fix(api): harden apikey_manager RBAC follow-ups#2570
Merging this PR will degrade performance by 51.13%
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
Reviewed by Cursor Bugbot for commit ae6fc27.
Risk: high. Not approving: Cursor Bugbot finished skipped (usage limit) and reported one unresolved finding (JWT binding permission mismatch on PUT vs POST). Human review is required for this RBAC/security migration change; WcaleNieWolny is requested as reviewer.
Sent by Cursor Approval Agent: Pull Request Approver External
Introduce org.manage_apikeys and apikey_manager so legacy broad keys and dedicated CI keys can create and manage sibling keys without user-role assignment rights. Skip 2FA enforcement on API-key auth paths, optimize manifest/app_versions RLS with readable app id helpers, and align seed data with app_uploader channel promote and channel_admin legacy mapping. Co-authored-by: Cursor <cursoragent@cursor.com>
Seed API key 113 with the apikey_manager role and add vitest/SQL checks that CI keys can manage siblings without role escalation privileges. Co-authored-by: Cursor <cursoragent@cursor.com>
Re-apply org-scoped RBAC bindings for the dedicated apikey management seed keys after permissions are repopulated, and assert by key UUID in the SQL test instead of a fixed apikeys.id. Co-authored-by: Cursor <cursoragent@cursor.com>
Grant apikey_manager org.read for expiration policy enforcement, block admin-tier role assignment from apikey_manager callers, and restore narrow channel_developer/uploader legacy mappings with first-class roles. Co-authored-by: Cursor <cursoragent@cursor.com>
Only evaluate denied assignable roles for bindings in orgs where the caller lacks org.update_user_roles. Co-authored-by: Cursor <cursoragent@cursor.com>
Strip client-controlled allowSystemRole from binding input, upsert the apikey_manager role during seed repopulation, restore org_admin channel settings permissions in seed, and reject JWT/API-key owner mismatches in app_versions_readable_app_ids(). Co-authored-by: Cursor <cursoragent@cursor.com>
Skip server key regeneration for seeded management API keys and repair bindings by stable apikey id so CI seed assertions stay deterministic. Co-authored-by: Cursor <cursoragent@cursor.com>
ae6fc27 to 9b07906
Risk: high. Not approving: Cursor Bugbot finished skipped on the latest push and both Run tests jobs failed. Human review is still required for this RBAC/security migration; WcaleNieWolny is already requested and daxia778 is assigned as a second reviewer.
Sent by Cursor Approval Agent: Pull Request Approver
Re-apply management key bindings after seed completes with a fail-fast check, and use app_reader in channel-promotion CLI tests now that app_uploader includes channel.promote_bundle. Co-authored-by: Cursor <cursoragent@cursor.com>
Risk: high. Not approving: Cursor Bugbot finished skipped on this sync (usage limit) and there is no clean Bugbot review for the latest commit. Human review is required for this RBAC/security migration; WcaleNieWolny and daxia778 are already requested as reviewers.
Sent by Cursor Approval Agent: Pull Request Approver External
Ensure test 8 is self-contained inside its transaction so parallel pgTAP files cannot leave apikey 113 without the apikey_manager org binding. Co-authored-by: Cursor <cursoragent@cursor.com>
Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 7fdfae9, and this RBAC/security migration exceeds the medium-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.
Sent by Cursor Approval Agent: Pull Request Approver
rbac_check_permission_request now skips 2FA enforcement for API key principals, including channel-scoped keys without app.read bindings. Co-authored-by: Cursor <cursoragent@cursor.com>
Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 33cde81, and this RBAC/security migration exceeds the medium-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.
Sent by Cursor Approval Agent: Pull Request Approver
Risk: high. Not approving: Cursor Bugbot finished skipped on this sync (usage limit) with no clean Bugbot review for the latest commit, and this RBAC/security migration exceeds the low-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.
Sent by Cursor Approval Agent: Pull Request Approver External
org_super_admin API keys can now create sibling keys, so use org_member test keys and expect 401 cannot_create_apikey for nested creation. Co-authored-by: Cursor <cursoragent@cursor.com>
Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for the latest commit, and this RBAC/security migration exceeds the low-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.
Sent by Cursor Approval Agent: Pull Request Approver External
Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 0b9f382, and this RBAC/security migration exceeds the medium-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.
Sent by Cursor Approval Agent: Pull Request Approver
…2585)
* fix(security): restrict group metadata access to members and admins
  Prevent org members from reading groups and group_members via PostgREST unless they belong to the group or hold org admin rights.
  Co-authored-by: Cursor <cursoragent@cursor.com>
* test(security): run group RLS tests sequentially
  Avoid parallel fixture mutation when the join regression test temporarily adds a group member.
  Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(security): address group RLS review findings
  Tighten regression tests for admin-only group visibility, update pgTAP expectations, add private groups API coverage, and rethrow quickError from the members handler catch block.
  Co-authored-by: Cursor <cursoragent@cursor.com>
* test(security): use non-admin pgTAP user for group RLS denial
  test_user is demo org super_admin and bypasses the member-only groups policy; use test_user2 instead.
  Co-authored-by: Cursor <cursoragent@cursor.com>
* test(security): tighten group access test assertions
  Assert quickError payload on forbidden private API responses and ensure pooled pg clients are always released during cleanup.
  Co-authored-by: Cursor <cursoragent@cursor.com>
---------
Co-authored-by: Cursor <cursoragent@cursor.com>

* feat(cli): add preview QR PNG/web URL and missing app set options
  Expose console app settings and richer preview output from the CLI so teams can enable preview, print web URLs, save QR PNGs, and manage download channels without the dashboard.
  Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(cli): trim preview-subdomain exports and remove unused import
  Keeps knip and oxlint clean after adding CLI preview web URL helpers.
  Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(cli): escape hostname regex in app set test for CodeQL
  CodeQL flags unescaped dots in /apps.apple.com/ as an incomplete hostname regexp.
  Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(cli): address PR review feedback on store URL, PNG output, docs
  Use exact hostname matching, create parent dirs for --png output, and escape MDX path placeholders.
  Co-authored-by: Cursor <cursoragent@cursor.com>
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
Resolve conflicts in cli/package.json and supabase/tests/34_test_rbac_rls.sql by keeping main's group RLS coverage plus the org_users escalation tests. Co-authored-by: Cursor <cursoragent@cursor.com>
Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 86c8f4c, and this RBAC/security migration exceeds the low-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.
Sent by Cursor Approval Agent: Pull Request Approver External
Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 86c8f4c, and this RBAC/security migration exceeds the medium-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.
Sent by Cursor Approval Agent: Pull Request Approver
…drop Main's group member-only RLS migration cast to user_min_right, which is removed by the RBAC hardening migration that runs earlier on this branch. Co-authored-by: Cursor <cursoragent@cursor.com>
Remove legacy use_new_rbac and user_right columns dropped by the RBAC hardening migration so groups RLS regression tests run against current schema. Co-authored-by: Cursor <cursoragent@cursor.com>
Merged 24b9fa5 into codex/rbac-apikey-management-hardening
Summary (AI generated)
* org.manage_apikeys/apikey_manager RBAC support with API-key management endpoints, seed data, and SQL/HTTP tests
* allowSystemRole, blocks admin-tier role escalation from apikey_manager, grants org.read for expiration policy enforcement
* channel_developer/channel_uploader roles and restores narrow legacy channel mappings
* apikey_manager bindings, org_admin channel settings permissions, and JWT/API-key owner mismatch in app_versions_readable_app_ids()

Motivation (AI generated)
PR #2548 review and Bugbot flagged remaining security and CI issues: seed binding drift, allowSystemRole bypass, org_admin permission drift on db reset, and bundle RLS principal mismatch when JWT and capgkey disagree. This PR consolidates the follow-up work with those fixes in one branch.

Business Impact (AI generated)
Closes privilege-escalation paths for CI API keys, keeps local seed state aligned with production RBAC, and restores correct bundle/manifest RLS behavior for mixed auth requests. Enables safe rollout of dedicated API-key management roles.

Test Plan (AI generated)
* bun test:backend -- tests/apikeys.test.ts (apikey_manager management + allowSystemRole bypass)
* supabase test db: 57_test_rbac_apikey_manage_and_2fa.sql passes (seed key 113 binding)
* apikey_manager cannot create keys with app_admin/org_super_admin bindings
* capgkey cannot read bundles via optimized app_versions RLS
* bun run supabase:db:reset: org_admin can update channel settings