fix: Improve API key validation to prevent GitHub PAT acceptance#34
spenceriam wants to merge 1 commit into main from
Conversation
- Update API key validation to require 'sk-or-v1-' prefix instead of accepting 'sk-or-' or 'sk-'
- Add proper format checking in useSimpleApiKeyStorage hook
- Improve error messages for invalid keys
- Add validation in ModelSelector before fetching models
- Update placeholder text to reflect correct key format

Fixes #23
This PR is being reviewed by Cursor Bugbot
| error: 'Invalid API key format. OpenRouter keys must start with "sk-or-v1-"' | ||
| }) | ||
| return false | ||
| } |
Bug: Stale Invalid API Key Causes Inconsistent State
Early-return on invalid key format sets an error but does not clear a stored invalid API key or notify the parent via onApiKeyValidated(false), unlike other failure paths. This can leave a stale invalid key in sessionStorage and skip parent state updates (especially when autoTest triggers testApiKey), causing inconsistent UI/state compared to other error cases.
Pull Request Overview
This pull request updates the OpenRouter API key validation to enforce a stricter format requirement. The changes tighten validation from accepting multiple key formats (sk-or- or sk-) to only accepting the specific OpenRouter format sk-or-v1-, ensuring proper authentication with the OpenRouter API. Additionally, the version has been bumped to 0.5.5-beta and package-lock.json peer dependencies have been updated.
- Enforces strict OpenRouter API key format validation (sk-or-v1- prefix)
- Improves error messages with more specific authentication and network error handling
- Adds API key format validation check before making API calls
Reviewed Changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package-lock.json | Version bump to 0.5.5-beta and peer dependency updates |
| hooks/useSimpleApiKeyStorage.ts | Updated API key format validation to require sk-or-v1- prefix and exposed isValidFormat in return value |
| components/ApiKeyInput.tsx | Enhanced validation logic with stricter format checks and improved error messages for authentication, rate limiting, and network issues |
| components/ModelSelector.tsx | Added pre-flight API key format validation and enhanced error handling with specific error types |
Summary
Fixes critical security issue where GitHub PATs and other invalid keys were being accepted by the API key validation.
Changes Made
Testing
Fixes #23
Note
Require 'sk-or-v1-' API keys across input, storage, and model fetch with clearer errors and updated placeholders.
- components/ApiKeyInput.tsx: require the `sk-or-v1-` prefix before testing keys; update placeholder accordingly.
- components/ModelSelector.tsx: check `isValidFormat` before fetching models; surface specific error messages.
- hooks/useSimpleApiKeyStorage.ts: update `isValidFormat` to require `sk-or-v1-` and expose it to consumers.

Written by Cursor Bugbot for commit dab9d89.