From 1ef2b6903dbaeb07d026aa0170e398293aa7f83c Mon Sep 17 00:00:00 2001
From: lc6464 <64722907+lc6464@users.noreply.github.com>
Date: Tue, 24 Mar 2026 13:54:04 +0800
Subject: [PATCH] test(web): add percentage checking of characters displaying
 in APIKey

---
 web/backend/api/models.go      |  2 +-
 web/backend/api/models_test.go | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/web/backend/api/models.go b/web/backend/api/models.go
index 142363079..64a7b5f1f 100644
--- a/web/backend/api/models.go
+++ b/web/backend/api/models.go
@@ -311,7 +311,7 @@ func (h *Handler) handleSetDefaultModel(w http.ResponseWriter, r *http.Request)
 // Keys 9-12 chars show prefix + last 2 chars: "sk-****cd".
 // Shorter keys are fully masked as "****".
 // Empty keys return empty string.
-// Ensure at least 40% of the key is masked.
+// Ensure at least 40% of the key will not be displayed.
 func maskAPIKey(key string) string {
 	if key == "" {
 		return ""
diff --git a/web/backend/api/models_test.go b/web/backend/api/models_test.go
index 5378e986e..0127ce675 100644
--- a/web/backend/api/models_test.go
+++ b/web/backend/api/models_test.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -365,6 +366,24 @@ func TestMaskAPIKey(t *testing.T) {
 			if got != tc.want {
 				t.Fatalf("maskAPIKey(%q) = %q, want %q", tc.key, got, tc.want)
 			}
+
+			if tc.key != "" {
+				displayed := strings.Replace(tc.want, "****", "", 1)
+				if len(tc.key) <= 8 {
+					if displayed != "" {
+						t.Fatalf("maskAPIKey(%q) displayed part = %q, want empty", tc.key, displayed)
+					}
+				} else {
+					if len(displayed)*10 > len(tc.key)*6 {
+						t.Fatalf(
+							"maskAPIKey(%q) displayed length = %d, want at most 60%% of %d",
+							tc.key,
+							len(displayed),
+							len(tc.key),
+						)
+					}
+				}
+			}
 		})
 	}
 }