( workspaceId: string | undefined | null, providerId: BYOKProviderId )
| 41 | * and reading fresh keeps revocation immediate across ECS tasks. |
| 42 | */ |
| 43 | export async function getBYOKKey( |
| 44 | workspaceId: string | undefined | null, |
| 45 | providerId: BYOKProviderId |
| 46 | ): Promise<BYOKKeyResult | null> { |
| 47 | if (!workspaceId) { |
| 48 | return null |
| 49 | } |
| 50 | |
| 51 | try { |
| 52 | const keys = await db |
| 53 | .select({ id: workspaceBYOKKeys.id, encryptedApiKey: workspaceBYOKKeys.encryptedApiKey }) |
| 54 | .from(workspaceBYOKKeys) |
| 55 | .where( |
| 56 | and( |
| 57 | eq(workspaceBYOKKeys.workspaceId, workspaceId), |
| 58 | eq(workspaceBYOKKeys.providerId, providerId) |
| 59 | ) |
| 60 | ) |
| 61 | .orderBy(asc(workspaceBYOKKeys.createdAt), asc(workspaceBYOKKeys.id)) |
| 62 | |
| 63 | if (!keys.length) { |
| 64 | return null |
| 65 | } |
| 66 | |
| 67 | const startIndex = nextRotationIndex(`${workspaceId}:${providerId}`, keys.length) |
| 68 | for (let offset = 0; offset < keys.length; offset++) { |
| 69 | const key = keys[(startIndex + offset) % keys.length] |
| 70 | try { |
| 71 | const { decrypted } = await decryptSecret(key.encryptedApiKey) |
| 72 | return { apiKey: decrypted, isBYOK: true } |
| 73 | } catch (error) { |
| 74 | logger.error('Failed to decrypt BYOK key, skipping', { |
| 75 | workspaceId, |
| 76 | providerId, |
| 77 | keyId: key.id, |
| 78 | error, |
| 79 | }) |
| 80 | } |
| 81 | } |
| 82 | |
| 83 | return null |
| 84 | } catch (error) { |
| 85 | logger.error('Failed to get BYOK key', { workspaceId, providerId, error }) |
| 86 | return null |
| 87 | } |
| 88 | } |
| 89 | |
| 90 | export async function getApiKeyWithBYOK( |
| 91 | provider: string, |
no test coverage detected