From 1c57c60770ee679d77a72a475dceefd0ad014c4c Mon Sep 17 00:00:00 2001
From: multipleof4 <planetrenox@protonmail.com>
Date: Sun, 15 Mar 2026 14:55:02 -0700
Subject: [PATCH] Fix: Harden RSA key env parsing

---
 lib/kalshi/auth.js | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/lib/kalshi/auth.js b/lib/kalshi/auth.js
index 24d9918..32bfb7e 100644
--- a/lib/kalshi/auth.js
+++ b/lib/kalshi/auth.js
@@ -3,13 +3,34 @@ import crypto from 'crypto';
 const DEFAULT_KALSHI_API_BASE = 'https://api.elections.kalshi.com';
 const KALSHI_API_BASE = (process.env.KALSHI_API_BASE || DEFAULT_KALSHI_API_BASE).trim().replace(/\/+$/, '');
 
+function normalizePrivateKey(value) {
+  if (!value) return '';
+
+  let key = String(value).trim();
+
+  // Strip accidental wrapping quotes from env UIs
+  if (
+    (key.startsWith('"') && key.endsWith('"')) ||
+    (key.startsWith("'") && key.endsWith("'"))
+  ) {
+    key = key.slice(1, -1);
+  }
+
+  // Normalize line breaks from various env formats
+  return key
+    .replace(/\\r\\n/g, '\n')
+    .replace(/\r\n/g, '\n')
+    .replace(/\\n/g, '\n')
+    .trim();
+}
+
 /**
  * Signs a Kalshi API request using RSA-PSS with SHA-256.
  * Returns headers needed for authenticated requests.
  */
 export function signRequest(method, path, timestampMs = Date.now()) {
-  const keyId = process.env.KALSHI_API_KEY_ID;
-  const privateKeyPem = process.env.KALSHI_RSA_PRIVATE_KEY?.replace(/\\n/g, '\n');
+  const keyId = process.env.KALSHI_API_KEY_ID?.trim();
+  const privateKeyPem = normalizePrivateKey(process.env.KALSHI_RSA_PRIVATE_KEY);
 
   if (!keyId || !privateKeyPem) {
     throw new Error('Missing KALSHI_API_KEY_ID or KALSHI_RSA_PRIVATE_KEY');