Skip to content

feat(api-key): allow apiKey mode on api-key management commands#238

Merged
jbiskur merged 1 commit into
mainfrom
feat/api-key-mode-for-key-management
Jul 5, 2026
Merged

feat(api-key): allow apiKey mode on api-key management commands#238
jbiskur merged 1 commit into
mainfrom
feat/api-key-mode-for-key-management

Conversation

@jbiskur

@jbiskur jbiskur commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Problem

ApiKeyListCommand, ApiKeyFetchCommand, ApiKeyCreateCommand, ApiKeyEditCommand, and ApiKeyDeleteCommand declare allowedModes: ["bearer"], so a FlowcoreClient authenticated with an api key throws Not allowed in "apiKey" mode client-side before any request is made. This blocks api-key-driven IAM automation (e.g. listing keys to link policies to them).

Change

Relax allowedModes to ["apiKey", "bearer"] on the five api-key management commands. Server-side authorization is unchanged and mandatory: tenant-store gates these routes on IAM grants (frn::<tenantId>:tenant read/write), and api-key principals never get the flowcore-admin bypass.

Dependencies — merge order

Requires the tenant-store release that accepts AuthType.ApiKey on the api-key management routes (flowcore-io/service-tenant-store-api, feat/api-key-auth-on-api-key-routes, built on @flowcore/hono-api 0.4.0). Hold merge until that is deployed — otherwise clients get server-side 401s instead of the clear client-side mode error.

Part of the fc_ api-key enablement series: flowcore-io/service-iam-service#89 (deployed, v1.34.0), flowcore-io/hono-api#37 (v0.4.0), tenant-store PR (pending).

🤖 Generated with Claude Code

https://claude.ai/code/session_01MmTkzbSACo6PhBj9o1Sr8A

Summary by CodeRabbit

  • New Features
    • API key management actions now support both API key and bearer authentication modes.
    • Create, view, edit, list, and delete flows can work with newer API key authorization paths where available.
    • Existing bearer-based access remains supported, with authorization restrictions unchanged where applicable.

ApiKeyList/Fetch/Create/Edit/Delete were bearer-only, so FlowcoreClient
in apiKey mode threw 'Not allowed in "apiKey" mode' before any request
was made. The tenant-store now accepts api-key principals on these
routes (IAM-gated on frn::<tenantId>:tenant), so the client-side gate
no longer reflects the backend.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MmTkzbSACo6PhBj9o1Sr8A
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates the allowedModes property in five API-key command classes (create, delete, edit, fetch, list) to permit both "apiKey" and "bearer" authorization modes, previously restricted to "bearer" only, alongside expanded documentation comments describing IAM gating conditions.

Changes

API Key allowedModes update

Layer / File(s) Summary
Expand allowedModes to permit apiKey mode
src/commands/api-key/api-key.create.ts, src/commands/api-key/api-key.delete.ts, src/commands/api-key/api-key.edit.ts, src/commands/api-key/api-key.fetch.ts, src/commands/api-key/api-key.list.ts
Each command's allowedModes property is changed from ["bearer"] to ["apiKey", "bearer"], with documentation comments expanded to note that apiKey mode is supported only on newer tenant-store releases and remains gated by IAM grants.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: enabling apiKey mode for api-key management commands.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/api-key-mode-for-key-management

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/commands/api-key/api-key.create.ts (1)

47-51: 🧹 Nitpick | 🔵 Trivial

Confirm tenant-store deployment before merge.

This change relies on tenant-store already accepting AuthType.ApiKey on these routes. If merged/released ahead of that server-side deploy, api-key-mode calls will pass the client check here but fail server-side with a possibly less clear error. Worth confirming rollout order before shipping this package version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/commands/api-key/api-key.create.ts` around lines 47 - 51, The Api-key
command in api-key.create.ts is now allowed in apiKey mode, but it depends on
tenant-store already accepting AuthType.ApiKey on the management routes. Before
merging or releasing this package version, verify the tenant-store rollout is
complete and coordinated; if deployment order cannot be guaranteed, add a
version/feature gate around the apiKey path in the command so it only becomes
available once the server side is ready.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/commands/api-key/api-key.create.ts`:
- Around line 47-51: The Api-key command in api-key.create.ts is now allowed in
apiKey mode, but it depends on tenant-store already accepting AuthType.ApiKey on
the management routes. Before merging or releasing this package version, verify
the tenant-store rollout is complete and coordinated; if deployment order cannot
be guaranteed, add a version/feature gate around the apiKey path in the command
so it only becomes available once the server side is ready.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c63706b1-8975-4e7d-bd22-13ce2458af76

📥 Commits

Reviewing files that changed from the base of the PR and between 6c3f8d4 and 3d55b6c.

📒 Files selected for processing (5)
  • src/commands/api-key/api-key.create.ts
  • src/commands/api-key/api-key.delete.ts
  • src/commands/api-key/api-key.edit.ts
  • src/commands/api-key/api-key.fetch.ts
  • src/commands/api-key/api-key.list.ts

@jbiskur jbiskur merged commit e3b2de1 into main Jul 5, 2026
2 checks passed
@jbiskur jbiskur deleted the feat/api-key-mode-for-key-management branch July 5, 2026 21:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant