in packages/better-auth/src/plugins/api-key/index.ts [139:223]
handler: createAuthMiddleware(async (ctx) => {
const key = getter(ctx)!;
if (typeof key !== "string") {
throw new APIError("BAD_REQUEST", {
message: ERROR_CODES.INVALID_API_KEY_GETTER_RETURN_TYPE,
});
}
if (key.length < opts.defaultKeyLength) {
// if the key is shorter than the default key length, than we know the key is invalid.
// we can't check if the key is exactly equal to the default key length, because
// a prefix may be added to the key.
throw new APIError("FORBIDDEN", {
message: ERROR_CODES.INVALID_API_KEY,
});
}
if (
opts.customAPIKeyValidator &&
!opts.customAPIKeyValidator({ ctx, key })
) {
throw new APIError("FORBIDDEN", {
message: ERROR_CODES.INVALID_API_KEY,
});
}
const hashed = opts.disableKeyHashing
? key
: await defaultKeyHasher(key);
const apiKey = await validateApiKey({
hashedKey: hashed,
ctx,
opts,
schema,
});
await deleteAllExpiredApiKeys(ctx.context);
let user: User;
try {
const userResult = await ctx.context.internalAdapter.findUserById(
apiKey.userId,
);
if (!userResult) {
throw new APIError("UNAUTHORIZED", {
message: ERROR_CODES.INVALID_USER_ID_FROM_API_KEY,
});
}
user = userResult;
} catch (error) {
throw error;
}
const session = {
user,
session: {
id: apiKey.id,
token: key,
userId: user.id,
userAgent: ctx.request?.headers.get("user-agent") ?? null,
ipAddress: ctx.request
? getIp(ctx.request, ctx.context.options)
: null,
createdAt: new Date(),
updatedAt: new Date(),
expiresAt:
apiKey.expiresAt ||
getDate(
ctx.context.options.session?.expiresIn || 60 * 60 * 24 * 7, // 7 days
"ms",
),
},
};
ctx.context.session = session;
if (ctx.path === "/get-session") {
return session;
} else {
return {
context: ctx,
};
}
}),