feat: api key validation #789
Merged
harshhsahu merged 1 commit into Walkover-Web-Solution:testing from Mar 26, 2026
harshhsahu requested changes Mar 10, 2026
e108dbb to e089c6d
Husainbw786 reviewed Mar 26, 2026
Husainbw786 (Collaborator) left a comment
Code Review - Optimization Suggestions
1. Add Index for Query Pattern (High Priority - Performance)
The query pattern { org_id, `apikey_object_id.${service}`: apikey_object_id, deletedAt: null } will be slow without an index.
Recommendation: Add a compound index:
    { org_id: 1, 'apikey_object_id.openai': 1, deletedAt: 1 }
    // Repeat for each service, or use a wildcard index if MongoDB 4.2+
2. Validate service Against a Whitelist (Security)
Currently any string is accepted for service. This should be validated to protect against query injection.
Recommendation:
    const VALID_SERVICES = ['openai', 'anthropic', 'google', ...];
    if (!VALID_SERVICES.includes(service)) {
      return { success: false, error: 'Invalid service' };
    }
3. Consider Adding .limit() to Queries
If an API key is used by hundreds of agents/versions, pulling all documents could be expensive.
Recommendation: Add .limit(100) or similar to avoid pulling thousands of docs.
4. Redundant Error Handling
The current pattern catches the error, logs it, then rethrows. Consider either:
- Let it propagate naturally, OR
- Return a consistent error response:
    } catch (error) {
      return { success: false, error: `Failed to check API key usage: ${error.message}` };
    }
Overall
Solid feature implementation. The index is the biggest performance win, and service validation is important for security.
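Review points 1 to 3 above combined, as an added example that is not code from this pull request or the project: one allowlist drives both the query filter and the per-service index definitions, so every field path that can be queried is also indexed. ALLOWED_SERVICES, MAX_USAGE_DOCS, buildUsageFilter and usageIndexSpecs are hypothetical names, and the service list is constructed for the example.

```javascript
// Hypothetical names throughout; the service list is constructed for this example.
const ALLOWED_SERVICES = Object.freeze(['openai', 'anthropic', 'google']);
const MAX_USAGE_DOCS = 100; // cap on returned documents (review point 3)

// Builds the "is this API key in use?" filter, or returns an error object.
function buildUsageFilter(orgId, service, apikeyObjectId) {
  // `service` becomes part of a field path, so it must be a string that is
  // on the allowlist. A parsed JSON body can deliver an array or object here.
  if (typeof service !== 'string' || !ALLOWED_SERVICES.includes(service)) {
    return { success: false, error: 'Invalid service' };
  }
  // Pin the values to strings so they are matched literally and an object
  // taken from the request body is never passed through as part of the query.
  if (typeof orgId !== 'string' || typeof apikeyObjectId !== 'string') {
    return { success: false, error: 'Invalid identifier' };
  }
  return {
    success: true,
    filter: {
      org_id: orgId,
      [`apikey_object_id.${service}`]: apikeyObjectId,
      deletedAt: null,
    },
    limit: MAX_USAGE_DOCS,
  };
}

// One compound index per allowed service, in the same field order as the filter
// (review point 1). Each spec can be handed to the driver's index-creation call.
function usageIndexSpecs() {
  return ALLOWED_SERVICES.map((service) => ({
    org_id: 1,
    [`apikey_object_id.${service}`]: 1,
    deletedAt: 1,
  }));
}
```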
e089c6d to f0c00bb
harshhsahu added a commit that referenced this pull request Mar 31, 2026
* fix: chatbot image save (input and generation)
* fix: remove embed user agent from the webhook
* refactor: prompt split fix
* add grafana package
* fix: update resource creation settings to include keepDuplicate option
* fix: update settings in createCollection and createResourceInCollection to ensure keepDuplicate is consistently applied
* key name change
* proxy url remove from env
* change proxy_refrence_id to PUBLIC_REFERENCEID
* feat: added the 'status' key to the apikey model
* removed status key
* status removed
* fixed prompt_enhancer_percentage and criteria_check
* static data with security key
* feat: add hide feature to hide prompt helper
* fix: prompt optimiser fix
* feat auto reset limit and remove cron
* fix: embed preview
* fix: embed preview
* feat: transform ViaSocket fields structure for new payload format
* feat: add model type in get all agent api
* fix: resolved windsurf comments
* feat: add configuration type in get agents by user id projection
* feat: integrate Not Diamond model selection and update agent version controller
* fix: resolved windsurf comments
* feat: response caching
* feat: auto model select
* feat: added batch in model
* feat: implement log queue processing with multiple services for enhanced message handling
* feat: auto model select
* fix: improve Redis error handling and connection strategy
* refactor: rich ui
* feat: implement multi-type pre-tool support (#803)
* feat: implement multi-type pre-tool support
* fix: add validation pre-tool management
* fix: removed redundant code
* feat: agent to template (#810)
  Co-authored-by: Yogesh Patel <yogeshpatel@gmail.com>
* feat: response caching (#813)
* create proxy auth token for automaint (#815)
  Co-authored-by: Prayanshrajput <prayanshrajput15@gmail.com>
* consumer logic change
* grafana added
* not take start date from frontend
* fix: add pre_tools to simple_fields in updateAgentController
* refactor: consolidate actionData and onClickType field schema handling (#824)
* fix: handled the notdiamond api failure safely
* refactor: convert Pyroscope import from require to ES6 import syntax (#826)
* fix: agent template knowledgeBase added
* update local token generation config
* fix: chatbot preview bug fixed
* fix: pass template name and description to schema builder and remove actionData field overrides
* fix: template tool call count bug fixed
* refactor: apply code review suggestions
* fix: add bridge_id to Thread query filter in saveSubThreadIdAndName
* feat: enhance log processing and metrics storage (#823)
  - Added new fields to the raw_data model, including time_zone and updated table name.
  - Refactored logQueueConsumer to handle saving conversation and orchestrator history, as well as batch metrics.
  - Introduced saveHistory and saveMetrics services for structured data storage in PostgreSQL and TimescaleDB.
  - Implemented error handling for database operations in the new services.
  Co-authored-by: Husain Baghwala <husainhackerrank@gmail.com>
* fix: stream in subscribe api (#847)
* feat: added reasoning in history and fixed orchestral history
* refactor: enhance Redis cache clearing response (#852)
  - Updated the clearRedisCache function to include detailed response data.
  - Added 'cleared_keys' and 'skipped_keys' to the response, along with a count of cleared keys.
  - Improved message formatting for multiple cleared keys.
* Clear redid while publish (#855)
* feat: implement cache invalidation after publishing version
  - Added functionality to delete cache keys related to the published version after the publish operation.
  - Ensures that outdated cache entries are removed, improving data consistency.
* feat: add cache invalidation for API call updates
  - Added cache deletion when API calls are updated via updateApiCallByFunctionId
  - Implemented cache invalidation in saveApi service when updating existing API calls
  - Invalidates cache keys for all associated bridge_ids to ensure data consistency
  - Imported agentVersionService and deleteInCache utilities in apiCall controller and service
  ---------
  Co-authored-by: Husain Baghwala <husainhackerrank@gmail.com>
* refactor: change connected_agents key from agent_name to bridge_id across codebase
* changes
* fix: pr comment resolved (#853)
* chore: optimise apicalls collections, migration (#844)
  chore: refactor apicalls migration script and add getOrganizationOwner helper
  chore: moved all migrations to migration-mongo folder
* feat: api key validation (#789)
* feat: template validation by agent (#843)
* feat: template validation by agent
* fix: agent comment changes
* fix: agent changes and one commit (#799)
* chore: optimized apicredentials collection and wrote migration (#845)
* chore: optimized apicredentials collection and wrote migration
* chore: refactor apikeycredentials migration
* chore: optimised apilerts collection, removed duplicate schema from code, and wrote migration (#848)
  chore: resolved ai comments `# squash d8c192a # chore: resolved ai comments
* chore: migrate orgAccessToken from ResponseType collection to Proxy org meta (#858)
* fix: history queue bug
* fix: log queue bugs
* fix: prod or test env check added
* feat: update model configuration modes and include additional fields in agent retrieval and API responses (#868)
* refactor: replace flattenDict with extractPrimitiveValues and include pre-tool arguments in variable path resolution (#870)
* chore: add migration script to remap connected_agents keys from agent names to bridge_id in configurations and configuration_versions collections (#872)
  Co-authored-by: Yogesh Patel <yogeshpatel@gmail.com>
* fix: added stream for model (#871) s
* fix: missed condition (#874)
* axios package fix
---------
Co-authored-by: adityajunwal <adityakjunwal@gmail.com>
Co-authored-by: Dhiraj Parihar <dhirajparihar2001@gmail.com>
Co-authored-by: Natwar Singh Rathor <87537893+Natwar589@users.noreply.github.com>
Co-authored-by: Natwar589 <natwarrathor961@gmail.com>
Co-authored-by: harshhsahu <harsh@whozzat.com>
Co-authored-by: Husain Baghwala <husainhackerrank@gmail.com>
Co-authored-by: Prayanshrajput <104488357+Prayanshrajput@users.noreply.github.com>
Co-authored-by: Yogesh Patel <yogeshpatel@gmail.com>
Co-authored-by: Prayanshrajput <prayanshrajput15@gmail.com>
Co-authored-by: Anushtha-Rathore <anushtharathore35@gmail.com>
Co-authored-by: LAVISH GEHLOD <lavishgehlod210204@acropolis.in>
Co-authored-by: yogeshpatel70 <155749062+yogeshpatel70@users.noreply.github.com>
Co-authored-by: Aditya Kumar Junwal <163153177+adityajunwal@users.noreply.github.com>
Co-authored-by: harsh <145131947+harshhsahu@users.noreply.github.com>
Co-authored-by: LAVI9966 <102133274+LAVI9966@users.noreply.github.com>
prevent deletion of API keys currently in use by agents