.issue.db
/highway-workflow-engine
Edit Issue #257
Description
Critical security vulnerability discovered in API key rotation:

**Issues Found:**

1. Rotation kept old keys active (is_active=TRUE) - only set expires_at
2. is_rotating flag was set but never checked by RBAC middleware
3. Default 24h grace period meant compromised keys stayed valid
4. No immediate deactivation option for security incidents

**Impact:**

- Compromised API keys remained valid for 24 hours after rotation
- Multiple rotations created chains of active keys
- Security incident response ineffective

**Fix Applied:**

1. Default behavior now IMMEDIATELY deactivates old key
2. Grace period is opt-in via grace_period_hours parameter
3. List endpoint shows 'rotating' status for keys in grace period
4. Existing rotated keys in production deactivated

**Files Modified:**

- api/blueprints/v1/api_keys.py (rotate_api_key, list_api_keys)

**Database Fix:**

`UPDATE api_keys SET is_active=FALSE WHERE is_rotating=TRUE`
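The rotation defect and its fix, as an added example that is not code from the highway-workflow-engine repository. It models the behaviour the issue describes on an in-memory store: the pre-fix rotation leaves the old key `is_active=TRUE` with a 24h `expires_at`, so a middleware that checks only `is_active` and `expires_at` keeps honouring a compromised key; the fixed rotation deactivates immediately unless `grace_period_hours` is passed, and the list status reports `rotating` during an opt-in grace period. The field names `is_active`, `is_rotating`, `expires_at` and the `grace_period_hours` parameter come from the issue text; the `ApiKey` class, `new_key`, `authorize`, `key_status`, `deactivate_rotating_keys`, the `scenario` helpers and all sample data are assumptions made for this example, not the project's API.

```python
"""Added example, not the highway-workflow-engine project's own code.

Field names (is_active, is_rotating, expires_at) and grace_period_hours are
taken from issue #257; every other name and the sample data are assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


@dataclass
class ApiKey:                      # hypothetical row shape for the api_keys table
    key_id: str
    secret: str                    # assumed: the bearer value a client presents
    is_active: bool = True
    is_rotating: bool = False
    expires_at: Optional[datetime] = None
    rotated_from: Optional[str] = None   # assumed: links successor to predecessor


def new_key(store: Dict[str, ApiKey], rotated_from: Optional[str] = None) -> ApiKey:
    key = ApiKey(secrets.token_hex(8), secrets.token_urlsafe(32), rotated_from=rotated_from)
    store[key.key_id] = key
    return key


def rotate_vulnerable(store: Dict[str, ApiKey], key_id: str, now: datetime) -> ApiKey:
    """Pre-fix behaviour from the issue: old key stays is_active=TRUE, only
    expires_at is set (24h default), and is_rotating is set but never checked."""
    old = store[key_id]
    old.is_rotating = True
    old.expires_at = now + timedelta(hours=24)
    return new_key(store, rotated_from=key_id)


def rotate_api_key(store: Dict[str, ApiKey], key_id: str, now: datetime,
                   grace_period_hours: Optional[int] = None) -> ApiKey:
    """Fixed behaviour: deactivate the old key immediately unless the caller
    explicitly opts in to a grace period."""
    old = store[key_id]
    if grace_period_hours is None:
        old.is_active = False          # immediate revocation is the default
        old.is_rotating = False
        old.expires_at = now
    else:
        old.is_rotating = True         # still active, but visibly in grace
        old.expires_at = now + timedelta(hours=grace_period_hours)
    return new_key(store, rotated_from=key_id)


def authorize(store: Dict[str, ApiKey], presented: str, now: datetime) -> bool:
    """Middleware check as the issue describes it: is_active and expires_at
    only. With rotate_vulnerable this is exactly what keeps old keys valid."""
    for key in store.values():
        if not secrets.compare_digest(key.secret, presented):
            continue
        if not key.is_active:
            return False
        if key.expires_at is not None and now >= key.expires_at:
            return False
        return True
    return False


def key_status(key: ApiKey, now: datetime) -> str:
    """Status for the list endpoint: 'rotating' while inside a grace period."""
    if not key.is_active:
        return "revoked"
    if key.is_rotating and key.expires_at is not None and now < key.expires_at:
        return "rotating"
    return "active"


def deactivate_rotating_keys(store: Dict[str, ApiKey]) -> int:
    """In-memory equivalent of the one-off production fix:
    UPDATE api_keys SET is_active=FALSE WHERE is_rotating=TRUE. Returns rows changed."""
    changed = 0
    for key in store.values():
        if key.is_rotating and key.is_active:
            key.is_active = False
            changed += 1
    return changed


def scenario(rotate: Callable[[Dict[str, ApiKey], str, datetime], ApiKey]) -> dict:
    """Rotate one (assume compromised) key and report what authorize() says
    afterwards. Returns plain values so the outcome is easy to check."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    store: Dict[str, ApiKey] = {}
    old = new_key(store)
    new = rotate(store, old.key_id, t0)
    return {
        "old_valid_at_1h": authorize(store, old.secret, t0 + timedelta(hours=1)),
        "old_valid_at_25h": authorize(store, old.secret, t0 + timedelta(hours=25)),
        "new_valid_at_1h": authorize(store, new.secret, t0 + timedelta(hours=1)),
        "old_status": key_status(store[old.key_id], t0 + timedelta(hours=1)),
    }


def chain_and_cleanup() -> tuple:
    """Three vulnerable rotations in a row build a chain of active keys; the
    database fix collapses it to the newest key only."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store: Dict[str, ApiKey] = {}
    key = new_key(store)
    for i in range(3):
        key = rotate_vulnerable(store, key.key_id, t0 + timedelta(minutes=i))
    at = t0 + timedelta(hours=1)
    active_before = sum(authorize(store, k.secret, at) for k in store.values())
    changed = deactivate_rotating_keys(store)
    active_after = sum(authorize(store, k.secret, at) for k in store.values())
    return active_before, changed, active_after
```

Running `scenario(rotate_vulnerable)` shows the old key still authorizing an hour after rotation, which is the 24h window the issue reports; `scenario(rotate_api_key)` shows it refused immediately, and passing `grace_period_hours` is the only way to get the `rotating` state back. `chain_and_cleanup()` reproduces the chain of active keys and the effect of the `UPDATE` statement.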