From 56016a61243cf280b2c7d3f65698a0d37b55487c Mon Sep 17 00:00:00 2001
From: Michael Freno
Date: Tue, 12 May 2026 12:42:42 -0400
Subject: [PATCH] Fix P1 security findings for FRE-4806

- Add DD_API_KEY and DD_SITE to Zod validation schema (config.ts)
- Truncate API key before storing in user.id to prevent Sentry leak (auth.middleware.ts)
---
 packages/api/src/middleware/auth.middleware.ts | 5 +++--
 packages/monitoring/src/config.ts | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/packages/api/src/middleware/auth.middleware.ts b/packages/api/src/middleware/auth.middleware.ts
index 738193b..6c82566 100644
--- a/packages/api/src/middleware/auth.middleware.ts
+++ b/packages/api/src/middleware/auth.middleware.ts
@@ -46,9 +46,10 @@ export async function authMiddleware(fastify: FastifyInstance) {
 if (apiKey) {
 // In production, validate API key against database
 authReq.apiKey = apiKey;
+ const apiKeyPrefix = apiKey.slice(0, 8);
 authReq.user = {
- id: `api-${apiKey}`,
- email: `api-${apiKey}@services.internal`,
+ id: `api-${apiKeyPrefix}...`,
+ email: `api-${apiKeyPrefix}@services.internal`,
 role: 'service',
 };
 authReq.authType = 'api-key';
diff --git a/packages/monitoring/src/config.ts b/packages/monitoring/src/config.ts
index cc9495f..1a04dbd 100644
--- a/packages/monitoring/src/config.ts
+++ b/packages/monitoring/src/config.ts
@@ -7,6 +7,8 @@ const monitoringEnvSchema = z.object({
 DD_TRACE_ENABLED: z.string().default('true'),
 DD_TRACE_SAMPLE_RATE: z.string().transform((v) => Number(v)).default('1.0'),
 DD_LOGS_INJECTION: z.string().default('true'),
+ DD_API_KEY: z.string().default(''),
+ DD_SITE: z.string().default('datadoghq.com'),
 DD_AGENT_HOST: z.string().default('localhost'),
 DD_AGENT_PORT: z.string().transform((v) => Number(v)).default('8126'),
 SENTRY_DSN: z.string().default(''),
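Review bot: The new `apiKeyPrefix` still places the first 8 characters of the secret into `authReq.user.id` and `authReq.user.email`, and `authReq.apiKey = apiKey` on the line above keeps the full key on the request object, so anything that serialises the request or the user (Sentry user context, access logs, error payloads) can still capture key material. A non-reversible identifier avoids both problems: `import { createHash } from 'node:crypto';` at the top of the file and `const apiKeyId = createHash('sha256').update(apiKey).digest('hex').slice(0, 12);` in place of the prefix, with the full key read only at the point where it is verified. The surviving `// In production, validate API key against database` comment also still describes a missing check: any non-empty key value currently yields `role: 'service'` without verification, which this commit does not address and is a larger finding than the identifier leak. `authMiddleware` begins and ends outside the hunk.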
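Review bot: `DD_API_KEY: z.string().default('')` makes the parsed config object carry a secret, so the output of `getMonitoringConfig()` must no longer be logged or attached to error reports; a comment above the new line such as `// Secret: never log the parsed config or pass it to Sentry/console` would make that visible to callers. `DD_SITE` decides which host the key is sent to, so leaving it an unconstrained string lets a mistyped or tampered environment variable redirect the key; a hostname-shaped check like `DD_SITE: z.string().regex(/^[a-z0-9.-]+$/).default('datadoghq.com')` at least rejects URLs and paths. The schema also accepts an empty key silently, matching `SENTRY_DSN` just below; if Datadog export is expected whenever `DD_TRACE_ENABLED` is true, the empty case deserves a startup warning rather than a quiet no-op. The second hunk in this file only mirrors the two keys into `process.env` lookups and raises no separate point.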
@@ -25,6 +27,8 @@ export function getMonitoringConfig(): MonitoringConfig {
 DD_TRACE_ENABLED: process.env.DD_TRACE_ENABLED,
 DD_TRACE_SAMPLE_RATE: process.env.DD_TRACE_SAMPLE_RATE,
 DD_LOGS_INJECTION: process.env.DD_LOGS_INJECTION,
+ DD_API_KEY: process.env.DD_API_KEY,
+ DD_SITE: process.env.DD_SITE,
 DD_AGENT_HOST: process.env.DD_AGENT_HOST,
 DD_AGENT_PORT: process.env.DD_AGENT_PORT,
 SENTRY_DSN: process.env.SENTRY_DSN,