Add API key management and webhook infrastructure with Express + PostgreSQL

[Copilot]

Implements API key authentication and outbound webhook delivery system integrated with existing Zod config and telemetry infrastructure.

Database Schema

Three tables with proper indexes and triggers:

• api_keys: Argon2id-hashed secrets, scopes array, prefix-based tokens
• webhooks: Event subscriptions with HMAC secrets
• webhook_deliveries: Delivery tracking with retry metadata

Migration: migrations/001_initial_schema.sql

API Key Service

• Generation: prefix_<64-char-hex> format, Argon2id hashing (64MB, t=3, p=4)
• Verification: Constant-time HMAC, prefix-indexed lookup, scope enforcement
• Endpoints: POST (create, idempotent), GET (list), DELETE (revoke, idempotent)

// Authentication middleware with scope enforcement
app.get('/protected', authenticate({ requiredScopes: ['read'] }), handler);

Webhook Service

• Signing: HMAC SHA-256 in X-Signature: sha256=<hash> header
• Delivery: Exponential backoff (configurable base/max attempts/timeout)
• Endpoints: POST (register), GET (list), DELETE, POST /test, POST /:id/replay

// Webhook payload verification
function verifyWebhook(payload: string, signature: string, secret: string): boolean {
  return verifyWebhookSignature(payload, signature, secret);
}

Configuration

Extended Zod schema:

• DATABASE_URL: PostgreSQL connection (optional, warns if missing)
• API_KEY_PREFIX/PEPPER: Token customization
• WEBHOOK_MAX_ATTEMPTS/BACKOFF_BASE_MS/TIMEOUT_MS: Retry configuration

Production Notes

• Idempotency store: In-memory Map, needs Redis/DB backend for multi-instance
• API key creation: Unauthenticated endpoint, requires stricter rate limiting
• Webhook secrets: Plaintext storage (required for signing), consider encryption at rest
• Concurrent deliveries: No limits, recommend queue-based system
• Timing attacks: Sequential key verification documented

Security

• Helmet middleware, rate limiting (100/15min), Bearer token auth
• Query logging sanitized (no parameter exposure)
• CodeQL clean scan

Original prompt

Implement API key management and outbound webhook infrastructure in lippytm/Transparency-Logic-Time-Machine-Bots- using Express + Postgres, integrating with existing TypeScript setup (config via Zod, telemetry logger). Scope:

• Add Express HTTP server bootstrap with health check and middleware (JSON body parsing, helmet, basic rate limiting for auth endpoints).
• Database: Postgres client config (env DATABASE_URL). Add migration/sql defining tables: api_keys (UUID pk, name, owner, scopes[], hashed_secret, prefix, last_used_at, created_at, revoked_at), webhooks (UUID pk, owner, url, events[], secret, active, created_at, updated_at), webhook_deliveries (UUID pk, webhook_id fk, event_type, status, attempts, response_code, response_ms, payload_digest, created_at, last_attempt_at).
• Config: extend Zod env schema for DB and feature settings (API_KEY_PREFIX optional, API_KEY_PEPPER optional, WEBHOOK_MAX_ATTEMPTS, WEBHOOK_BACKOFF_BASE_MS, WEBHOOK_TIMEOUT_MS). Update .env.example and README docs for new vars and usage.
• API keys: service to issue/revoke/verify keys (argon2 hashed at rest, prefix/fingerprint logging only). Middleware to authenticate Bearer token and enforce scopes. Endpoints: POST /api/keys (create; returns full token once), GET /api/keys (list with scopes, last_used), DELETE /api/keys/:id (revoke). Support Idempotency-Key on POST/DELETE; audit log via logger.
• Webhooks: registration/list/delete endpoints: POST /api/webhooks (url, events[], secret, active), GET /api/webhooks, DELETE /api/webhooks/:id, POST /api/webhooks/test (sends delivery.test), POST /api/webhooks/:id/replay?delivery_id=... (replay failed). Delivery signer using HMAC SHA-256; headers: X-Signature: sha256=, X-Timestamp, X-Event-Id, X-Event-Type.
• Delivery worker/service: in-process queue with exponential backoff and max attempts; records deliveries in webhook_deliveries, dead-letters failures, supports replay. Respect WEBHOOK_TIMEOUT_MS per request.
• Types: event payload typings (e.g., resource.changed, delivery.test). Use UUIDs (or nanoid) for ids.
• Logging/telemetry: use existing logger/telemetry integration where relevant (issuance, revocation, deliveries, failures).
• Docs: README section documenting endpoints, headers, response shapes, env vars, and simple curl examples.
• Package updates: add dependencies (express, pg, zod for routes, helmet, rate-limiter, argon2, uuid/nanoid, body-parser if needed) and scripts to run server/migrations if applicable.

Target branch: master. Deliver a working server and schema with tests/smoke where feasible, aligned to the repo’s TypeScript tooling (eslint/prettier).

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[lippytm]

I hope its okay I don’t know what to do! I need someone to fix these issues

[Copilot]

Pull request overview

This PR implements a comprehensive API key management and webhook delivery system integrated with the existing TypeScript infrastructure. The implementation adds Express HTTP server capabilities, PostgreSQL database integration, and security features including Argon2id password hashing and HMAC webhook signatures.

Changes:

• Added database schema with three tables (api_keys, webhooks, webhook_deliveries) including indexes and triggers
• Implemented API key service with secure generation, verification, and scope-based authorization
• Implemented webhook service with HMAC signature verification and retry logic with exponential backoff
• Added Express server with security middleware (Helmet, rate limiting) and authentication middleware
• Extended Zod configuration schema for database, API key, and webhook settings

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 30 comments.

Show a summary per file

File	Description
migrations/001_initial_schema.sql	PostgreSQL schema defining api_keys, webhooks, and webhook_deliveries tables with indexes and triggers
src/database/index.ts	Database connection pooling and query execution with logging
src/config/index.ts	Extended configuration schema for database, API key, and webhook settings
src/services/api-key.service.ts	API key generation, verification with Argon2id hashing, and scope management
src/services/webhook.service.ts	Webhook HMAC signing, delivery with retry logic, and event triggering
src/middleware/auth.middleware.ts	Bearer token authentication with scope enforcement
src/routes/api-keys.routes.ts	REST endpoints for API key creation, listing, and revocation with idempotency support
src/routes/webhooks.routes.ts	REST endpoints for webhook management, testing, and replay functionality
src/server/index.ts	Express application setup with security middleware and rate limiting
src/index.ts	Main entry point with database initialization and graceful shutdown
test/webhook.test.js	Unit tests for webhook signature creation and verification
README.md	Comprehensive documentation for API endpoints and webhook usage
package.json	Added dependencies for Express, PostgreSQL, Argon2, and security middleware
.env.example	Environment variable examples for new configuration options
.eslintrc.js	Updated ESLint config to allow namespace declarations

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The webhook URL is not validated. Malicious or misconfigured URLs could be used to perform Server-Side Request Forgery (SSRF) attacks against internal services. Add URL validation to ensure the webhook URL points to an allowed destination (e.g., block private IP ranges, localhost, metadata endpoints).

[Copilot]

Missing validation for the 'owner' field format and length. Without constraints, users could create invalid or malicious owner identifiers. Consider validating that the owner is a valid email or username format, and enforce a maximum length constraint.

[Copilot]

Each call to updateDeliveryStatus increments the attempts counter independently. If multiple updates happen concurrently (which shouldn't happen in the current code but could in future modifications), the attempts count could be incorrect. While not currently a problem, consider using a more atomic approach or ensuring the attempts counter matches the actual retry logic (e.g., passing the attempt number rather than incrementing).

[Copilot]

When creating an API key with a duplicate name/owner combination, the database will throw a unique constraint violation error. This error is not caught and handled gracefully in the route handler, resulting in a generic 500 error instead of a more informative 409 Conflict response. Consider catching constraint violation errors and returning appropriate HTTP status codes.

[Copilot]

Same issue with setTimeout for idempotency cleanup as in the POST endpoint. Timer references are not stored and cannot be cleared on shutdown, potentially causing memory leaks and lost cleanup tasks across restarts.

[Copilot]

The tests don't cover the edge case where signature lengths differ (which will cause timingSafeEqual to throw an error with the current implementation). Add a test case that verifies behavior when a malformed signature is provided (e.g., wrong length, missing prefix).

[Copilot]

The query filters by both active = true AND event type, but there's no composite index on (active, events). While individual indexes exist, a composite index or GIN index on the events array would improve performance when triggering webhooks. Consider adding an index like CREATE INDEX idx_webhooks_active_events ON webhooks USING GIN(events) WHERE active = true;

Suggested change

	-- Index to efficiently query active webhooks by event type
	CREATE INDEX IF NOT EXISTS idx_webhooks_active_events
	ON webhooks USING GIN (events)
	WHERE active = true;

[Copilot]

The authenticate middleware is called without passing the configured pepper value. This means API keys created with a pepper (from config or user-provided) cannot be verified. The middleware should load the global pepper from config and use it for verification. This is a critical issue that breaks authentication when a pepper is configured.

[Copilot]

The timingSafeEqual function requires both buffers to be the same length. If the signature strings differ in length, this will throw an error instead of returning false. Add length check before timingSafeEqual or wrap in try-catch to handle length mismatches gracefully.

Suggested change

	return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature));
	const receivedBuffer = Buffer.from(signature);
	const expectedBuffer = Buffer.from(expectedSignature);
	if (receivedBuffer.length !== expectedBuffer.length) {
	return false;
	}
	return crypto.timingSafeEqual(receivedBuffer, expectedBuffer);

[Copilot]

The example webhook verification code has the same timingSafeEqual bug as the service code - it will throw an error if the signature lengths don't match. The documentation example should include a length check before calling timingSafeEqual to match best practices.

Suggested change

	return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature));
	// Safely compare signatures without throwing on length mismatch
	if (typeof signature !== 'string') {
	return false;
	}
	const receivedBuffer = Buffer.from(signature, 'utf8');
	const expectedBuffer = Buffer.from(expectedSignature, 'utf8');
	if (receivedBuffer.length !== expectedBuffer.length) {
	return false;
	}
	return crypto.timingSafeEqual(receivedBuffer, expectedBuffer);