash_api_key including in comments
rg 'hash_api_key' -C 5 --type-list | head -20

Repository: PlatformNetwork/bounty-challenge

Length of output: 465

---

🏁 Script executed:

# Try with broader pattern to catch function calls
rg 'hash_api_key\s*\(' --type-list | head -20

Repository: PlatformNetwork/bounty-challenge

Length of output: 465

---

🏁 Script executed:

# Let me look at the entire validation.rs file to understand context
wc -l src/validation.rs

Repository: PlatformNetwork/bounty-challenge

Length of output: 97

---

🏁 Script executed:

# Get file size first to decide how to read it
stat src/validation.rs

Repository: PlatformNetwork/bounty-challenge

Length of output: 120

---

🏁 Script executed:

# Read the entire validation.rs file with line numbers
cat -n src/validation.rs

Repository: PlatformNetwork/bounty-challenge

Length of output: 5501

---

🏁 Script executed:

# Search entire codebase for hash_api_key calls (all files, not just rust)
rg 'hash_api_key' --no-heading -C 3

Repository: PlatformNetwork/bounty-challenge

Length of output: 392

---

🏁 Script executed:

# Also check if there are other source files that might import and use it
find . -type f \( -name "*.rs" -o -name "*.toml" -o -name "*.md" \) | head -30

Repository: PlatformNetwork/bounty-challenge

Length of output: 883

---

🏁 Script executed:

# Check if hash_api_key is mentioned in any documentation or API reference
rg 'hash_api_key|api.*key|API.*key' docs/ --type md -C 2

Repository: PlatformNetwork/bounty-challenge

Length of output: 358

---

🏁 Script executed:

# Check src/api/handlers.rs for authentication/API key usage
cat src/api/handlers.rs | head -80

Repository: PlatformNetwork/bounty-challenge

Length of output: 2376

---

🏁 Script executed:

# Check src/lib.rs to see what's exported publicly
cat src/lib.rs

Repository: PlatformNetwork/bounty-challenge

Length of output: 9251

---

Apply input validation to the new hash_api_key function for code quality.

The function added at line 129 accepts user input without validation. Per coding guidelines, all user inputs must be validated before use. While the function is not currently called in the codebase, add a validation check for empty/whitespace API keys if this function is used in production paths:

Suggested improvement

-use sha2::{Sha256, Digest};
-pub fn hash_api_key(api_key: &str) -> String {
+use sha2::{Digest, Sha256};
+
+pub fn hash_api_key(api_key: &str) -> Result<String, String> {
+    if api_key.trim().is_empty() {
+        return Err(String::from("API key cannot be empty"));
+    }
     let mut hasher = Sha256::new();
     hasher.update(api_key.as_bytes());
-    format!("{:x}", hasher.finalize())
+    Ok(format!("{:x}", hasher.finalize()))
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/validation.rs` around lines 129 - 133, The new function hash_api_key
currently accepts raw input without validation; change its API to validate empty
or whitespace-only keys by returning a Result (e.g., Result<String,
ValidationError>) rather than a plain String, check if api_key.trim().is_empty()
and return an appropriate Err when invalid, otherwise compute and return the
SHA256 hex string; update any callers of hash_api_key to handle the Result and
propagate or map the validation error.