Description
In verifyApiKey.js the entire Project lean document is written to Redis via setProjectByApiKeyCache. When an admin updates allowedDomains (the CORS restriction) in the dashboard, that cache entry is not invalidated, so CORS checks keep using the old domain list until the entry's TTL expires. A domain removed from allowedDomains therefore keeps API access for the remainder of the TTL window. Because the whole document is cached, jwtSecret is also stored in plaintext in Redis, which widens the blast radius if Redis is compromised or its contents are exposed.
Steps to Reproduce
Set allowedDomains to ['https://trusted-site.com'] for a project.
Make one API call — result is cached.
In the dashboard, update allowedDomains to ['https://new-site.com'].
Immediately call from https://trusted-site.com — it is still allowed (cache hit with old list).
Expected Behaviour
Updating allowedDomains in the dashboard should invalidate the per-project API key cache so the new CORS policy takes effect immediately, or the cache TTL should be documented and surfaced to users.
Actual Behaviour
Stale allowedDomains are served from cache after the project configuration is updated, allowing formerly-allowed origins to bypass the updated CORS policy.
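The reproduction above, as an added example that is not the project's own code: a Map-backed stand-in for the Redis client (synchronous, so it runs offline), a hypothetical in-memory project store, and two variants of the cache and update paths. The names setProjectByApiKeyCache and verifyApiKey come from the issue; everything else (the cache key format, the FakeRedis class, the update helpers) is assumed for illustration. The vulnerable variant caches the whole document and never deletes the entry; the hardened variant strips jwtSecret before caching and deletes the entry when allowedDomains changes.

```javascript
// Added example, not code from the project under discussion.
// Map-backed stand-in for a Redis client so the bug can be shown offline.
// Real clients are async; this one is synchronous to keep the demo simple.
class FakeRedis {
  constructor() { this.store = new Map(); }
  get(key) { return this.store.has(key) ? this.store.get(key) : null; }
  set(key, value) { this.store.set(key, value); return 'OK'; }
  del(key) { return this.store.delete(key) ? 1 : 0; }
}

// Hypothetical primary store (the real one is a Mongoose lean document).
const db = new Map(); // apiKey -> project record

// Assumed cache key layout; the project's actual key format is not known.
const cacheKey = (apiKey) => `project:apiKey:${apiKey}`;

// Pattern the issue describes: the entire document, jwtSecret included,
// is serialised into Redis and nothing ever removes it.
function setProjectByApiKeyCacheVulnerable(redis, apiKey, project) {
  redis.set(cacheKey(apiKey), JSON.stringify(project));
}

// Hardened: cache only the fields the middleware needs; the secret stays
// in the primary store.
function setProjectByApiKeyCacheHardened(redis, apiKey, project) {
  const { jwtSecret, ...publicFields } = project;
  redis.set(cacheKey(apiKey), JSON.stringify(publicFields));
}

function getProjectByApiKeyCache(redis, apiKey) {
  const raw = redis.get(cacheKey(apiKey));
  return raw ? JSON.parse(raw) : null;
}

// Read-through lookup as an API-key middleware would do it.
function verifyApiKey(redis, apiKey, setCache) {
  const cached = getProjectByApiKeyCache(redis, apiKey);
  if (cached) return cached;
  const project = db.get(apiKey);
  if (!project) return null;
  setCache(redis, apiKey, project);
  return project;
}

// CORS origin check: exact match against the project's allowedDomains.
function originAllowed(project, origin) {
  return project.allowedDomains.includes(origin);
}

// Dashboard update as the issue describes it: writes the store, touches no cache.
function updateAllowedDomainsNoInvalidate(redis, apiKey, domains) {
  db.get(apiKey).allowedDomains = domains;
}

// Fix: write the store, then delete the per-project cache entry in the same call.
function updateAllowedDomainsInvalidate(redis, apiKey, domains) {
  db.get(apiKey).allowedDomains = domains;
  redis.del(cacheKey(apiKey));
}

// Runs the issue's four reproduction steps with the given cache/update pair
// and reports what the request from the removed origin sees afterwards.
function reproduce({ setCache, updateDomains }) {
  const redis = new FakeRedis();
  const apiKey = 'key-123'; // constructed sample data
  db.set(apiKey, {
    id: 'p1',
    allowedDomains: ['https://trusted-site.com'],
    jwtSecret: 's3cr3t-do-not-cache',
  });

  const first = verifyApiKey(redis, apiKey, setCache); // step 2: populates the cache
  const firstAllowed = originAllowed(first, 'https://trusted-site.com');

  updateDomains(redis, apiKey, ['https://new-site.com']); // step 3

  const second = verifyApiKey(redis, apiKey, setCache); // step 4
  const cachedRaw = redis.get(cacheKey(apiKey));
  return {
    firstAllowed,
    staleAllowed: originAllowed(second, 'https://trusted-site.com'),
    newAllowed: originAllowed(second, 'https://new-site.com'),
    secretInCache: cachedRaw !== null && cachedRaw.includes('s3cr3t'),
  };
}

const vulnerable = {
  setCache: setProjectByApiKeyCacheVulnerable,
  updateDomains: updateAllowedDomainsNoInvalidate,
};
const hardened = {
  setCache: setProjectByApiKeyCacheHardened,
  updateDomains: updateAllowedDomainsInvalidate,
};
```

With the vulnerable pair, reproduce(vulnerable) reports the removed origin still allowed and the secret present in the cache entry; with the hardened pair, the removed origin is rejected on the very next request and the cached JSON carries no jwtSecret. Deleting the key on update is the simplest correct choice here: overwriting it with the new document also works, but leaves a window if the write to Redis fails after the database write succeeds, whereas a missed delete only costs one extra read-through.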