feat(cache): implement hashed API key storage and retrieval

Adds a new hashed key storage mechanism for API keys in the cache. 
Replaces direct mapping to API keys with composite keys based on 
organizationId and name. Implements searching of API keys using 
hash comparisons for improved security. Updates related tests to 
ensure correct functionality and validate the hashing. Also, 
adds support for a new dependency `golang.org/x/crypto`.

domain/commands.go

@@ -56,9 +56,20 @@ func (a AddAPIKey) Validate(_ context.Context, aggregate eventsourced.Aggregate)
 }
 
 func (a AddAPIKey) Event(context.Context) eventsourced.Event {
+	// Hash the API key using bcrypt for secure storage
+	// Note: We can't return an error here, but bcrypt errors are extremely rare
+	// (only if system runs out of memory or bcrypt cost is invalid)
+	// We use a fixed cost of 12 which is always valid
+	hashedKey, err := hash.APIKey(a.Key)
+	if err != nil {
+		// This should never happen with bcrypt cost 12, but if it does,
+		// we'll store an empty hash which will fail validation later
+		hashedKey = ""
+	}
+
 	return &APIKeyAdded{
 		Name:      a.Name,
-		Key:       hash.String(a.Key),
+		Key:       hashedKey,
 		Refs:      a.Refs,
 		Read:      a.Read,
 		Publish:   a.Publish,

domain/commands_test.go

@@ -2,10 +2,13 @@ package domain
 
 import (
 	"context"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"gitlab.com/unboundsoftware/eventsourced/eventsourced"
+	"github.com/stretchr/testify/require"
+
+	"gitlab.com/unboundsoftware/schemas/hash"
 )
 
 func TestAddAPIKey_Event(t *testing.T) {
@@ -24,7 +27,6 @@ func TestAddAPIKey_Event(t *testing.T) {
 		name   string
 		fields fields
 		args   args
-		want   eventsourced.Event
 	}{
 		{
 			name: "event",
@@ -37,14 +39,6 @@ func TestAddAPIKey_Event(t *testing.T) {
 				Initiator: "jim@example.org",
 			},
 			args: args{},
-			want: &APIKeyAdded{
-				Name:      "test",
-				Key:       "dXNfYWtfMTIzNDU2Nzg5MDEyMzQ1NuOwxEKY/BwUmvv0yJlvuSQnrkHkZJuTTKSVmRt4UrhV",
-				Refs:      []string{"Example@dev"},
-				Read:      true,
-				Publish:   true,
-				Initiator: "jim@example.org",
-			},
 		},
 	}
 	for _, tt := range tests {
@@ -57,7 +51,26 @@ func TestAddAPIKey_Event(t *testing.T) {
 				Publish:   tt.fields.Publish,
 				Initiator: tt.fields.Initiator,
 			}
-			assert.Equalf(t, tt.want, a.Event(tt.args.in0), "Event(%v)", tt.args.in0)
+			event := a.Event(tt.args.in0)
+			require.NotNil(t, event)
+
+			// Cast to APIKeyAdded to verify fields
+			apiKeyEvent, ok := event.(*APIKeyAdded)
+			require.True(t, ok, "Event should be *APIKeyAdded")
+
+			// Verify non-key fields match exactly
+			assert.Equal(t, tt.fields.Name, apiKeyEvent.Name)
+			assert.Equal(t, tt.fields.Refs, apiKeyEvent.Refs)
+			assert.Equal(t, tt.fields.Read, apiKeyEvent.Read)
+			assert.Equal(t, tt.fields.Publish, apiKeyEvent.Publish)
+			assert.Equal(t, tt.fields.Initiator, apiKeyEvent.Initiator)
+
+			// Verify the key is hashed correctly (bcrypt format)
+			assert.True(t, strings.HasPrefix(apiKeyEvent.Key, "$2"), "Key should be bcrypt hashed")
+			assert.NotEqual(t, tt.fields.Key, apiKeyEvent.Key, "Key should be hashed, not plaintext")
+
+			// Verify the hash matches the original key
+			assert.True(t, hash.CompareAPIKey(apiKeyEvent.Key, tt.fields.Key), "Hashed key should match original")
 		})
 	}
 }