26 lines
1.2 KiB
SQL
26 lines
1.2 KiB
SQL
-- =============================================================================
|
|
-- Make workspace API keys revealable.
|
|
--
|
|
-- Adds `key_encrypted` — base64 of secret-box(VIBN_SECRETS_KEY, plaintext token).
|
|
-- Existing rows keep `key_encrypted = NULL` and are therefore NOT revealable;
|
|
-- only the hash was stored at mint time and the plaintext is unrecoverable by
|
|
-- design. Those keys still work for auth (hash lookup is unchanged); they just
|
|
-- can't surface the plaintext again — the UI will flag them as legacy.
|
|
--
|
|
-- New keys minted after this migration will populate `key_encrypted` and can
|
|
-- be revealed on demand by session-authenticated users (never by API-key
|
|
-- principals — prevents lateral movement).
|
|
--
|
|
-- Safe to re-run.
|
|
-- =============================================================================
|
|
|
|
ALTER TABLE vibn_workspace_api_keys
|
|
ADD COLUMN IF NOT EXISTS key_encrypted TEXT;
|
|
|
|
COMMENT ON COLUMN vibn_workspace_api_keys.key_encrypted IS
|
|
'base64( AES-256-GCM encrypt(VIBN_SECRETS_KEY, plaintext vibn_sk_...) ). '
|
|
'NULL for legacy rows minted before this column existed — those keys '
|
|
'remain valid for auth but cannot be revealed.';
|
|
|
|
SELECT 'API-key revealability migration complete' AS status;
|