
[APIP] Populate TokenId with hashed API-key #206

Merged: DDH13 merged 2 commits into wso2:main from DDH13:main.api-key on Jun 15, 2026

@DDH13 DDH13 commented Jun 15, 2026

Contributor

Related to wso2/api-platform#2131
This pull request introduces an enhancement to the API key authentication policy by including a hashed token identifier in the authentication process, along with dependency updates and a version bump.

API Key Authentication Enhancements:

  • Added a new field TokenId to the authentication context, which stores a SHA-256 hash of the provided API key for improved traceability and security. (policies/api-key-auth/apikey.go)
  • Imported the crypto/sha256 and encoding/hex packages to support the hashing functionality. (policies/api-key-auth/apikey.go)

Dependency and Version Updates:

  • Updated the Go version to 1.26.2 and bumped the github.com/wso2/api-platform/sdk/core dependency to v0.2.14. (policies/api-key-auth/go.mod)
  • Incremented the policy version from v1.0.3 to v1.0.4 in policy-definition.yaml.
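
The TokenId derivation described above, as an added example that is not code from this pull request or the wso2 repository. The `request` type, `pathsByToken` and the sample keys are constructed for illustration, and `keyedTokenID` is an assumed HMAC variant the PR does not use.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// tokenID follows the PR description: hex-encoded SHA-256 of the API key.
func tokenID(apiKey string) string {
	sum := sha256.Sum256([]byte(apiKey)) // bind the array so it can be sliced
	return hex.EncodeToString(sum[:])
}

// keyedTokenID is an assumed variant (not in the PR): HMAC-SHA256 under a
// gateway-held secret, so a reader of the logs cannot recompute the
// identifier from a guessed key.
func keyedTokenID(secret []byte, apiKey string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(apiKey))
	return hex.EncodeToString(mac.Sum(nil))
}

// request is a constructed sample record, not a type from the gateway SDK.
type request struct{ Path, APIKey string }

// pathsByToken groups request paths by TokenId, the correlation a log
// consumer can do without ever seeing the raw key.
func pathsByToken(reqs []request) map[string][]string {
	out := map[string][]string{}
	for _, r := range reqs {
		id := tokenID(r.APIKey)
		out[id] = append(out[id], r.Path)
	}
	return out
}

func main() {
	reqs := []request{ // constructed sample traffic
		{"/orders", "key-constructed-A"},
		{"/orders/7", "key-constructed-A"},
		{"/users", "key-constructed-B"},
	}
	for id, paths := range pathsByToken(reqs) {
		fmt.Printf("token_id=%s paths=%v\n", id, paths)
	}
}
```

The plain hash is stable for a given key, which is what makes it usable for tracing; the keyed variant trades that global stability for an identifier tied to one deployment's secret.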

coderabbitai Bot commented Jun 15, 2026

Contributor

Warning

Review limit reached

@DDH13, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 12 minutes and 29 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7283b944-c7ef-446a-bec4-caa258547a5a

📥 Commits

Reviewing files that changed from the base of the PR and between d76784d and 521eb4b.

📒 Files selected for processing (1)
  • policies/api-key-auth/apikey.go
📝 Walkthrough

The API key authentication policy is updated to compute a TokenId and store it in shared.AuthContext.Properties upon successful authentication. The value is the hex-encoded SHA-256 hash of the provided API key, using the newly imported crypto/sha256 and encoding/hex packages. Alongside this, go.mod bumps the Go toolchain to 1.26.2 and upgrades github.com/wso2/api-platform/sdk/core from v0.2.4 to v0.2.14. The policy definition version is incremented from v1.0.3 to v1.0.4.

Suggested Reviewers

  • pubudu538
  • malinthaprasan
  • Krishanx92
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Title check: ✅ Passed. The title accurately describes the main change: adding a hashed TokenId derived from the API key to the authentication context.
  • Description check: ✅ Passed. The description covers the main changes and includes a reference to the related issue, but lacks several required template sections like Purpose, Goals, Approach, and formal documentation/testing details.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Contributor


🧹 Nitpick comments (1)
policies/api-key-auth/apikey.go (1)

233-233: ⚡ Quick win

Extract TokenId computation to a named variable or helper for improved readability.

The inline anonymous function is syntactically correct but not idiomatic Go. Consider computing the hash before struct creation:

// Option 1: Compute inline
sum := sha256.Sum256([]byte(providedKey)) // Sum256 returns an array; bind it so it can be sliced
tokenId := hex.EncodeToString(sum[:])
shared.AuthContext = &policy.AuthContext{
    // ...
    TokenId: tokenId,
}

// Option 2: Extract to helper (if reused)
func computeTokenId(key string) string {
    sum := sha256.Sum256([]byte(key))
    return hex.EncodeToString(sum[:])
}

This improves clarity and follows Go conventions for struct initialization.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@policies/api-key-auth/apikey.go` at line 233, Extract the TokenId computation
from the inline anonymous function into a simple variable assignment before
struct initialization. Compute the SHA256 hash of the providedKey, encode it as
hex, and assign it to a tokenId variable, then use that variable in the TokenId
field of the AuthContext struct initialization. This replaces the anonymous
function call with a straightforward variable reference, making the code more
readable and idiomatic to Go conventions.

Source: Coding guidelines

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4150d472-c176-4677-9763-e568519dea5a

📥 Commits

Reviewing files that changed from the base of the PR and between 2577899 and d76784d.

⛔ Files ignored due to path filters (1)
  • policies/api-key-auth/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • policies/api-key-auth/apikey.go
  • policies/api-key-auth/go.mod
  • policies/api-key-auth/policy-definition.yaml

Refactored TokenId generation into a separate function for better readability and reusability.
@DDH13 DDH13 merged commit 7215bd4 into wso2:main Jun 15, 2026
4 checks passed