remove api-key-org association for root keys

2025-08-26 12:15:35 +02:00 · 2025-08-01 15:55:47 -07:00 · 2025-08-01 15:55:47 -07:00 · 7402590f49
commit 7402590f49
parent 6d359b6bb9
11 changed files with 47 additions and 26 deletions
--- a/server/middlewares/integration/verifyApiKeyApiKeyAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyApiKeyAccess.ts
@ -35,6 +35,11 @@ export async function verifyApiKeyApiKeyAccess(
            );
        }

+        if (callerApiKey.isRoot) {
+            // Root keys can access any key in any org
+            return next();
+        }
+
        const [callerApiKeyOrg] = await db
            .select()
            .from(apiKeyOrg)
--- a/server/middlewares/integration/verifyApiKeyClientAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyClientAccess.ts
@ -28,6 +28,11 @@ export async function verifyApiKeyClientAccess(
            );
        }

+        if (apiKey.isRoot) {
+            // Root keys can access any key in any org
+            return next();
+        }
+
        const client = await db
            .select()
            .from(clients)
--- a/server/middlewares/integration/verifyApiKeyOrgAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyOrgAccess.ts
@ -27,6 +27,11 @@ export async function verifyApiKeyOrgAccess(
            );
        }

+        if (req.apiKey?.isRoot) {
+            // Root keys can access any key in any org
+            return next();
+        }
+
        if (!req.apiKeyOrg) {
            const apiKeyOrgRes = await db
                .select()
--- a/server/middlewares/integration/verifyApiKeyResourceAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyResourceAccess.ts
@ -37,6 +37,11 @@ export async function verifyApiKeyResourceAccess(
            );
        }

+        if (apiKey.isRoot) {
+            // Root keys can access any key in any org
+            return next();
+        }
+
        if (!resource.orgId) {
            return next(
                createHttpError(
--- a/server/middlewares/integration/verifyApiKeyRoleAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyRoleAccess.ts
@ -45,6 +45,11 @@ export async function verifyApiKeyRoleAccess(
            );
        }

+        if (apiKey.isRoot) {
+            // Root keys can access any key in any org
+            return next();
+        }
+
        const orgIds = new Set(rolesData.map((role) => role.orgId));

        for (const role of rolesData) {
--- a/server/middlewares/integration/verifyApiKeySetResourceUsers.ts
+++ b/server/middlewares/integration/verifyApiKeySetResourceUsers.ts
@ -32,6 +32,11 @@ export async function verifyApiKeySetResourceUsers(
        return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid user IDs"));
    }

+    if (apiKey.isRoot) {
+        // Root keys can access any key in any org
+        return next();
+    }
+
    if (userIds.length === 0) {
        return next();
    }
--- a/server/middlewares/integration/verifyApiKeySiteAccess.ts
+++ b/server/middlewares/integration/verifyApiKeySiteAccess.ts
@ -1,9 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
-import {
-    sites,
-    apiKeyOrg
-} from "@server/db";
+import { sites, apiKeyOrg } from "@server/db";
 import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
@ -31,6 +28,11 @@ export async function verifyApiKeySiteAccess(
            );
        }

+        if (apiKey.isRoot) {
+            // Root keys can access any key in any org
+            return next();
+        }
+
        const site = await db
            .select()
            .from(sites)
--- a/server/middlewares/integration/verifyApiKeyTargetAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyTargetAccess.ts
@ -66,6 +66,11 @@ export async function verifyApiKeyTargetAccess(
            );
        }

+        if (apiKey.isRoot) {
+            // Root keys can access any key in any org
+            return next();
+        }
+
        if (!resource.orgId) {
            return next(
                createHttpError(
--- a/server/middlewares/integration/verifyApiKeyUserAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyUserAccess.ts
@ -27,6 +27,11 @@ export async function verifyApiKeyUserAccess(
            );
        }

+        if (apiKey.isRoot) {
+            // Root keys can access any key in any org
+            return next();
+        }
+
        if (!req.apiKeyOrg || !req.apiKeyOrg.orgId) {
            return next(
                createHttpError(
--- a/server/routers/apiKeys/createRootApiKey.ts
+++ b/server/routers/apiKeys/createRootApiKey.ts
@ -63,15 +63,6 @@ export async function createRootApiKey(
            lastChars,
            isRoot: true
        });
-
-        const allOrgs = await trx.select().from(orgs);
-
-        for (const org of allOrgs) {
-            await trx.insert(apiKeyOrg).values({
-                apiKeyId,
-                orgId: org.orgId
-            });
-        }
    });

    try {
--- a/server/routers/org/createOrg.ts
+++ b/server/routers/org/createOrg.ts
@ -234,18 +234,6 @@ export async function createOrg(
                    orgId
                }))
            );
-
-            const rootApiKeys = await trx
-                .select()
-                .from(apiKeys)
-                .where(eq(apiKeys.isRoot, true));
-
-            for (const apiKey of rootApiKeys) {
-                await trx.insert(apiKeyOrg).values({
-                    apiKeyId: apiKey.apiKeyId,
-                    orgId: newOrg[0].orgId
-                });
-            }
        });

        if (!org) {