Skip to content

fix: auth inconcistency around API keys & manager role#7634

Closed
jobenjada wants to merge 3 commits intomainfrom
fix/managers-to-create-api-keys
Closed

fix: auth inconcistency around API keys & manager role#7634
jobenjada wants to merge 3 commits intomainfrom
fix/managers-to-create-api-keys

Conversation

@jobenjada
Copy link
Copy Markdown
Member

@jobenjada jobenjada commented Mar 31, 2026

Lets managers create API keys

@jobenjada jobenjada marked this pull request as ready for review March 31, 2026 13:38
@jobenjada jobenjada requested a review from mattinannt March 31, 2026 13:38
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Mar 31, 2026
edited
Loading

Caution

Review failed

An error occurred during the review process. Please try again later.

Walkthrough

The pull request extends API key management capabilities to users with manager roles. In the navigation component, isManager is derived from access flags and used to compute isOwnerOrManager. The API keys navigation item's visibility condition is updated to display for both owners and managers. Additionally, the authorization checks for API key operations—create, update, and delete—are modified to include "manager" alongside "owner" in the required organization roles.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is minimal and vague. It lacks required sections such as issue reference, testing instructions, and completion of the required checklist items. Add issue reference (Fixes #...), detailed testing instructions in 'How should this be tested?' section, and check off required checklist items to demonstrate code review practices were followed.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: updating authorization checks to allow managers (in addition to owners) to access API keys, fixing an authentication inconsistency.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
apps/web/modules/organization/settings/api-keys/actions.ts (1)

23-32: 🧹 Nitpick | 🔵 Trivial

Extract repeated org-role access config to a shared constant.

The same access block is duplicated three times. Centralizing it reduces auth drift risk.

♻️ Proposed refactor 
 const ZDeleteApiKeyAction = z.object({
   id: ZId,
 });
 
+const OWNER_MANAGER_ORG_ACCESS = [
+  {
+    type: "organization" as const,
+    roles: ["owner", "manager"] as const,
+  },
+];
+
 export const deleteApiKeyAction = authenticatedActionClient.inputSchema(ZDeleteApiKeyAction).action(
   withAuditLogging("deleted", "apiKey", async ({ ctx, parsedInput }) => {
     const organizationId = await getOrganizationIdFromApiKeyId(parsedInput.id);
     await checkAuthorizationUpdated({
       userId: ctx.user.id,
       organizationId,
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-      ],
+      access: OWNER_MANAGER_ORG_ACCESS,
     });
@@
     await checkAuthorizationUpdated({
       userId: ctx.user.id,
       organizationId: parsedInput.organizationId,
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-      ],
+      access: OWNER_MANAGER_ORG_ACCESS,
     });
@@
     await checkAuthorizationUpdated({
       userId: ctx.user.id,
       organizationId,
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-      ],
+      access: OWNER_MANAGER_ORG_ACCESS,
     });

As per coding guidelines "Keep code DRY (Don't Repeat Yourself) and small; remove dead code and unused imports".

Also applies to: 50-59, 78-87

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@apps/web/modules/organization/settings/api-keys/actions.ts` around lines 23 -
32, Extract the repeated access block into a shared constant (e.g.,
ORG_OWNER_MANAGER_ACCESS) and replace the three inline usages passed to
checkAuthorizationUpdated(...) with that constant; locate the occurrences where
checkAuthorizationUpdated is called (the calls that pass access: [{ type:
"organization", roles: ["owner","manager"] }]) and import/define the constant
adjacent to the module-level scope so all calls use the same reference to avoid
duplication and future drift.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@apps/web/modules/organization/settings/api-keys/actions.ts`:
- Around line 23-32: Extract the repeated access block into a shared constant
(e.g., ORG_OWNER_MANAGER_ACCESS) and replace the three inline usages passed to
checkAuthorizationUpdated(...) with that constant; locate the occurrences where
checkAuthorizationUpdated is called (the calls that pass access: [{ type:
"organization", roles: ["owner","manager"] }]) and import/define the constant
adjacent to the module-level scope so all calls use the same reference to avoid
duplication and future drift.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 303e15a1-3af7-4a22-baf9-2983018cd9ee

📥 Commits

Reviewing files that changed from the base of the PR and between 5bb8119 and 99b2441.

📒 Files selected for processing (2)
  • apps/web/app/(app)/environments/[environmentId]/settings/(organization)/components/OrganizationSettingsNavbar.tsx
  • apps/web/modules/organization/settings/api-keys/actions.ts

mattinannt
mattinannt previously approved these changes Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@mattinannt mattinannt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good; thank you for the fix :-)

@mattinannt mattinannt added this pull request to the merge queue Apr 2, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Apr 2, 2026
@pandeymangg pandeymangg added this pull request to the merge queue Apr 3, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Apr 3, 2026
@Dhruwang
Copy link
Copy Markdown
Member

Dhruwang commented Apr 15, 2026

These changes were already added in #7635

@Dhruwang Dhruwang closed this Apr 15, 2026
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 15, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@mattinannt mattinannt mattinannt left review comments

Assignees

@mattinannt mattinannt

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jobenjada @Dhruwang @mattinannt @pandeymangg