mirror of
https://github.com/DeBrosOfficial/orama.git
synced 2026-06-16 22:54:12 +00:00
The namespace-ownership middleware compared an api_key caller's RAW key against namespace_ownership.owner_id, but api_keys are stored HMAC-hashed (HashAPIKey). So every api_key-authenticated owner got a 403 on a namespace they actually own — blocking function deploy and PUT /v1/push/config. Hash the presented api_key before the ownership comparison (hashed first, raw second as a rolling-upgrade legacy fallback), mirroring the existing lookupAPIKeyNamespace pattern. The wallet path is unchanged (wallets stored raw). Security-reviewed: grants only to the correct key holder, no escalation.
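The comparison order the commit message describes, as an added example that is not the project's code: `hashAPIKey` is a hypothetical stand-in for `HashAPIKey` (assumed here to be hex-encoded HMAC-SHA256 under a server secret), and `ownsNamespace`, `rawOnlyOwnsNamespace`, the auth-type strings and all sample values are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// hashAPIKey is a hypothetical stand-in for the project's HashAPIKey.
// Assumption: hex(HMAC-SHA256(serverSecret, rawKey)).
func hashAPIKey(secret []byte, rawKey string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(rawKey))
	return hex.EncodeToString(m.Sum(nil))
}

// constEq compares two strings without an early exit on the first mismatch.
func constEq(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// rawOnlyOwnsNamespace models the pre-fix check: raw credential vs stored owner_id.
func rawOnlyOwnsNamespace(credential, ownerID string) bool {
	return constEq(credential, ownerID)
}

// ownsNamespace models the post-fix check. api_key callers are matched on the
// hashed key first, then on the raw key as a legacy fallback; wallets stay raw.
func ownsNamespace(secret []byte, authType, credential, ownerID string) bool {
	if credential == "" || ownerID == "" {
		return false // an empty value must never match an empty owner_id
	}
	switch authType {
	case "api_key":
		hashed := constEq(hashAPIKey(secret, credential), ownerID)
		legacy := constEq(credential, ownerID)
		return hashed || legacy
	case "wallet":
		return constEq(credential, ownerID)
	}
	return false
}

func main() {
	secret, key := []byte("constructed-server-secret"), "ak_constructed_example"
	ownerID := hashAPIKey(secret, key) // what the ownership row stores for this key
	fmt.Println("pre-fix owner check: ", rawOnlyOwnsNamespace(key, ownerID))
	fmt.Println("post-fix owner check:", ownsNamespace(secret, "api_key", key, ownerID))
}
```
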