fix(cortex-login): validate API key format before keyring save

factorydroid · factorydroid · commit c076be3fad33 · 2026-01-26T20:43:03.000+04:00
Fixes bounty issue #1622

The login_with_api_key function now validates the API key format before
attempting to save it to the keyring. This prevents invalid keys (empty,
too short, containing control characters or whitespace) from being stored.

Changes:
- Add validate_api_key_format() function with comprehensive checks
- Call validation in login_with_api_key() before save_auth()
- Add unit tests for all validation cases
diff --git a/cortex-login/src/lib.rs b/cortex-login/src/lib.rs
@@ -268,12 +268,56 @@ pub fn delete_auth(cortex_home: &Path, mode: CredentialsStoreMode) -> Result<boo
     }
 }
 
+/// Minimum length for a valid API key.
+const MIN_API_KEY_LENGTH: usize = 10;
+
+/// Validate API key format.
+///
+/// Checks that the key:
+/// - Has a minimum length (10 characters)
+/// - Contains only valid characters (no newlines or control characters)
+/// - Does not contain leading/trailing whitespace
+///
+/// Returns `Ok(())` if valid, or an error describing the validation failure.
+pub fn validate_api_key_format(api_key: &str) -> Result<()> {
+    // Check for empty key
+    if api_key.is_empty() {
+        anyhow::bail!("API key cannot be empty");
+    }
+
+    // Check for leading/trailing whitespace
+    if api_key != api_key.trim() {
+        anyhow::bail!("API key contains leading or trailing whitespace");
+    }
+
+    // Check minimum length
+    if api_key.len() < MIN_API_KEY_LENGTH {
+        anyhow::bail!(
+            "API key is too short (minimum {} characters, got {})",
+            MIN_API_KEY_LENGTH,
+            api_key.len()
+        );
+    }
+
+    // Check for invalid characters (newlines, control characters)
+    if api_key.chars().any(|c| c.is_control()) {
+        anyhow::bail!("API key contains invalid characters (newlines or control characters)");
+    }
+
+    Ok(())
+}
+
 /// Login with API key (stores securely).
+///
+/// Validates the API key format before attempting to save to the keyring.
 pub fn login_with_api_key(
     cortex_home: &Path,
     api_key: &str,
     mode: CredentialsStoreMode,
 ) -> Result<()> {
+    // Validate API key format before attempting to save
+    validate_api_key_format(api_key).context("Invalid API key format")?;
+
     let data = SecureAuthData::with_api_key(api_key.to_string());
     save_auth(cortex_home, &data, mode)?;
     Ok(())
@@ -784,4 +828,70 @@ mod tests {
         assert!(metadata.has_api_key);
         assert!(!metadata.has_access_token);
     }
+
+    #[test]
+    fn test_validate_api_key_format_valid() {
+        // Valid keys should pass
+        assert!(validate_api_key_format("sk-proj-1234567890").is_ok());
+        assert!(validate_api_key_format("sk-ant-api123456").is_ok());
+        assert!(validate_api_key_format("1234567890").is_ok());
+    }
+
+    #[test]
+    fn test_validate_api_key_format_empty() {
+        let result = validate_api_key_format("");
+        assert!(result.is_err());
+        assert!(result.unwrap_err().to_string().contains("empty"));
+    }
+
+    #[test]
+    fn test_validate_api_key_format_too_short() {
+        let result = validate_api_key_format("short");
+        assert!(result.is_err());
+        assert!(result.unwrap_err().to_string().contains("too short"));
+    }
+
+    #[test]
+    fn test_validate_api_key_format_whitespace() {
+        // Leading whitespace
+        let result = validate_api_key_format(" sk-proj-1234567890");
+        assert!(result.is_err());
+        assert!(result.unwrap_err().to_string().contains("whitespace"));
+
+        // Trailing whitespace
+        let result = validate_api_key_format("sk-proj-1234567890 ");
+        assert!(result.is_err());
+        assert!(result.unwrap_err().to_string().contains("whitespace"));
+    }
+
+    #[test]
+    fn test_validate_api_key_format_newlines() {
+        // Newline at end is detected as whitespace (trim check fires first)
+        let result = validate_api_key_format("sk-proj-1234567890\n");
+        assert!(result.is_err());
+        let err_msg = result.unwrap_err().to_string();
+        assert!(err_msg.contains("whitespace") || err_msg.contains("invalid characters"));
+
+        // Newline in middle is detected as invalid character
+        let result = validate_api_key_format("sk-proj\n-1234567890");
+        assert!(result.is_err());
+        assert!(
+            result
+                .unwrap_err()
+                .to_string()
+                .contains("invalid characters")
+        );
+    }
+
+    #[test]
+    fn test_validate_api_key_format_control_chars() {
+        let result = validate_api_key_format("sk-proj-123\x00456");
+        assert!(result.is_err());
+        assert!(
+            result
+                .unwrap_err()
+                .to_string()
+                .contains("invalid characters")
+        );
+    }
 }
