Merge fix/security-audit: RBAC/API-key-hash/cookie hardening

app/main.py

@@ -27,7 +27,7 @@ app.add_middleware(
     secret_key=settings.SECRET_KEY,
     session_cookie="hf_oidc",
     same_site="lax",
-    https_only=False,
+    https_only=settings.SESSION_COOKIE_SECURE,
     max_age=600,
 )
 
@@ -451,6 +451,19 @@ def _migrate_schema():
                     "CREATE INDEX idx_time_slots_special_slot_id ON time_slots (special_slot_id)"
                 ))
 
+        # --- api_keys: migrate legacy plaintext `key` -> hashed `key_hash` ---
+        # Only runs on deployments that still have the old plaintext column;
+        # fresh installs get key_hash/key_prefix directly from create_all.
+        if _has_table(db, "api_keys") and _has_column(db, "api_keys", "key"):
+            if not _has_column(db, "api_keys", "key_hash"):
+                db.execute(text("ALTER TABLE api_keys ADD COLUMN key_hash VARCHAR(64) NULL"))
+            if not _has_column(db, "api_keys", "key_prefix"):
+                db.execute(text("ALTER TABLE api_keys ADD COLUMN key_prefix VARCHAR(16) NULL"))
+            db.execute(text("ALTER TABLE api_keys MODIFY COLUMN `key` VARCHAR(64) NULL"))
+            db.execute(text("UPDATE api_keys SET key_hash = SHA2(`key`, 256), key_prefix = LEFT(`key`, 8) WHERE key_hash IS NULL AND `key` IS NOT NULL"))
+            db.execute(text("UPDATE api_keys SET `key` = NULL WHERE `key` IS NOT NULL"))
+            _ensure_unique_index(db, "api_keys", "idx_api_keys_key_hash", "key_hash")
+
         # --- schedule_type_special_slots: create-table is handled by
         # Base.metadata.create_all on first boot; no migration needed here
         # because there is no legacy table to evolve. Future schema bumps