
fix(auth): Honor deployment scope on keys minted by admin users#132

Merged
nfebe merged 1 commit into
mainfrom
fix/deployment-scoped-key-auth
May 25, 2026

Conversation

Contributor

@nfebe nfebe commented May 25, 2026

A deployment-scoped API key minted by an admin user was rejected with 403 when used. The check required an explicit per-deployment grant on the underlying user record, which admin users do not have because their access is granted implicitly by role. Admins now satisfy the user side of the check unconditionally, and the key's per-deployment scope is applied as a cap on top, so a scoped key works as intended from any user role.

The mirror condition is fixed too: an admin-role key with a per-deployment scope is now capped by that scope rather than short-circuiting the check. A scoped key cannot grant more access than either side of the pair allows; the effective level is the lower of the two.


sourceant Bot commented May 25, 2026

Code Review Summary

This PR successfully addresses a bug where deployment-scoped API keys minted by administrators were incorrectly rejected. It also strengthens security by ensuring that any scoped key acts as a 'cap' on the user's permissions, rather than a separate grant.

🚀 Key Improvements

  • Implemented a 'Least Privilege' model where effective access is the intersection of User and API Key permissions.
  • Refactored authorization logic into testable helper functions (actorUserDeploymentLevel, actorAPIKeyDeploymentLevel).
  • Added comprehensive test cases in internal/auth/models_test.go covering admin users, scoped keys, and operator restrictions.

💡 Minor Suggestions

  • Consider using a map for level ranking for minor performance gains.
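The "lower of the two" rule from the PR description and the intersection model the review summary calls out are straightforward to make concrete. The following is an added example written for this page, not the project's own code: the helper names `actorUserDeploymentLevel` and `actorAPIKeyDeploymentLevel` are taken from the review summary, but their bodies, the `Level`/`Role` types, the `User`, `APIKey` and `DeploymentScope` structs, the `roleLevel` ceiling for unscoped keys, and `Authorize`/`ErrForbidden` are all assumptions made for illustration. It demonstrates both conditions the fix describes: an admin user satisfies the user side without an explicit grant, and a scoped key (admin-role or not) is capped at its scope and grants nothing on any other deployment.

```go
package main

import (
	"errors"
	"fmt"
)

// Level is an ordered deployment access level; a higher value grants more.
// Hypothetical ordering for this example.
type Level int

const (
	LevelNone Level = iota
	LevelRead
	LevelWrite
	LevelAdmin
)

func (l Level) String() string {
	return [...]string{"none", "read", "write", "admin"}[l]
}

// Role is a user or API-key role. Hypothetical names for this example.
type Role string

const (
	RoleAdmin    Role = "admin"
	RoleOperator Role = "operator"
	RoleMember   Role = "member"
)

// User carries a role plus explicit per-deployment grants. Admin users
// typically have no explicit grants: their access is implied by the role.
type User struct {
	Role   Role
	Grants map[string]Level
}

// DeploymentScope confines an API key to one deployment at one level.
type DeploymentScope struct {
	Deployment string
	Level      Level
}

// APIKey carries the role it was minted with and an optional scope.
type APIKey struct {
	Role  Role
	Scope *DeploymentScope // nil means unscoped
}

// ErrForbidden is what a handler would map to HTTP 403.
var ErrForbidden = errors.New("forbidden")

// roleLevel is the ceiling an unscoped key inherits from its role (assumed).
func roleLevel(r Role) Level {
	switch r {
	case RoleAdmin:
		return LevelAdmin
	case RoleOperator:
		return LevelWrite
	default:
		return LevelRead
	}
}

// actorUserDeploymentLevel is the user side of the check: admins satisfy it
// unconditionally; anyone else needs an explicit grant on that deployment.
func actorUserDeploymentLevel(u User, dep string) Level {
	if u.Role == RoleAdmin {
		return LevelAdmin
	}
	return u.Grants[dep] // absent key yields LevelNone
}

// actorAPIKeyDeploymentLevel is the key side: a scoped key is capped at its
// scope regardless of key role and grants nothing on other deployments;
// an unscoped key falls back to its role ceiling.
func actorAPIKeyDeploymentLevel(k APIKey, dep string) Level {
	if k.Scope != nil {
		if k.Scope.Deployment != dep {
			return LevelNone
		}
		return k.Scope.Level
	}
	return roleLevel(k.Role)
}

// effectiveLevel is the intersection of both sides: the lower of the two.
func effectiveLevel(u User, k APIKey, dep string) Level {
	ul, kl := actorUserDeploymentLevel(u, dep), actorAPIKeyDeploymentLevel(k, dep)
	if kl < ul {
		return kl
	}
	return ul
}

// Authorize denies unless the effective level reaches the required one.
func Authorize(u User, k APIKey, dep string, required Level) error {
	if got := effectiveLevel(u, k, dep); got < required {
		return fmt.Errorf("%w: %s on %s, need %s", ErrForbidden, got, dep, required)
	}
	return nil
}

func main() {
	admin := User{Role: RoleAdmin} // no explicit grants, by design
	scoped := APIKey{Role: RoleAdmin, Scope: &DeploymentScope{Deployment: "prod", Level: LevelWrite}}
	for _, dep := range []string{"prod", "staging"} {
		fmt.Printf("admin user, write-scoped admin key, %s: %s\n", dep, effectiveLevel(admin, scoped, dep))
	}
	fmt.Println(Authorize(admin, scoped, "prod", LevelAdmin)) // capped: forbidden
}
```

Note that the key side never consults the user and the user side never consults the key; the only place they meet is the `min` in `effectiveLevel`, which is what keeps a scoped key from ever granting more than either side allows.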

@sourceant sourceant Bot left a comment

Review complete. No specific code suggestions were generated. See the overview comment for a summary.

@nfebe nfebe merged commit be85323 into main May 25, 2026
5 checks passed
@nfebe nfebe deleted the fix/deployment-scoped-key-auth branch May 25, 2026 19:33