fix(auth): harden key copy and audit method logging

SantiagoDePolonia · SantiagoDePolonia · commit b486213a478c · 2026-03-31T17:48:30.000+02:00
diff --git a/internal/admin/dashboard/static/js/modules/auth-keys.js b/internal/admin/dashboard/static/js/modules/auth-keys.js
@@ -11,6 +11,8 @@
             authKeyIssuedValue: '',
             authKeyDeactivatingID: '',
             authKeyCopied: false,
+            authKeyCopyError: false,
+            authKeyCopyResetTimer: null,
             authKeyForm: {
                 name: '',
                 description: '',
@@ -52,27 +54,103 @@
                 this.authKeyError = '';
                 this.authKeyNotice = '';
                 this.authKeyIssuedValue = '';
+                this.resetAuthKeyCopyFeedback();
                 this.authKeyForm = this.defaultAuthKeyForm();
             },
 
             closeAuthKeyForm() {
                 this.authKeyFormOpen = false;
                 this.authKeyError = '';
                 this.authKeyIssuedValue = '';
-                this.authKeyCopied = false;
+                this.resetAuthKeyCopyFeedback();
                 this.authKeyForm = this.defaultAuthKeyForm();
             },
 
+            clearAuthKeyCopyResetTimer() {
+                if (this.authKeyCopyResetTimer !== null) {
+                    clearTimeout(this.authKeyCopyResetTimer);
+                    this.authKeyCopyResetTimer = null;
+                }
+            },
+
+            scheduleAuthKeyCopyFeedbackReset() {
+                this.clearAuthKeyCopyResetTimer();
+                this.authKeyCopyResetTimer = setTimeout(() => {
+                    this.authKeyCopied = false;
+                    this.authKeyCopyError = false;
+                    this.authKeyCopyResetTimer = null;
+                }, 2000);
+            },
+
+            resetAuthKeyCopyFeedback() {
+                this.clearAuthKeyCopyResetTimer();
+                this.authKeyCopied = false;
+                this.authKeyCopyError = false;
+            },
+
+            setAuthKeyCopyFeedback(copied, hasError) {
+                this.authKeyCopied = copied;
+                this.authKeyCopyError = hasError;
+                this.scheduleAuthKeyCopyFeedbackReset();
+            },
+
             copyAuthKeyValue() {
-                navigator.clipboard.writeText(this.authKeyIssuedValue).then(() => {
-                    this.authKeyCopied = true;
-                    setTimeout(() => { this.authKeyCopied = false; }, 2000);
-                });
+                const value = String(this.authKeyIssuedValue || '');
+                const clipboard = global.navigator && global.navigator.clipboard;
+
+                this.resetAuthKeyCopyFeedback();
+
+                if (clipboard && typeof clipboard.writeText === 'function') {
+                    return clipboard.writeText(value).then(() => {
+                        this.setAuthKeyCopyFeedback(true, false);
+                    }).catch((error) => {
+                        console.error('Failed to copy auth key:', error);
+                        this.setAuthKeyCopyFeedback(false, true);
+                    });
+                }
+
+                const doc = global.document;
+                if (!doc || !doc.body || typeof doc.createElement !== 'function' || typeof doc.execCommand !== 'function') {
+                    this.setAuthKeyCopyFeedback(false, true);
+                    return Promise.resolve();
+                }
+
+                const textarea = doc.createElement('textarea');
+                textarea.value = value;
+                textarea.setAttribute('readonly', '');
+                textarea.style.position = 'fixed';
+                textarea.style.top = '0';
+                textarea.style.left = '0';
+                textarea.style.opacity = '0';
+
+                try {
+                    doc.body.appendChild(textarea);
+                    if (typeof textarea.focus === 'function') {
+                        textarea.focus();
+                    }
+                    if (typeof textarea.select === 'function') {
+                        textarea.select();
+                    }
+                    if (typeof textarea.setSelectionRange === 'function') {
+                        textarea.setSelectionRange(0, textarea.value.length);
+                    }
+                    const copied = !!doc.execCommand('copy');
+                    this.setAuthKeyCopyFeedback(copied, !copied);
+                } catch (error) {
+                    console.error('Failed to copy auth key:', error);
+                    this.setAuthKeyCopyFeedback(false, true);
+                } finally {
+                    if (textarea.parentNode) {
+                        textarea.parentNode.removeChild(textarea);
+                    }
+                }
+
+                return Promise.resolve();
             },
 
             dismissIssuedKey() {
                 this.authKeyIssuedValue = '';
-                this.authKeyCopied = false;
+                this.resetAuthKeyCopyFeedback();
                 this.authKeyForm = this.defaultAuthKeyForm();
             },
 
diff --git a/internal/admin/dashboard/static/js/modules/auth-keys.test.js b/internal/admin/dashboard/static/js/modules/auth-keys.test.js
@@ -26,6 +26,26 @@ function createAuthKeysModule(overrides) {
     return factory();
 }
 
+function createTimerHarness() {
+    let nextID = 1;
+    const timers = new Map();
+    return {
+        setTimeout(callback, _delay) {
+            const id = nextID++;
+            timers.set(id, callback);
+            return id;
+        },
+        clearTimeout(id) {
+            timers.delete(id);
+        },
+        runAll() {
+            const callbacks = Array.from(timers.values());
+            timers.clear();
+            callbacks.forEach((callback) => callback());
+        }
+    };
+}
+
 test('submitAuthKeyForm serializes date-only expirations to the end of the selected UTC day', async () => {
     const requests = [];
     const module = createAuthKeysModule({
@@ -57,3 +77,118 @@ test('submitAuthKeyForm serializes date-only expirations to the end of the selec
         '2026-04-01T23:59:59Z'
     );
 });
+
+test('copyAuthKeyValue uses navigator.clipboard when available and resets feedback', async () => {
+    const timers = createTimerHarness();
+    const writes = [];
+    const module = createAuthKeysModule({
+        setTimeout: timers.setTimeout,
+        clearTimeout: timers.clearTimeout,
+        window: {
+            navigator: {
+                clipboard: {
+                    writeText(value) {
+                        writes.push(value);
+                        return Promise.resolve();
+                    }
+                }
+            }
+        }
+    });
+
+    module.authKeyIssuedValue = 'sk_gom_test';
+
+    await module.copyAuthKeyValue();
+
+    assert.deepEqual(writes, ['sk_gom_test']);
+    assert.equal(module.authKeyCopied, true);
+    assert.equal(module.authKeyCopyError, false);
+
+    timers.runAll();
+
+    assert.equal(module.authKeyCopied, false);
+    assert.equal(module.authKeyCopyError, false);
+});
+
+test('copyAuthKeyValue sets an error flag when navigator.clipboard rejects', async () => {
+    const timers = createTimerHarness();
+    const module = createAuthKeysModule({
+        console: {
+            error() {}
+        },
+        setTimeout: timers.setTimeout,
+        clearTimeout: timers.clearTimeout,
+        window: {
+            navigator: {
+                clipboard: {
+                    writeText() {
+                        return Promise.reject(new Error('denied'));
+                    }
+                }
+            }
+        }
+    });
+
+    module.authKeyIssuedValue = 'sk_gom_test';
+
+    await module.copyAuthKeyValue();
+
+    assert.equal(module.authKeyCopied, false);
+    assert.equal(module.authKeyCopyError, true);
+
+    timers.runAll();
+
+    assert.equal(module.authKeyCopied, false);
+    assert.equal(module.authKeyCopyError, false);
+});
+
+test('copyAuthKeyValue falls back to document.execCommand when clipboard API is unavailable', async () => {
+    const timers = createTimerHarness();
+    const appended = [];
+    const removed = [];
+    const fakeBody = {
+        appendChild(node) {
+            node.parentNode = fakeBody;
+            appended.push(node);
+        },
+        removeChild(node) {
+            removed.push(node);
+            node.parentNode = null;
+        }
+    };
+    const fakeDocument = {
+        body: fakeBody,
+        createElement() {
+            return {
+                value: '',
+                style: {},
+                setAttribute() {},
+                focus() {},
+                select() {},
+                setSelectionRange() {},
+                parentNode: null
+            };
+        },
+        execCommand(command) {
+            assert.equal(command, 'copy');
+            return true;
+        }
+    };
+    const module = createAuthKeysModule({
+        setTimeout: timers.setTimeout,
+        clearTimeout: timers.clearTimeout,
+        window: {
+            document: fakeDocument
+        }
+    });
+
+    module.authKeyIssuedValue = 'sk_gom_test';
+
+    await module.copyAuthKeyValue();
+
+    assert.equal(appended.length, 1);
+    assert.equal(removed.length, 1);
+    assert.equal(appended[0].value, 'sk_gom_test');
+    assert.equal(module.authKeyCopied, true);
+    assert.equal(module.authKeyCopyError, false);
+});
diff --git a/internal/admin/dashboard/templates/index.html b/internal/admin/dashboard/templates/index.html
@@ -282,6 +282,9 @@ <h3>Create API Key</h3>
                         <span x-text="authKeyCopied ? 'Copied' : 'Copy'"></span>
                     </button>
                 </div>
+                <p class="alias-form-error" x-show="authKeyCopyError">
+                    Unable to copy the key automatically. Copy it manually.
+                </p>
                 <div class="alias-form-actions">
                     <button type="button" class="pagination-btn pagination-btn-primary"
                         @click="dismissIssuedKey()">Done, I&rsquo;ve stored it</button>
diff --git a/internal/auditlog/middleware.go b/internal/auditlog/middleware.go
@@ -398,6 +398,12 @@ func EnrichEntryWithAuthMethod(c *echo.Context, method string) {
 	if !ok || entry == nil {
 		return
 	}
+	method = strings.ToLower(strings.TrimSpace(method))
+	switch method {
+	case AuthMethodAPIKey, AuthMethodMasterKey, AuthMethodNoKey, "unknown":
+	default:
+		return
+	}
 	entry.AuthMethod = method
 }
 
diff --git a/internal/auditlog/middleware_auth_method_test.go b/internal/auditlog/middleware_auth_method_test.go
@@ -0,0 +1,47 @@
+package auditlog
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/labstack/echo/v5"
+)
+
+func TestEnrichEntryWithAuthMethodTrimsAndValidatesAllowedValues(t *testing.T) {
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+	entry := &LogEntry{}
+	c.Set(string(LogEntryKey), entry)
+
+	EnrichEntryWithAuthMethod(c, "  API_KEY  ")
+	if entry.AuthMethod != AuthMethodAPIKey {
+		t.Fatalf("entry auth method = %q, want %q", entry.AuthMethod, AuthMethodAPIKey)
+	}
+
+	EnrichEntryWithAuthMethod(c, "master_key")
+	if entry.AuthMethod != AuthMethodMasterKey {
+		t.Fatalf("entry auth method = %q, want %q", entry.AuthMethod, AuthMethodMasterKey)
+	}
+}
+
+func TestEnrichEntryWithAuthMethodIgnoresBlankAndUnsupportedValues(t *testing.T) {
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+	entry := &LogEntry{}
+	c.Set(string(LogEntryKey), entry)
+
+	EnrichEntryWithAuthMethod(c, "   ")
+	if entry.AuthMethod != "" {
+		t.Fatalf("entry auth method = %q, want empty", entry.AuthMethod)
+	}
+
+	EnrichEntryWithAuthMethod(c, "oauth")
+	if entry.AuthMethod != "" {
+		t.Fatalf("entry auth method = %q, want empty", entry.AuthMethod)
+	}
+}
diff --git a/internal/auditlog/store_postgresql.go b/internal/auditlog/store_postgresql.go
@@ -87,7 +87,6 @@ func NewPostgreSQLStore(pool *pgxpool.Pool, retentionDays int) (*PostgreSQLStore
 		"ALTER TABLE audit_logs ADD COLUMN IF NOT EXISTS auth_key_id TEXT",
 		"ALTER TABLE audit_logs ADD COLUMN IF NOT EXISTS auth_method TEXT",
 		"ALTER TABLE audit_logs ADD COLUMN IF NOT EXISTS user_path TEXT",
-		"ALTER TABLE audit_logs ADD COLUMN IF NOT EXISTS auth_method TEXT",
 	}
 	for _, migration := range migrations {
 		if _, err := pool.Exec(ctx, migration); err != nil {
diff --git a/internal/auditlog/store_sqlite.go b/internal/auditlog/store_sqlite.go
@@ -72,7 +72,6 @@ func NewSQLiteStore(db *sql.DB, retentionDays int) (*SQLiteStore, error) {
 		"ALTER TABLE audit_logs ADD COLUMN auth_key_id TEXT",
 		"ALTER TABLE audit_logs ADD COLUMN auth_method TEXT",
 		"ALTER TABLE audit_logs ADD COLUMN user_path TEXT",
-		"ALTER TABLE audit_logs ADD COLUMN auth_method TEXT",
 	}
 	for _, migration := range migrations {
 		if _, err := db.Exec(migration); err != nil {
diff --git a/internal/server/auth.go b/internal/server/auth.go
@@ -72,12 +72,12 @@ func AuthMiddlewareWithAuthenticator(masterKey string, authenticator BearerToken
 			}
 
 			if authenticator != nil && authenticator.Enabled() {
+				auditlog.EnrichEntryWithAuthMethod(c, auditlog.AuthMethodAPIKey)
 				authKeyID, err := authenticator.Authenticate(c.Request().Context(), token)
 				if err == nil {
 					ctx := core.WithAuthKeyID(c.Request().Context(), authKeyID)
 					c.SetRequest(c.Request().WithContext(ctx))
 					auditlog.EnrichEntryWithAuthKeyID(c, authKeyID)
-					auditlog.EnrichEntryWithAuthMethod(c, auditlog.AuthMethodAPIKey)
 					return next(c)
 				}
 
diff --git a/internal/server/auth_test.go b/internal/server/auth_test.go
@@ -189,6 +189,9 @@ func TestAuthMiddlewareWithAuthenticator_ManagedKeyEnrichesContextAndAudit(t *te
 		if entry.AuthKeyID != "key-123" {
 			t.Fatalf("audit entry auth key id = %q, want key-123", entry.AuthKeyID)
 		}
+		if entry.AuthMethod != auditlog.AuthMethodAPIKey {
+			t.Fatalf("audit entry auth method = %q, want %q", entry.AuthMethod, auditlog.AuthMethodAPIKey)
+		}
 		return c.String(http.StatusOK, "ok")
 	}
 
@@ -235,6 +238,7 @@ func TestAuthMiddlewareWithAuthenticator_ManagedKeyFailureUsesGenericClientMessa
 	require.True(t, ok)
 	require.NotNil(t, entry)
 	require.NotNil(t, entry.Data)
+	assert.Equal(t, auditlog.AuthMethodAPIKey, entry.AuthMethod)
 	assert.Equal(t, string(core.ErrorTypeAuthentication), entry.ErrorType)
 	assert.Equal(t, "authentication unavailable", entry.Data.ErrorMessage)
 }

Original file line number	Diff line number	Diff line change
`@@ -398,6 +398,12 @@ func EnrichEntryWithAuthMethod(c *echo.Context, method string) {`
`398`	`398`	`if !ok \|\| entry == nil {`
`399`	`399`	`return`
`400`	`400`	`}`
	`401`	`+ method = strings.ToLower(strings.TrimSpace(method))`
	`402`	`+ switch method {`
	`403`	`+ case AuthMethodAPIKey, AuthMethodMasterKey, AuthMethodNoKey, "unknown":`
	`404`	`+ default:`
	`405`	`+ return`
	`406`	`+ }`
`401`	`407`	`entry.AuthMethod = method`
`402`	`408`	`}`
`403`	`409`
Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,6 @@ func NewPostgreSQLStore(pool pgxpool.Pool, retentionDays int) (PostgreSQLStore`
`87`	`87`	`"ALTER TABLE audit_logs ADD COLUMN IF NOT EXISTS auth_key_id TEXT",`
`88`	`88`	`"ALTER TABLE audit_logs ADD COLUMN IF NOT EXISTS auth_method TEXT",`
`89`	`89`	`"ALTER TABLE audit_logs ADD COLUMN IF NOT EXISTS user_path TEXT",`
`90`		`- "ALTER TABLE audit_logs ADD COLUMN IF NOT EXISTS auth_method TEXT",`
`91`	`90`	`}`
`92`	`91`	`for _, migration := range migrations {`
`93`	`92`	`if _, err := pool.Exec(ctx, migration); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,6 @@ func NewSQLiteStore(db sql.DB, retentionDays int) (SQLiteStore, error) {`
`72`	`72`	`"ALTER TABLE audit_logs ADD COLUMN auth_key_id TEXT",`
`73`	`73`	`"ALTER TABLE audit_logs ADD COLUMN auth_method TEXT",`
`74`	`74`	`"ALTER TABLE audit_logs ADD COLUMN user_path TEXT",`
`75`		`- "ALTER TABLE audit_logs ADD COLUMN auth_method TEXT",`
`76`	`75`	`}`
`77`	`76`	`for _, migration := range migrations {`
`78`	`77`	`if _, err := db.Exec(migration); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -72,12 +72,12 @@ func AuthMiddlewareWithAuthenticator(masterKey string, authenticator BearerToken`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`if authenticator != nil && authenticator.Enabled() {`
	`75`	`+ auditlog.EnrichEntryWithAuthMethod(c, auditlog.AuthMethodAPIKey)`
`75`	`76`	`authKeyID, err := authenticator.Authenticate(c.Request().Context(), token)`
`76`	`77`	`if err == nil {`
`77`	`78`	`ctx := core.WithAuthKeyID(c.Request().Context(), authKeyID)`
`78`	`79`	`c.SetRequest(c.Request().WithContext(ctx))`
`79`	`80`	`auditlog.EnrichEntryWithAuthKeyID(c, authKeyID)`
`80`		`- auditlog.EnrichEntryWithAuthMethod(c, auditlog.AuthMethodAPIKey)`
`81`	`81`	`return next(c)`
`82`	`82`	`}`
`83`	`83`
Original file line number	Diff line number	Diff line change
`@@ -189,6 +189,9 @@ func TestAuthMiddlewareWithAuthenticator_ManagedKeyEnrichesContextAndAudit(t *te`
`189`	`189`	`if entry.AuthKeyID != "key-123" {`
`190`	`190`	`t.Fatalf("audit entry auth key id = %q, want key-123", entry.AuthKeyID)`
`191`	`191`	`}`
	`192`	`+ if entry.AuthMethod != auditlog.AuthMethodAPIKey {`
	`193`	`+ t.Fatalf("audit entry auth method = %q, want %q", entry.AuthMethod, auditlog.AuthMethodAPIKey)`
	`194`	`+ }`
`192`	`195`	`return c.String(http.StatusOK, "ok")`
`193`	`196`	`}`
`194`	`197`
`@@ -235,6 +238,7 @@ func TestAuthMiddlewareWithAuthenticator_ManagedKeyFailureUsesGenericClientMessa`
`235`	`238`	`require.True(t, ok)`
`236`	`239`	`require.NotNil(t, entry)`
`237`	`240`	`require.NotNil(t, entry.Data)`
	`241`	`+ assert.Equal(t, auditlog.AuthMethodAPIKey, entry.AuthMethod)`
`238`	`242`	`assert.Equal(t, string(core.ErrorTypeAuthentication), entry.ErrorType)`
`239`	`243`	`assert.Equal(t, "authentication unavailable", entry.Data.ErrorMessage)`
`240`	`244`	`}`