remove api-key-org association for root keys

2025-08-26 12:15:35 +02:00 · 2025-08-01 15:55:47 -07:00 · 2025-08-01 15:55:47 -07:00 · 7402590f49
commit 7402590f49
parent 6d359b6bb9
11 changed files with 47 additions and 26 deletions
--- a/server/middlewares/integration/verifyApiKeyApiKeyAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyApiKeyAccess.ts
@ -35,6 +35,11 @@ export async function verifyApiKeyApiKeyAccess(
            );
        }
        if (callerApiKey.isRoot) {
            // Root keys can access any key in any org
            return next();
        }
        const [callerApiKeyOrg] = await db
            .select()
            .from(apiKeyOrg)
--- a/server/middlewares/integration/verifyApiKeyClientAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyClientAccess.ts
@ -28,6 +28,11 @@ export async function verifyApiKeyClientAccess(
            );
        }
        if (apiKey.isRoot) {
            // Root keys can access any key in any org
            return next();
        }
        const client = await db
            .select()
            .from(clients)
--- a/server/middlewares/integration/verifyApiKeyOrgAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyOrgAccess.ts
@ -27,6 +27,11 @@ export async function verifyApiKeyOrgAccess(
            );
        }
        if (req.apiKey?.isRoot) {
            // Root keys can access any key in any org
            return next();
        }
        if (!req.apiKeyOrg) {
            const apiKeyOrgRes = await db
                .select()
--- a/server/middlewares/integration/verifyApiKeyResourceAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyResourceAccess.ts
@ -37,6 +37,11 @@ export async function verifyApiKeyResourceAccess(
            );
        }
        if (apiKey.isRoot) {
            // Root keys can access any key in any org
            return next();
        }
        if (!resource.orgId) {
            return next(
                createHttpError(
--- a/server/middlewares/integration/verifyApiKeyRoleAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyRoleAccess.ts
@ -45,6 +45,11 @@ export async function verifyApiKeyRoleAccess(
            );
        }
        if (apiKey.isRoot) {
            // Root keys can access any key in any org
            return next();
        }
        const orgIds = new Set(rolesData.map((role) => role.orgId));
        for (const role of rolesData) {
--- a/server/middlewares/integration/verifyApiKeySetResourceUsers.ts
+++ b/server/middlewares/integration/verifyApiKeySetResourceUsers.ts
@ -32,6 +32,11 @@ export async function verifyApiKeySetResourceUsers(
        return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid user IDs"));
    }
    if (apiKey.isRoot) {
        // Root keys can access any key in any org
        return next();
    }
    if (userIds.length === 0) {
        return next();
    }
--- a/server/middlewares/integration/verifyApiKeySiteAccess.ts
+++ b/server/middlewares/integration/verifyApiKeySiteAccess.ts
@ -1,9 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
-import {
+import { sites, apiKeyOrg } from "@server/db";
    sites,
    apiKeyOrg
 } from "@server/db";
 import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
@ -31,6 +28,11 @@ export async function verifyApiKeySiteAccess(
            );
        }
        if (apiKey.isRoot) {
            // Root keys can access any key in any org
            return next();
        }
        const site = await db
            .select()
            .from(sites)
--- a/server/middlewares/integration/verifyApiKeyTargetAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyTargetAccess.ts
@ -66,6 +66,11 @@ export async function verifyApiKeyTargetAccess(
            );
        }
        if (apiKey.isRoot) {
            // Root keys can access any key in any org
            return next();
        }
        if (!resource.orgId) {
            return next(
                createHttpError(
--- a/server/middlewares/integration/verifyApiKeyUserAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyUserAccess.ts
@ -27,6 +27,11 @@ export async function verifyApiKeyUserAccess(
            );
        }
        if (apiKey.isRoot) {
            // Root keys can access any key in any org
            return next();
        }
        if (!req.apiKeyOrg || !req.apiKeyOrg.orgId) {
            return next(
                createHttpError(
--- a/server/routers/apiKeys/createRootApiKey.ts
+++ b/server/routers/apiKeys/createRootApiKey.ts
@ -63,15 +63,6 @@ export async function createRootApiKey(
            lastChars,
            isRoot: true
        });
        const allOrgs = await trx.select().from(orgs);
        for (const org of allOrgs) {
            await trx.insert(apiKeyOrg).values({
                apiKeyId,
                orgId: org.orgId
            });
        }
    });
    try {
--- a/server/routers/org/createOrg.ts
+++ b/server/routers/org/createOrg.ts
@ -215,7 +215,7 @@ export async function createOrg(
                    orgId: newOrg[0].orgId,
                    roleId: roleId,
                    isOwner: true
-                }); 
+                });
            }
            const memberRole = await trx
@ -234,18 +234,6 @@ export async function createOrg(
                    orgId
                }))
            );
            const rootApiKeys = await trx
                .select()
                .from(apiKeys)
                .where(eq(apiKeys.isRoot, true));
            for (const apiKey of rootApiKeys) {
                await trx.insert(apiKeyOrg).values({
                    apiKeyId: apiKey.apiKeyId,
                    orgId: newOrg[0].orgId
                });
            }
        });
        if (!org) {