fix(rest): REST data API honors sys_api_key — shared verifier with MCP (closes #1633)#1634
Merged
Merged
Conversation
closes #1633) Staging e2e found MCP authenticated a sys_api_key but REST /api/v1/data 401'd the same key — rest's resolveExecCtx only checked the better-auth session. Converged both surfaces onto ONE verifier (no drift): - @objectstack/core/security: shared key primitives + new resolveApiKeyPrincipal(ql, headers, nowMs?) (hash→lookup→reject unknown/revoked/expired/owner-less, fail-closed). core = cycle-free shared home (rest→core, runtime→core, core→neither; server-side). - runtime: api-key.ts re-exports core (stable surface); resolveExecutionContext delegates its key branch to resolveApiKeyPrincipal. - rest: resolveExecCtx tries resolveApiKeyPrincipal before getSession → /data + /meta authenticate the key under its permissions + RLS, like MCP. Tests: core api-key.test.ts (9, primitives+verifier); runtime 381 + rest 88 green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
github-actions
Bot
added
documentation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| * cannot recover the raw key by probing for partial matches. | ||
| */ | ||
| export function hashApiKey(raw: string): string { | ||
| return createHash('sha256').update(raw, 'utf8').digest('hex'); |
| if (x && x.trim()) return x.trim(); | ||
| const auth = readHeader(headers, 'authorization'); | ||
| if (!auth) return undefined; | ||
| const m = auth.match(/^ApiKey\s+(.+)$/i); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1633. Staging e2e found MCP authenticated a sys_api_key but REST /api/v1/data 401'd the same key. Converged both onto ONE verifier: @objectstack/core/security owns the shared primitives + new resolveApiKeyPrincipal (fail-closed); runtime re-exports core + resolveExecutionContext delegates to it; rest's resolveExecCtx tries it before getSession so /data+/meta authenticate the key under permissions+RLS like MCP. Tests: core 9 + runtime 381 + rest 88 green.
🤖 Generated with Claude Code