From f1ac1a107263cfc1addab7b15bbf07a38c7bf0a6 Mon Sep 17 00:00:00 2001
From: lc6464 <64722907+lc6464@users.noreply.github.com>
Date: Tue, 24 Mar 2026 12:20:57 +0800
Subject: [PATCH] fix(web): ensure at least 40% of the characters are masked for api key

- keys longer than 12 chars show prefix + last 4 chars
- keys 9-12 chars show prefix + last 2 chars
- shorter keys are fully masked
---
 web/backend/api/models.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/web/backend/api/models.go b/web/backend/api/models.go
index 1e3b5f90a..142363079 100644
--- a/web/backend/api/models.go
+++ b/web/backend/api/models.go
@@ -307,16 +307,25 @@ func (h *Handler) handleSetDefaultModel(w http.ResponseWriter, r *http.Request)
 }
 
 // maskAPIKey returns a masked version of an API key for safe display.
-// Keys longer than 8 chars show prefix + last 4 chars: "sk-****abcd"
+// Keys longer than 12 chars show prefix + last 4 chars: "sk-****abcd".
+// Keys 9-12 chars show prefix + last 2 chars: "sk-****cd".
 // Shorter keys are fully masked as "****".
 // Empty keys return empty string.
+// Ensure at least 40% of the key is masked.
 func maskAPIKey(key string) string {
 if key == "" {
 return ""
 }
+
 if len(key) <= 8 {
 return "****"
 }
+
+ // Show first 3 chars and last 2 chars
+ if len(key) <= 12 {
+ return key[:3] + "****" + key[len(key)-2:]
+ }
+
 // Show first 3 chars and last 4 chars
 return key[:3] + "****" + key[len(key)-4:]
 }
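Review bot: In the new 9-12 branch of maskAPIKey, `key[:3] + "****" + key[len(key)-2:]` meets the 40% ratio but leaves only four to seven bytes hidden, and a ratio says little about how much of a short secret remains unknown. The doc comment's `"sk-****abcd"` example suggests the first three bytes are expected to be a non-secret vendor prefix; for a key without such a prefix they are secret material, so five of nine bytes would be displayed. Consider keeping keys of this length fully masked (`if len(key) <= 12 { return "****" }`) or showing only the suffix, and state the prefix assumption in the comment, e.g. `// Assumes the first 3 bytes are a non-secret vendor prefix such as "sk-".` The thresholds compare `len(key)`, which counts bytes rather than characters, so a table-driven test at lengths 8, 9, 12 and 13 would pin both the boundaries and the stated invariant; the patch as shown changes only models.go.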