ApiKeyStrategy

generateSecret

Generates the API-Key secret which ultimately gets hashed and determines the session id.

generateLookupId

Generates an API-Key lookup ID.

A separate lookup ID enables us to use stronger salted hashing methods for the actual API-Key. This is because when we extract the incoming API-Key from the request, hashing methods that automatically handle salting (e.g. bcrypt) will produce different hashes for the same input, making it impossible to compare the incoming API-Key with the stored hash.

By using a separate lookup ID, we can identify the correct stored hash to compare against.

hashingStrategy

Defines a custom strategy for how API-Keys get hashed and checked.

delimiter

Used when constructing and parsing API-Keys. You might need to override this delimiter if you customized the secret-/ and or lookup-generation. See constructApiKey or parse for more detailed information.

constructApiKey

Constructs an API-Key which the Users supply to the API.

Each strategy determines how it combines the lookup ID with the secret itself, because lookup-/ and secret-generation are customizable leading to Vendure not enforcing a fixed delimiter.

The output of this function must be parsable via this strategys parse function.

parse

In order to allow users to send only one header with their API-Key, while still supporting a separate lookup ID, strategies must be able to parse provided tokens into both parts, more specifically this function must be able to parse the output of constructApiKey.

We do not force an arbitrary delimiter, for example a colon ':', because the secret itself and the lookup ID are both customizable and may conflict with it, hence the need for custom parsing.

Custom parsing also allows strategies to use special characters in their API-Keys, by requiring the token to be base64 encoded for example or include prefixes such as:

• 'test_', 'prod_'
• 'admin_', 'customer_'

to visually distinguish between keys more easily.

lastUsedAtUpdateInterval

The main use of the lastUsedAt-field is enabling the detection and invalidation of unused API-Keys. By default, every request which gets authorized by an API-Key persists the usage date. This might not be desirable for larger instances, due to the cost of frequent database writes.

Defining a longer duration, for example 15 minutes, means that the lastUsedAt field will only be written to in 15 minute intervals, resulting in considerably fewer database writes. This technically reduces the accuracy of the lastUsedAt-field but keep in mind that when looking for unused keys, what often matters is that a key has been used at all in the last days or weeks and not the specific second.

If passed as a number should represent milliseconds and if passed as a string describes a time span per zeit/ms. Eg: 5m, '1 hour', '10h'

hashingStrategy

generateSecret

generateLookupId

delimiter

lastUsedAtUpdateInterval

constructApiKey

parse

secretSize

lookupSize

hashingStrategy

generateSecret

generateLookupId