- Add strict username validation to prevent LDAP injection attacks
- Only allow alphanumeric characters, underscores, and hyphens in usernames
- Implement length limits and format validation for usernames
- Replace direct string interpolation with validated input in LDAP filters
- Update all logging to use sanitized username consistently
- Fix ESLint warnings for code style compliance
This prevents injection attacks like: *)(|(uid=admin that could bypass
authentication or allow user enumeration through malicious LDAP filters.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Security enhancement to prevent disabled users from using API keys:
- Auto-disable all API keys when user is disabled/deleted
- Add user status validation during API key authentication
- Prevent API usage even if key is active but user is disabled
- Add comprehensive logging for security audit trail
This ensures disabled users cannot bypass restrictions through
existing API keys and maintains system security integrity.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add isDeleted, deletedAt, deletedBy, deletedByType fields to getUserApiKeys service method
- Include deletion fields in user routes API keys response
- Add debug logging to dashboard component to troubleshoot deleted keys count
- Ensure frontend can properly identify and count deleted API keys
This fixes the issue where deleted API keys count was always showing 0
instead of the actual number of deleted keys.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add deleted API keys display to user's My API Keys view
- Show deleted status with gray indicator and "Deleted" badge
- Display deletion date and hide delete button for deleted keys
- Fix cost calculation in admin deleted API keys tab
- Add getCostStats call to properly populate cost data
- Support includeDeleted parameter in user API keys endpoint
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Redirect users to API Keys tab after login instead of overview
- Remove Token Limit and Daily Cost Limit from user API key details modal
- Implement soft delete for API keys to preserve usage statistics
- Add admin endpoint to view deleted API keys with metadata
- Track deletion metadata (deletedBy, deletedAt, deletedByType)
- Ensure deleted API keys cannot be restored
- Include deleted key stats in user totals while excluding from active count
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add comprehensive input validation for LDAP authentication:
- Validate bindDN, bindCredentials, userDN, and password parameters
- Add configuration validation during service initialization
- Enhanced error messages for missing/invalid LDAP settings
- Prevent "stringToWrite must be a string" errors from ldapjs client
- Added null/undefined checks for all LDAP credential parameters
This fixes authentication errors when LDAP configuration values
are missing, empty, or of incorrect type.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
