feat: create recoverable keys from dashboard

apps/dashboard/app/(app)/apis/[apiId]/keys/[keyAuthId]/new/client.tsx

@@ -46,11 +46,18 @@ export const dynamic = "force-dynamic";
 type Props = {
   apiId: string;
   keyAuthId: string;
+  storeEncryptedKeys: boolean;
   defaultBytes: number | null;
   defaultPrefix: string | null;
 };
 
-export const CreateKey = ({ apiId, keyAuthId, defaultBytes, defaultPrefix }: Props) => {
+export const CreateKey = ({
+  apiId,
+  keyAuthId,
+  storeEncryptedKeys,
+  defaultBytes,
+  defaultPrefix,
+}: Props) => {
   const router = useRouter();
   const form = useForm<z.infer<typeof formSchema>>({
     resolver: async (data, context, options) => {
@@ -67,6 +74,7 @@ export const CreateKey = ({ apiId, keyAuthId, defaultBytes, defaultPrefix }: Pro
       expireEnabled: false,
       limitEnabled: false,
       metaEnabled: false,
+      recoverEnabled: false,
       ratelimitEnabled: false,
     },
   });
@@ -105,6 +113,9 @@ export const CreateKey = ({ apiId, keyAuthId, defaultBytes, defaultPrefix }: Pro
     if (refill?.interval === "monthly" && !refill.refillDay) {
       refill.refillDay = 1;
     }
+    if (!values.recoverEnabled) {
+      setRecoverable(false);
+    }
 
     await key.mutateAsync({
       keyAuthId,
@@ -114,6 +125,7 @@ export const CreateKey = ({ apiId, keyAuthId, defaultBytes, defaultPrefix }: Pro
       ownerId: values.ownerId ?? undefined,
       remaining: values.limit?.remaining ?? undefined,
       refill: refill,
+      recoverEnabled: values.recoverEnabled,
       enabled: true,
     });
 
@@ -133,6 +145,7 @@ export const CreateKey = ({ apiId, keyAuthId, defaultBytes, defaultPrefix }: Pro
       : "*".repeat(split.at(0)?.length ?? 0);
   const [showKey, setShowKey] = useState(false);
   const [showKeyInSnippet, setShowKeyInSnippet] = useState(false);
+  const [recoverable, setRecoverable] = useState(false);
 
   const resetRateLimit = () => {
     // set them to undefined so the form resets properly.
@@ -170,9 +183,36 @@ export const CreateKey = ({ apiId, keyAuthId, defaultBytes, defaultPrefix }: Pro
             </div>
             <Alert>
               <AlertCircle className="w-4 h-4" />
-              <AlertTitle>This key is only shown once and can not be recovered </AlertTitle>
+              <AlertTitle>
+                {recoverable
+                  ? "This key can be recovered"
+                  : "This key is only shown once and cannot be recovered"}
+              </AlertTitle>
               <AlertDescription>
-                Please pass it on to your user or store it somewhere safe.
+                {recoverable ? (
+                  <>
+                    It can be recovered using endpoints{" "}
+                    <Link
+                      target="_blank"
+                      href="/docs/api-reference/keys/get"
+                      className="font-medium underline"
+                    >
+                      getKey
+                    </Link>{" "}
+                    and{" "}
+                    <Link
+                      target="_blank"
+                      href="/docs/api-reference/apis/list-keys"
+                      className="font-medium underline"
+                    >
+                      listKeys
+                    </Link>
+                    . Although we still recommend you to pass it on to your user or store it
+                    somewhere safe.
+                  </>
+                ) : (
+                  "Please pass it on to your user or store it somewhere safe."
+                )}
               </AlertDescription>
             </Alert>
             <Code className="flex items-center justify-between w-full gap-4 mt-2 my-8 ph-no-capture max-sm:text-xs sm:overflow-hidden">
@@ -209,6 +249,7 @@ export const CreateKey = ({ apiId, keyAuthId, defaultBytes, defaultPrefix }: Pro
                 form.setValue("expireEnabled", false);
                 form.setValue("ratelimitEnabled", false);
                 form.setValue("metaEnabled", false);
+                form.setValue("recoverEnabled", false);
                 form.setValue("limitEnabled", false);
                 router.refresh();
               }}
@@ -750,7 +791,57 @@ export const CreateKey = ({ apiId, keyAuthId, defaultBytes, defaultPrefix }: Pro
                         ) : null}
                       </CardContent>
                     </Card>
+                    {storeEncryptedKeys && (
+                      <Card>
+                        <CardContent className="justify-between w-full p-4 item-center">
+                          <div className="flex items-center justify-between w-full">
+                            <span>Recoverable</span>
+
+                            <FormField
+                              control={form.control}
+                              name="recoverEnabled"
+                              render={({ field }) => (
+                                <FormItem>
+                                  <FormLabel className="sr-only">Recoverable</FormLabel>
+                                  <FormControl>
+                                    <Switch
+                                      onCheckedChange={(e) => {
+                                        field.onChange(e);
+                                        setRecoverable(e);
+                                        if (field.value === false) {
+                                          resetLimited();
+                                        }
+                                      }}
+                                    />
+                                  </FormControl>
+                                </FormItem>
+                              )}
+                            />
+                          </div>
 
+                          {form.watch("recoverEnabled") ? (
+                            <>
+                              {form.formState.errors.ratelimit && (
+                                <p className="text-xs text-center text-content-alert">
+                                  {form.formState.errors.ratelimit.message}
+                                </p>
+                              )}
+                            </>
+                          ) : null}
+                          <p className="text-xs text-content-subtle">
+                            You can choose to recover and display plaintext keys later, though it's
+                            not recommended. Recoverable keys are securely stored in an encrypted
+                            vault. For more, visit{" "}
+                            <Link
+                              className="font-semibold"
+                              href={"unkey.com/docs/security/recovering-keys"}
+                            >
+                              unkey.com/docs/security/recovering-keys.
+                            </Link>
+                          </p>
+                        </CardContent>
+                      </Card>
+                    )}
                     <div className="w-full">
                       <Button
                         className="w-full"

apps/dashboard/app/(app)/apis/[apiId]/keys/[keyAuthId]/new/page.tsx

@@ -62,6 +62,7 @@ export default async function CreateKeypage(props: {
         <CreateKey
           keyAuthId={keyAuth.id}
           apiId={props.params.apiId}
+          storeEncryptedKeys={keyAuth.storeEncryptedKeys}
           defaultBytes={keyAuth.defaultBytes}
           defaultPrefix={keyAuth.defaultPrefix}
         />

apps/dashboard/app/(app)/apis/[apiId]/keys/[keyAuthId]/new/validation.ts

@@ -87,6 +87,7 @@ export const formSchema = z.object({
     .min(new Date(new Date().getTime() + 2 * 60000))
     .optional(),
   ratelimitEnabled: z.boolean().default(false),
+  recoverEnabled: z.boolean().default(false),
   ratelimit: z
     .object({
       async: z.boolean().default(false),

apps/dashboard/lib/trpc/routers/key/create.ts

@@ -1,8 +1,10 @@
 import { insertAuditLogs } from "@/lib/audit";
 import { db, schema } from "@/lib/db";
+import { env } from "@/lib/env";
 import { TRPCError } from "@trpc/server";
 import { newId } from "@unkey/id";
 import { newKey } from "@unkey/keys";
+import { type EncryptRequest, type RequestContext, Vault } from "@unkey/vault";
 import { z } from "zod";
 import { auth, t } from "../../trpc";
 
@@ -33,6 +35,7 @@ export const createKey = t.procedure
         })
         .optional(),
       enabled: z.boolean().default(true),
+      recoverEnabled: z.boolean().optional(),
       environment: z.string().optional(),
     }),
   )
@@ -110,7 +113,38 @@ export const createKey = t.procedure
           enabled: input.enabled,
           environment: input.environment,
         });
-
+        if (input.recoverEnabled && keyAuth?.storeEncryptedKeys) {
+          const vault = new Vault(env().AGENT_URL, env().AGENT_TOKEN);
+          const encryptReq: EncryptRequest = {
+            keyring: workspace?.id,
+            data: key,
+          };
+          const requestId = crypto.randomUUID();
+          const context: RequestContext = { requestId };
+          const vaultRes = await vault.encrypt(context, encryptReq).catch((err) => {
+            console.error(err);
+            throw new TRPCError({
+              code: "INTERNAL_SERVER_ERROR",
+              message: "Encryption Failed. Please contact support using support@unkey.dev",
+            });
+          });
+          await tx
+            .insert(schema.encryptedKeys)
+            .values({
+              keyId: keyId,
+              workspaceId: workspace.id,
+              encrypted: vaultRes.encrypted,
+              encryptionKeyId: vaultRes.keyId,
+            })
+            .catch((err) => {
+              console.error(err);
+              throw new TRPCError({
+                code: "INTERNAL_SERVER_ERROR",
+                message:
+                  "We are unable to store encrypted the key. Please contact support using support@unkey.dev",
+              });
+            });
+        }
         await insertAuditLogs(tx, {
           workspaceId: workspace.id,
           actor: { type: "user", id: ctx.user.id },