From 7032dc1f46bceaa5e48461bc41357c95d8fe1e66 Mon Sep 17 00:00:00 2001
From: Rauf Akdemir
Date: Tue, 28 Oct 2025 13:11:46 +0100
Subject: [PATCH] security: remove API key from Donke URL query parameters
Replace ?code= query parameter with x-functions-key header in all Donke API calls to comply with CASA-11 security requirements.
Changes:
- webhook_handler.py: Update notify-subscription and send-team-welcome-email calls
- organizations.py: Update notify-signup call
Azure Functions with AuthLevel.FUNCTION natively support both query param and header authentication. This change prevents API key exposure in server logs, browser history, and network monitoring tools.
Fixes: ENG-165
---
 backend/airweave/api/v1/endpoints/organizations.py | 3 ++-
 backend/airweave/billing/webhook_handler.py | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/backend/airweave/api/v1/endpoints/organizations.py b/backend/airweave/api/v1/endpoints/organizations.py
index 948ed5cd6..c1f862733 100644
--- a/backend/airweave/api/v1/endpoints/organizations.py
+++ b/backend/airweave/api/v1/endpoints/organizations.py
@@ -694,9 +694,10 @@ async def _notify_donke_signup(
 # Simple HTTP call to Donke (uses Azure app key)
 async with httpx.AsyncClient() as client:
 await client.post(
- f"{settings.DONKE_URL}/api/notify-signup?code={settings.DONKE_API_KEY}",
+ f"{settings.DONKE_URL}/api/notify-signup",
 headers={
 "Content-Type": "application/json",
+ "x-functions-key": settings.DONKE_API_KEY,
 },
 json={
 "organization_name": organization.name,
diff --git a/backend/airweave/billing/webhook_handler.py b/backend/airweave/billing/webhook_handler.py
index 260cf3d97..8245d7c62 100644
--- a/backend/airweave/billing/webhook_handler.py
+++ b/backend/airweave/billing/webhook_handler.py
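Review bot: The `Content-Type`/`x-functions-key` pair added to `headers=` here is hand-built identically at the two `client.post` calls in webhook_handler.py as well, so nothing prevents a future call site from drifting back to the `?code=` form; a single helper such as `def _donke_headers() -> dict[str, str]: return {"Content-Type": "application/json", "x-functions-key": settings.DONKE_API_KEY}` would keep the authentication mechanism in one place for all three. The failure mode for an unset key also changes with this hunk: the old f-string sent the literal text `None` in the URL and got a 4xx back from Donke, whereas httpx (as far as I recall) rejects a non-`str`/`bytes` header value with a `TypeError` before any request is sent, so `_notify_donke_signup` would now fail locally — acceptable, but then `settings.DONKE_API_KEY` should be validated as non-empty at settings load rather than discovered at the first signup. The body of `_notify_donke_signup` starts and ends outside the hunk, so I cannot see whether a caller catches that exception.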
@@ -941,9 +941,10 @@ async def _notify_donke_subscription(
 try:
 async with httpx.AsyncClient() as client:
 await client.post(
- f"{settings.DONKE_URL}/api/notify-subscription?code={settings.DONKE_API_KEY}",
+ f"{settings.DONKE_URL}/api/notify-subscription",
 headers={
 "Content-Type": "application/json",
+ "x-functions-key": settings.DONKE_API_KEY,
 },
 json={
 "organization_name": org.name,
@@ -1012,9 +1013,10 @@ async def _send_team_welcome_email(
 # Call Donke to send the welcome email
 async with httpx.AsyncClient() as client:
 await client.post(
- f"{settings.DONKE_URL}/api/send-team-welcome-email?code={settings.DONKE_API_KEY}",
+ f"{settings.DONKE_URL}/api/send-team-welcome-email",
 headers={
 "Content-Type": "application/json",
+ "x-functions-key": settings.DONKE_API_KEY,
 },
 json={
 "organization_name": org.name,
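Review bot: Moving the key into `headers=` inside this `try:` changes where it can leak on failure, and the `except` that closes the block is outside the hunk: an `httpx.HTTPStatusError` or `RequestError` carries `.request`, whose `.url` no longer holds the key but whose `.headers` now does, so the handler must log at most the URL and status and never the request headers. Note that httpx's `Headers` repr redacts only `authorization`/`proxy-authorization` (to my recollection), so `x-functions-key` would print in clear if the headers object reaches a log line. The same applies to the `_send_team_welcome_email` hunk below, whose surrounding error handling is likewise not visible here; a one-line comment on the header, `# secret: never log request headers from this call`, would make the constraint explicit at both sites. `_notify_donke_subscription` starts and ends outside the hunk.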