fix(api): harden apikey_manager RBAC follow-ups#2570

Merged
riderx merged 21 commits into
codex/rbac-apikey-management-hardeningfrom
fix/rbac-apikey-manager-hardening-v2
Jun 29, 2026

Conversation

@riderx

@riderx riderx commented Jun 23, 2026

Member

Summary (AI generated)

  • Adds org.manage_apikeys / apikey_manager RBAC support with API-key management endpoints, seed data, and SQL/HTTP tests
  • Hardens binding assignment: strips client allowSystemRole, blocks admin-tier role escalation from apikey_manager, grants org.read for expiration policy enforcement
  • Introduces channel_developer / channel_uploader roles and restores narrow legacy channel mappings
  • Fixes seed repopulation for apikey_manager bindings, org_admin channel settings permissions, and JWT/API-key owner mismatch in app_versions_readable_app_ids()

Motivation (AI generated)

PR #2548 review and Bugbot flagged remaining security and CI issues: seed binding drift, allowSystemRole bypass, org_admin permission drift on db reset, and bundle RLS principal mismatch when JWT and capgkey disagree. This PR consolidates the follow-up work with those fixes in one branch.

Business Impact (AI generated)

Closes privilege-escalation paths for CI API keys, keeps local seed state aligned with production RBAC, and restores correct bundle/manifest RLS behavior for mixed auth requests. Enables safe rollout of dedicated API-key management roles.

Test Plan (AI generated)

  • bun test:backend -- tests/apikeys.test.ts (apikey_manager management + allowSystemRole bypass)
  • supabase test db57_test_rbac_apikey_manage_and_2fa.sql passes (seed key 113 binding)
  • Verify apikey_manager cannot create keys with app_admin / org_super_admin bindings
  • Verify JWT session + foreign capgkey cannot read bundles via optimized app_versions RLS
  • Fresh bun run supabase:db:reset — org_admin can update channel settings

Generated with AI

Made with Cursor
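As an added example that is not the project's own code, the two binding checks the summary lists (dropping client-sent allowSystemRole, and refusing admin-tier roles in any org where the caller lacks org.update_user_roles) written as a standalone TypeScript validator; the type names, the function name, the error codes and the sample input are assumptions.

```typescript
// Added example, not code from the repository: a standalone validator for
// API-key binding input. All names and error codes here are assumed.

export interface Binding {
  orgId: string
  role: string
}

export interface CallerContext {
  // Org ids in which the caller already holds org.update_user_roles.
  // Per the PR, escalation is only evaluated for bindings in orgs where
  // this permission is missing.
  orgsWithUpdateUserRoles: ReadonlySet<string>
}

// Roles an apikey_manager caller must never hand out (from the test plan).
const ADMIN_TIER_ROLES: ReadonlySet<string> = new Set(['app_admin', 'org_super_admin'])

export type SanitizeResult =
  | { ok: true; bindings: Binding[] }
  | { ok: false; error: 'invalid_bindings' | 'role_escalation_denied' } // constructed codes

export function sanitizeBindings(caller: CallerContext, rawInput: unknown): SanitizeResult {
  if (!Array.isArray(rawInput))
    return { ok: false, error: 'invalid_bindings' }

  const bindings: Binding[] = []
  for (const item of rawInput) {
    if (typeof item !== 'object' || item === null)
      return { ok: false, error: 'invalid_bindings' }
    const { orgId, role } = item as Record<string, unknown>
    if (typeof orgId !== 'string' || typeof role !== 'string')
      return { ok: false, error: 'invalid_bindings' }

    // allowSystemRole is server policy, never client input: it is stripped by
    // only ever copying orgId and role out of the request object.
    // Admin-tier roles are refused unless the caller can already assign user
    // roles in that org, so an apikey_manager key cannot mint an admin key.
    if (ADMIN_TIER_ROLES.has(role) && !caller.orgsWithUpdateUserRoles.has(orgId))
      return { ok: false, error: 'role_escalation_denied' }

    bindings.push({ orgId, role })
  }
  return { ok: true, bindings }
}

// Constructed sample: a manager key scoped to org-a tries to create a sibling
// key with a super-admin binding in org-b, which must be refused.
export const sampleCaller: CallerContext = { orgsWithUpdateUserRoles: new Set(['org-a']) }
export const sampleResult = sanitizeBindings(sampleCaller, [
  { orgId: 'org-b', role: 'org_super_admin', allowSystemRole: true },
])
```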

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 20083b7b-c3e2-4f62-a41a-515f189d418f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

@cursor

cursor Bot commented Jun 23, 2026


Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_1b0382b4-4327-4e36-b247-1083a7352a59)

@codspeed-hq

codspeed-hq Bot commented Jun 23, 2026

Contributor

Merging this PR will degrade performance by 51.13%

❌ 1 regressed benchmark
✅ 42 untouched benchmarks
⏩ 2 skipped benchmarks [1]

Warning

Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

Benchmark                                  BASE     HEAD      Efficiency
/updates manifest response with metadata   115 µs   235.4 µs  -51.13%

Tip

Investigate this regression by commenting @codspeedbot fix this regression on this PR, or directly use the CodSpeed MCP with your agent.


Comparing fix/rbac-apikey-manager-hardening-v2 (baa4b60) with codex/rbac-apikey-management-hardening (b6bf7d5)

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Reviewed by Cursor Bugbot for commit ae6fc27.

Comment thread supabase/functions/_backend/public/apikey/put.ts
@cursor cursor Bot requested a review from WcaleNieWolny June 23, 2026 14:48

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped and left one unresolved finding (JWT binding update permission mismatch on PUT vs POST). Human review is required for this RBAC/security migration change.

Sent by Cursor Approval Agent: Pull Request Approver

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped (usage limit) and reported one unresolved finding (JWT binding permission mismatch on PUT vs POST). Human review is required for this RBAC/security migration change; WcaleNieWolny is requested as reviewer.

Sent by Cursor Approval Agent: Pull Request Approver External

riderx and others added 7 commits June 26, 2026 22:03
Introduce org.manage_apikeys and apikey_manager so legacy broad keys and
dedicated CI keys can create and manage sibling keys without user-role
assignment rights. Skip 2FA enforcement on API-key auth paths, optimize
manifest/app_versions RLS with readable app id helpers, and align seed
data with app_uploader channel promote and channel_admin legacy mapping.

Co-authored-by: Cursor <cursoragent@cursor.com>

Seed API key 113 with the apikey_manager role and add vitest/SQL checks
that CI keys can manage siblings without role escalation privileges.

Co-authored-by: Cursor <cursoragent@cursor.com>

Re-apply org-scoped RBAC bindings for the dedicated apikey management
seed keys after permissions are repopulated, and assert by key UUID in
the SQL test instead of a fixed apikeys.id.

Co-authored-by: Cursor <cursoragent@cursor.com>

Grant apikey_manager org.read for expiration policy enforcement, block
admin-tier role assignment from apikey_manager callers, and restore
narrow channel_developer/uploader legacy mappings with first-class roles.

Co-authored-by: Cursor <cursoragent@cursor.com>

Only evaluate denied assignable roles for bindings in orgs where the
caller lacks org.update_user_roles.

Co-authored-by: Cursor <cursoragent@cursor.com>

Strip client-controlled allowSystemRole from binding input, upsert the
apikey_manager role during seed repopulation, restore org_admin channel
settings permissions in seed, and reject JWT/API-key owner mismatches in
app_versions_readable_app_ids().

Co-authored-by: Cursor <cursoragent@cursor.com>

Skip server key regeneration for seeded management API keys and repair
bindings by stable apikey id so CI seed assertions stay deterministic.

Co-authored-by: Cursor <cursoragent@cursor.com>

@riderx riderx force-pushed the fix/rbac-apikey-manager-hardening-v2 branch from ae6fc27 to 9b07906, June 26, 2026 20:12
@cursor

cursor Bot commented Jun 26, 2026


Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_f5066b4a-268e-43ec-b13e-e5e5e40dc3e5)

@cursor cursor Bot requested a review from daxia778 June 26, 2026 20:16

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on the latest push and both Run tests jobs failed. Human review is still required for this RBAC/security migration; WcaleNieWolny is already requested and daxia778 is assigned as a second reviewer.

Sent by Cursor Approval Agent: Pull Request Approver

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on this sync and Run tests CI is failing. Human review is required for this RBAC/security migration; WcaleNieWolny is already requested as reviewer.

Sent by Cursor Approval Agent: Pull Request Approver External

Re-apply management key bindings after seed completes with a fail-fast
check, and use app_reader in channel-promotion CLI tests now that
app_uploader includes channel.promote_bundle.

Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor

cursor Bot commented Jun 26, 2026


Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_4d0aa4d1-455e-4318-b778-6e4041a03b84)

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on this sync (usage limit) and there is no clean Bugbot review for the latest commit. Human review is required for this RBAC/security migration; WcaleNieWolny and daxia778 are already requested as reviewers.

Sent by Cursor Approval Agent: Pull Request Approver External

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on the latest push with no clean review for the current commit, and both Run tests CI jobs failed. WcaleNieWolny and daxia778 are already requested as reviewers.

Sent by Cursor Approval Agent: Pull Request Approver

Ensure test 8 is self-contained inside its transaction so parallel pgTAP
files cannot leave apikey 113 without the apikey_manager org binding.

Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 7fdfae9, and this RBAC/security migration exceeds the medium-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.

Sent by Cursor Approval Agent: Pull Request Approver

rbac_check_permission_request now skips 2FA enforcement for API key
principals, including channel-scoped keys without app.read bindings.

Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor

cursor Bot commented Jun 26, 2026


Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_f548e4f0-a9cd-45dd-b3ad-3b7bb7f41bb8)

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 33cde81, and this RBAC/security migration exceeds the medium-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.

Sent by Cursor Approval Agent: Pull Request Approver

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on this sync (usage limit) with no clean Bugbot review for the latest commit, and this RBAC/security migration exceeds the low-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.

Sent by Cursor Approval Agent: Pull Request Approver External

org_super_admin API keys can now create sibling keys, so use org_member
test keys and expect 401 cannot_create_apikey for nested creation.

Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor

cursor Bot commented Jun 26, 2026


Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_6a437f8c-94e7-47dd-a75e-7ba4fc591909)

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for the latest commit, and this RBAC/security migration exceeds the low-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.

Sent by Cursor Approval Agent: Pull Request Approver External

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 0b9f382, and this RBAC/security migration exceeds the medium-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.

Sent by Cursor Approval Agent: Pull Request Approver

riderx and others added 6 commits June 27, 2026 01:11
…2585)

* fix(security): restrict group metadata access to members and admins

Prevent org members from reading groups and group_members via PostgREST unless they belong to the group or hold org admin rights.

Co-authored-by: Cursor <cursoragent@cursor.com>

* test(security): run group RLS tests sequentially

Avoid parallel fixture mutation when the join regression test temporarily adds a group member.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(security): address group RLS review findings

Tighten regression tests for admin-only group visibility, update pgTAP expectations, add private groups API coverage, and rethrow quickError from the members handler catch block.

Co-authored-by: Cursor <cursoragent@cursor.com>

* test(security): use non-admin pgTAP user for group RLS denial

test_user is demo org super_admin and bypasses the member-only groups policy; use test_user2 instead.

Co-authored-by: Cursor <cursoragent@cursor.com>

* test(security): tighten group access test assertions

Assert quickError payload on forbidden private API responses and ensure pooled pg clients are always released during cleanup.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

* feat(cli): add preview QR PNG/web URL and missing app set options

Expose console app settings and richer preview output from the CLI so teams can enable preview, print web URLs, save QR PNGs, and manage download channels without the dashboard.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(cli): trim preview-subdomain exports and remove unused import

Keeps knip and oxlint clean after adding CLI preview web URL helpers.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(cli): escape hostname regex in app set test for CodeQL

CodeQL flags unescaped dots in /apps.apple.com/ as an incomplete hostname regexp.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(cli): address PR review feedback on store URL, PNG output, docs

Use exact hostname matching, create parent dirs for --png output, and escape MDX path placeholders.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Resolve conflicts in cli/package.json and supabase/tests/34_test_rbac_rls.sql
by keeping main's group RLS coverage plus the org_users escalation tests.

Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor

cursor Bot commented Jun 27, 2026


Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_f0900551-80a6-4a20-b914-cf7f3735678f)

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 86c8f4c, and this RBAC/security migration exceeds the low-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.

Sent by Cursor Approval Agent: Pull Request Approver External

@cursor cursor Bot left a comment

Risk: high. Not approving: Cursor Bugbot finished skipped on this sync with no clean Bugbot review for commit 86c8f4c, and this RBAC/security migration exceeds the medium-risk approval threshold. WcaleNieWolny and daxia778 are already requested as reviewers.

Sent by Cursor Approval Agent: Pull Request Approver

…drop

Main's group member-only RLS migration cast to user_min_right, which is
removed by the RBAC hardening migration that runs earlier on this branch.

Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor

cursor Bot commented Jun 29, 2026


Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_57b9f4ee-bfe4-4cf2-836f-b3015fb67a7d)

Remove legacy use_new_rbac and user_right columns dropped by the RBAC
hardening migration so groups RLS regression tests run against current schema.

Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor

cursor Bot commented Jun 29, 2026


Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_f96533b3-32e1-4241-9523-8f1155d0b077)

@riderx riderx merged commit 24b9fa5 into codex/rbac-apikey-management-hardening Jun 29, 2026
42 of 43 checks passed
@riderx riderx deleted the fix/rbac-apikey-manager-hardening-v2 branch June 29, 2026 23:21