fix: security hardening for API key generation (Priya's review)

3 issues found during frontend planning:

1. Tier self-escalation: users could set tier='enterprise' in the
   request body. Fixed: tier locked to auth.tier, removed from request.

2. No key limit: unlimited key generation. Fixed: max 5 active keys
   per user, returns 403 with clear message.

3. generate_key returned only the raw key string, no ID for frontend
   list. Fixed: returns dict with key, id, name, tier.

Also: generate route now returns 'id' so frontend can show the key
in the list immediately without refetching.

Tests updated: mock returns dict, CreateAPIKeyRequest no longer
accepts tier. 392 tests pass.

Author: DevanshuNEU

backend/routes/api_keys.py

@@ -15,9 +15,11 @@
 router = APIRouter(prefix="", tags=["API Keys"])
 
 
+MAX_KEYS_PER_USER = 5
+
+
 class CreateAPIKeyRequest(BaseModel):
     name: str
-    tier: str = "free"
 
 
 @router.get("/metrics")
@@ -46,37 +48,54 @@ async def generate_api_key(
     auth: AuthContext = Depends(require_auth)
 ):
     """Generate a new API key."""
-    set_operation_context("generate_api_key", user_id=auth.user_id, tier=request.tier)
-    add_breadcrumb("API key generation requested", category="api_keys", tier=request.tier)
+    if not auth.user_id:
+        raise HTTPException(status_code=401, detail="User ID required")
+
+    set_operation_context("generate_api_key", user_id=auth.user_id, tier=auth.tier)
+    add_breadcrumb("API key generation requested", category="api_keys", tier=auth.tier)
 
     logger.info(
         "API key generation requested",
         user_id=auth.user_id,
         key_name=request.name,
-        tier=request.tier
+        tier=auth.tier
     )
 
+    # Tier is locked to the user's auth tier (no self-escalation)
+    tier = auth.tier or "free"
+
+    # Enforce key limit per user
+    key_count = api_key_manager.count_keys(auth.user_id)
+    if key_count >= MAX_KEYS_PER_USER:
+        raise HTTPException(
+            status_code=403,
+            detail=f"Maximum {MAX_KEYS_PER_USER} active API keys allowed. Revoke an existing key first."
+        )
+
     try:
-        with track_time("generate_api_key", tier=request.tier):
-            new_key = api_key_manager.generate_key(
+        with track_time("generate_api_key", tier=tier):
+            result = api_key_manager.generate_key(
                 name=request.name,
-                tier=request.tier,
+                tier=tier,
                 user_id=auth.user_id
             )
 
         logger.info(
             "API key generated successfully",
             user_id=auth.user_id,
             key_name=request.name,
-            tier=request.tier
+            tier=tier
         )
 
         return {
-            "api_key": new_key,
-            "tier": request.tier,
+            "api_key": result["key"],
+            "id": result["id"],
+            "tier": tier,
             "name": request.name,
             "message": "Save this key securely - it won't be shown again"
         }
+    except HTTPException:
+        raise
     except Exception as e:
         logger.error(
             "API key generation failed",

backend/services/rate_limiter.py

@@ -177,21 +177,32 @@ class APIKeyManager:
     def __init__(self, supabase_client):
         self.db = supabase_client
 
-    def generate_key(self, name: str, tier: str = 'free', user_id: Optional[str] = None) -> str:
-        """Generate a new API key"""
-        # Generate secure random key
+    def generate_key(self, name: str, tier: str = 'free', user_id: Optional[str] = None) -> Dict:
+        """Generate a new API key. Returns dict with raw key + metadata."""
         key = f"ci_{secrets.token_urlsafe(32)}"
-        
-        # Store in database
-        self.db.table("api_keys").insert({
+
+        result = self.db.table("api_keys").insert({
             "key_hash": hashlib.sha256(key.encode()).hexdigest(),
             "name": name,
             "tier": tier,
             "user_id": user_id,
             "created_at": datetime.utcnow().isoformat()
         }).execute()
-        
-        return key
+
+        row = result.data[0] if result.data else {}
+        return {
+            "key": key,
+            "id": row.get("id"),
+            "name": name,
+            "tier": tier,
+        }
+
+    def count_keys(self, user_id: str) -> int:
+        """Count active keys for a user."""
+        result = self.db.table("api_keys").select(
+            "id", count="exact"
+        ).eq("user_id", user_id).eq("active", True).execute()
+        return result.count or 0
 
     def verify_key(self, api_key: str) -> Optional[Dict]:
         """Verify API key and return metadata"""

backend/tests/test_observability_routes.py

@@ -355,7 +355,13 @@ def mock_dependencies(self):
              patch("routes.api_keys.rate_limiter") as mock_limiter, \
              patch("routes.api_keys.metrics") as mock_metrics:
 
-            mock_manager.generate_key = MagicMock(return_value="sk-test-key-123")
+            mock_manager.generate_key = MagicMock(return_value={
+                "key": "ci_test-key-123",
+                "id": "test-uuid",
+                "name": "test",
+                "tier": "free",
+            })
+            mock_manager.count_keys = MagicMock(return_value=0)
             mock_limiter.get_usage = MagicMock(return_value={"minute": 5, "hour": 50})
             mock_metrics.get_metrics = MagicMock(return_value={"searches": 100})
 
@@ -371,7 +377,7 @@ async def test_generate_key_logs_request(self, mock_observability, mock_dependen
         from routes.api_keys import generate_api_key, CreateAPIKeyRequest
         from middleware.auth import AuthContext
 
-        request = CreateAPIKeyRequest(name="Production Key", tier="pro")
+        request = CreateAPIKeyRequest(name="Production Key")
         auth = AuthContext(user_id="user-123", email="test@test.com", tier="pro")
 
         await generate_api_key(request, auth)
@@ -387,7 +393,7 @@ async def test_generate_key_sets_context_with_tier(self, mock_observability, moc
         from routes.api_keys import generate_api_key, CreateAPIKeyRequest
         from middleware.auth import AuthContext
 
-        request = CreateAPIKeyRequest(name="Key", tier="enterprise")
+        request = CreateAPIKeyRequest(name="Key")
         auth = AuthContext(user_id="user", email="test@test.com", tier="enterprise")
 
         await generate_api_key(request, auth)