@orhanrauf orhanrauf commented Oct 28, 2025

Summary

This PR addresses the CASA-11 security requirement by removing API keys from URL query parameters in all Donke API calls.

Changes

Updated 3 Donke API calls to use Azure Functions' native x-functions-key header authentication instead of exposing the API key in URL query parameters (?code=).

Files Modified:

  • backend/airweave/billing/webhook_handler.py (2 locations)
    • _notify_donke_subscription function
    • _send_team_welcome_email function
  • backend/airweave/api/v1/endpoints/organizations.py (1 location)
    • _notify_donke_signup function

Security Impact

No more API keys in URLs - Prevents exposure in:

  • Server access logs
  • Browser history
  • Network monitoring tools
  • HTTP referrer headers
  • Debugging/error logs

Azure Functions native support - Both methods (?code= and x-functions-key header) are officially supported by AuthLevel.FUNCTION, no Donke changes required.

Testing

Please test:

  1. Organization signup flow → verify Slack notification arrives
  2. Paid subscription creation → verify Slack notification arrives
  3. Team plan subscription → verify welcome email is scheduled
  4. Review server logs to confirm API keys are no longer visible in URLs

References


Summary by cubic

Removed API keys from Donke API URLs by switching to x-functions-key header auth to satisfy CASA-11. Prevents key exposure in logs, referrers, and history; addresses Linear ENG-165.

  • Changes
    • Replaced ?code= with x-functions-key in three Donke calls: notify-signup, notify-subscription, send-team-welcome-email.
    • Uses Azure Functions AuthLevel.FUNCTION; no Donke-side changes needed.

Replace ?code= query parameter with x-functions-key header in all Donke
API calls to comply with CASA-11 security requirements.

Changes:
- webhook_handler.py: Update notify-subscription and send-team-welcome-email calls
- organizations.py: Update notify-signup call

Azure Functions with AuthLevel.FUNCTION natively support both query param
and header authentication. This change prevents API key exposure in server
logs, browser history, and network monitoring tools.

Fixes: ENG-165
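
An added example, not part of this PR or the airweave code base: the query-string form of a Donke call next to the header form described above, plus a log check for step 4 of the testing list. The host name, key value, log lines and the use of the standard-library `urllib` are constructed assumptions.

```python
import re
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values (assumptions): placeholder host and key, not airweave's.
DONKE_URL = "https://donke.example.invalid/api/notify-signup"
API_KEY = "CONSTRUCTED-KEY-0000"
JSON = {"Content-Type": "application/json"}


def build_query_request(url, key, body):
    """Before: the function key rides in the URL as ?code=<key>."""
    return urllib.request.Request(
        f"{url}?{urlencode({'code': key})}", data=body, headers=JSON, method="POST"
    )


def build_header_request(url, key, body):
    """After: the same key sent in the x-functions-key request header."""
    headers = {**JSON, "x-functions-key": key}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def url_carries_key(url):
    """True when the URL has a non-empty code= query parameter."""
    return bool(parse_qs(urlsplit(url).query).get("code"))


# Matches code=<value> only when it starts a query parameter (after ? or &).
CODE_PARAM = re.compile(r'([?&]code=)([^&\s"]+)', re.IGNORECASE)


def audit_log_lines(lines):
    """Return (line_number, redacted_line) for each line exposing code=<key>."""
    return [
        (n, CODE_PARAM.sub(r"\1[REDACTED]", line))
        for n, line in enumerate(lines, 1)
        if CODE_PARAM.search(line)
    ]


# Constructed access-log lines: old style, new style, and a look-alike parameter.
SAMPLE_LOG = [
    '"POST /api/notify-signup?code=CONSTRUCTED-KEY-0000 HTTP/1.1" 200',
    '"POST /api/notify-subscription HTTP/1.1" 200',
    '"GET /api/items?barcode=123 HTTP/1.1" 200',
]
```

`audit_log_lines` returns its findings already redacted, so the output can be pasted into a ticket without repeating the key.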

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 2 files

@orhanrauf orhanrauf changed the title from "security: Remove API key from Donke URL query parameters (CASA-11)" to "security(CASA-11): Remove API key from Donke URL query parameters" Oct 28, 2025
@orhanrauf orhanrauf changed the title from "security(CASA-11): Remove API key from Donke URL query parameters" to "security(CASA-11): remove API key from donke URL query parameters" Oct 28, 2025