feat: Add organization-wide API keys with uniform permissions#2
feat: Add organization-wide API keys with uniform permissions#2
Conversation
- Add allProjects and allProjectsPermission fields to ApiKey model - Update Zod schemas to support new fields - Modify API key creation to handle all-projects mode - Enhance authentication to dynamically generate permissions for all org projects - Add UI toggle for 'All Projects Access' in AddApiKeyModal with permission level selection - Ensure newly created projects are automatically accessible with existing API keys - Maintain backward compatibility with environment-specific API keys This allows API keys to grant access to all current and future projects in an organization with a uniform permission level (read/write/manage). Co-Authored-By: syed.abid@earnestdata-analytics.in <syedabid22@gmail.com>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
|
@codex review |
|
❌ Cannot revive Devin session - the session is too old. Please start a new session instead. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3728a35b8a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| allProjects Boolean @default(false) | ||
| allProjectsPermission ApiKeyPermission? |
There was a problem hiding this comment.
This change introduces allProjects and allProjectsPermission on the Prisma model, and the same commit starts reading/writing those fields in API-key creation/auth paths, but no corresponding schema migration is added under packages/database/migration. In environments that apply migrations from that directory, the DB schema will remain unchanged and these Prisma queries will fail at runtime with missing-column errors.
Useful? React with 👍 / 👎.
| organization: { | ||
| include: { | ||
| projects: { | ||
| include: { | ||
| environments: true, |
There was a problem hiding this comment.
getApiKeyWithPermissions now eagerly includes every project and environment in the organization for every API key lookup, even when the key is not allProjects. Because this function is used by v1/v2 authentication on request paths, this adds org-size-dependent query cost to normal API traffic and can cause significant latency for large organizations; fetch these relations only when allProjects is actually enabled.
Useful? React with 👍 / 👎.
1 participant
What does this PR do?
This PR implements organization-wide API keys that grant access to all projects within an organization, including projects created after the API key is generated. Users can now create API keys with uniform permission levels (read/write/manage) that automatically apply to all current and future projects.
Key Features:
Link to Devin run: https://app.devin.ai/sessions/d09fc93c64894880be0d2f67e0978dcf
Requested by: @Abid10892
How should this be tested?
Test Cases:
Organization-wide API Key Creation:
Future Project Access:
Backward Compatibility:
UI Functionality:
Checklist
Required
pnpm build(blocked by local environment setup)console.logsgit pull origin mainAppreciated
High Priority:
allProjectsandallProjectsPermissionfields are added correctlygetApiKeyWithPermissions- this dynamically creates environment permissions for all organization projectsMedium Priority: