Skip to content

feat: introduce organization access tokens #2391

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

feat: introduce organization access tokens #2391

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
db2d4b8
Create schema and migration for organization access tokens
myftija Aug 14, 2025
622b185
Add helpers for creating and authenticating OATs
myftija Aug 14, 2025
2243830
Adapt the auth service to also accept OATs
myftija Aug 14, 2025
7815a2f
Accept OATs in the whoami v2 endpoint
myftija Aug 14, 2025
b315656
Enable deployments with the CLI using OATs
myftija Aug 14, 2025
a52a78f
Avoid reading env variables directly in the token utils
myftija Aug 14, 2025
18fffd1
Remove duplicate cli token utils
myftija Aug 14, 2025
5dc174e
Validate ENCRYPTION_KEY length when parsing env vars
myftija Aug 14, 2025
d7b0a4d
Make token utils a server-only module
myftija Aug 14, 2025
0444571
Disallow revoking already revoked OATs
myftija Aug 14, 2025
4c1b5f1
Simplify generics in authenticateRequest
myftija Aug 14, 2025
5543da1
Use 32 bytes mock encryption key in the test setup
myftija Aug 14, 2025
7d97ebe
Update dummy encryption key values in tests and templates
myftija Aug 14, 2025
bb85727
Add a column in the OATs table to differentiate between user and syst…
myftija Aug 14, 2025
ef773a8
Simplify args for v3ProjectPath
myftija Aug 14, 2025
e1135d5
Add index on org id and createdAt
myftija Aug 14, 2025
71072c0
Avoid storing the encrypted oat token and its obfuscated version in t…
myftija Aug 14, 2025
0e4e994
Fix prisma update condition
myftija Aug 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/unit-tests-webapp.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ jobs:
DIRECT_URL: postgresql://postgres:postgres@localhost:5432/postgres
SESSION_SECRET: "secret"
MAGIC_LINK_SECRET: "secret"
ENCRYPTION_KEY: "secret"
ENCRYPTION_KEY: "dummy-encryption-keeeey-32-bytes"
DEPLOY_REGISTRY_HOST: "docker.io"
CLICKHOUSE_URL: "http://default:password@localhost:8123"

Expand Down
7 changes: 6 additions & 1 deletion apps/webapp/app/env.server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,12 @@ const EnvironmentSchema = z.object({
DATABASE_READ_REPLICA_URL: z.string().optional(),
SESSION_SECRET: z.string(),
MAGIC_LINK_SECRET: z.string(),
ENCRYPTION_KEY: z.string(),
ENCRYPTION_KEY: z
.string()
.refine(
(val) => Buffer.from(val, "utf8").length === 32,
"ENCRYPTION_KEY must be exactly 32 bytes"
),
WHITELISTED_EMAILS: z
.string()
.refine(isValidRegex, "WHITELISTED_EMAILS must be a valid regex.")
Expand Down
131 changes: 15 additions & 116 deletions apps/webapp/app/routes/api.v1.projects.$projectRef.$env.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
import { json, type LoaderFunctionArgs } from "@remix-run/server-runtime";
import { type GetProjectEnvResponse } from "@trigger.dev/core/v3";
import { type RuntimeEnvironment } from "@trigger.dev/database";
import { z } from "zod";
import { prisma } from "~/db.server";
import { env as processEnv } from "~/env.server";
import { logger } from "~/services/logger.server";
import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
import {
authenticatedEnvironmentForAuthentication,
authenticateRequest,
} from "~/services/apiAuth.server";

const ParamsSchema = z.object({
projectRef: z.string(),
Expand All @@ -15,14 +15,6 @@ const ParamsSchema = z.object({
type ParamsSchema = z.infer<typeof ParamsSchema>;

export async function loader({ request, params }: LoaderFunctionArgs) {
logger.info("projects get env", { url: request.url });

const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);

if (!authenticationResult) {
return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
}

const parsedParams = ParamsSchema.safeParse(params);

if (!parsedParams.success) {
Expand All @@ -31,117 +23,24 @@ export async function loader({ request, params }: LoaderFunctionArgs) {

const { projectRef, env } = parsedParams.data;

const project = await prisma.project.findFirst({
where: {
externalRef: projectRef,
organization: {
members: {
some: {
userId: authenticationResult.userId,
},
},
},
},
});
const authenticationResult = await authenticateRequest(request);

if (!project) {
return json({ error: "Project not found" }, { status: 404 });
}

const envResult = await getEnvironmentFromEnv({
projectId: project.id,
userId: authenticationResult.userId,
env,
});

if (!envResult.success) {
return json({ error: envResult.error }, { status: 404 });
if (!authenticationResult) {
return json({ error: "Invalid or Missing API key" }, { status: 401 });
}

const runtimeEnv = envResult.environment;
const environment = await authenticatedEnvironmentForAuthentication(
authenticationResult,
projectRef,
env
);

const result: GetProjectEnvResponse = {
apiKey: runtimeEnv.apiKey,
name: project.name,
apiKey: environment.apiKey,
name: environment.project.name,
apiUrl: processEnv.API_ORIGIN ?? processEnv.APP_ORIGIN,
projectId: project.id,
projectId: environment.project.id,
};

return json(result);
}

async function getEnvironmentFromEnv({
projectId,
userId,
env,
}: {
projectId: string;
userId: string;
env: ParamsSchema["env"];
}): Promise<
| {
success: true;
environment: RuntimeEnvironment;
}
| {
success: false;
error: string;
}
> {
if (env === "dev") {
const environment = await prisma.runtimeEnvironment.findFirst({
where: {
projectId,
orgMember: {
userId: userId,
},
},
});

if (!environment) {
return {
success: false,
error: "Dev environment not found",
};
}

return {
success: true,
environment,
};
}

let slug: "stg" | "prod" | "preview" = "prod";
switch (env) {
case "staging":
slug = "stg";
break;
case "prod":
slug = "prod";
break;
case "preview":
slug = "preview";
break;
default:
break;
}

const environment = await prisma.runtimeEnvironment.findFirst({
where: {
projectId,
slug,
},
});

if (!environment) {
return {
success: false,
error: `${env === "staging" ? "Staging" : "Production"} environment not found`,
};
}

return {
success: true,
environment,
};
}
4 changes: 2 additions & 2 deletions apps/webapp/app/routes/api.v1.projects.$projectRef.background-workers.$envSlug.$version.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ import { LoaderFunctionArgs, json } from "@remix-run/server-runtime";
import { z } from "zod";
import { prisma } from "~/db.server";
import {
authenticateProjectApiKeyOrPersonalAccessToken,
authenticateRequest,
authenticatedEnvironmentForAuthentication,
} from "~/services/apiAuth.server";
import zlib from "node:zlib";
Expand All @@ -20,7 +20,7 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
return json({ error: "Invalid params" }, { status: 400 });
}

const authenticationResult = await authenticateProjectApiKeyOrPersonalAccessToken(request);
const authenticationResult = await authenticateRequest(request);

if (!authenticationResult) {
return json({ error: "Invalid or Missing API key" }, { status: 401 });
Expand Down
6 changes: 3 additions & 3 deletions apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.$name.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ import { UpdateEnvironmentVariableRequestBody } from "@trigger.dev/core/v3";
import { z } from "zod";
import { prisma } from "~/db.server";
import {
authenticateProjectApiKeyOrPersonalAccessToken,
authenticateRequest,
authenticatedEnvironmentForAuthentication,
} from "~/services/apiAuth.server";
import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
Expand All @@ -21,7 +21,7 @@ export async function action({ params, request }: ActionFunctionArgs) {
return json({ error: "Invalid params" }, { status: 400 });
}

const authenticationResult = await authenticateProjectApiKeyOrPersonalAccessToken(request);
const authenticationResult = await authenticateRequest(request);

if (!authenticationResult) {
return json({ error: "Invalid or Missing API key" }, { status: 401 });
Expand Down Expand Up @@ -97,7 +97,7 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
return json({ error: "Invalid params" }, { status: 400 });
}

const authenticationResult = await authenticateProjectApiKeyOrPersonalAccessToken(request);
const authenticationResult = await authenticateRequest(request);

if (!authenticationResult) {
return json({ error: "Invalid or Missing API key" }, { status: 401 });
Expand Down
4 changes: 2 additions & 2 deletions apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ import { ImportEnvironmentVariablesRequestBody } from "@trigger.dev/core/v3";
import { parse } from "dotenv";
import { z } from "zod";
import {
authenticateProjectApiKeyOrPersonalAccessToken,
authenticateRequest,
authenticatedEnvironmentForAuthentication,
branchNameFromRequest,
} from "~/services/apiAuth.server";
Expand All @@ -21,7 +21,7 @@ export async function action({ params, request }: ActionFunctionArgs) {
return json({ error: "Invalid params" }, { status: 400 });
}

const authenticationResult = await authenticateProjectApiKeyOrPersonalAccessToken(request);
const authenticationResult = await authenticateRequest(request);

if (!authenticationResult) {
return json({ error: "Invalid or Missing API key" }, { status: 401 });
Expand Down
6 changes: 3 additions & 3 deletions apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ import { ActionFunctionArgs, LoaderFunctionArgs, json } from "@remix-run/server-
import { CreateEnvironmentVariableRequestBody } from "@trigger.dev/core/v3";
import { z } from "zod";
import {
authenticateProjectApiKeyOrPersonalAccessToken,
authenticateRequest,
authenticatedEnvironmentForAuthentication,
} from "~/services/apiAuth.server";
import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
Expand All @@ -19,7 +19,7 @@ export async function action({ params, request }: ActionFunctionArgs) {
return json({ error: "Invalid params" }, { status: 400 });
}

const authenticationResult = await authenticateProjectApiKeyOrPersonalAccessToken(request);
const authenticationResult = await authenticateRequest(request);

if (!authenticationResult) {
return json({ error: "Invalid or Missing API key" }, { status: 401 });
Expand Down Expand Up @@ -66,7 +66,7 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
return json({ error: "Invalid params" }, { status: 400 });
}

const authenticationResult = await authenticateProjectApiKeyOrPersonalAccessToken(request);
const authenticationResult = await authenticateRequest(request);

if (!authenticationResult) {
return json({ error: "Invalid or Missing API key" }, { status: 401 });
Expand Down
Loading
Loading