feat(api-key): allow apiKey mode on api-key management commands#238
Conversation
ApiKeyList/Fetch/Create/Edit/Delete were bearer-only, so FlowcoreClient in apiKey mode threw 'Not allowed in "apiKey" mode' before any request was made. The tenant-store now accepts api-key principals on these routes (IAM-gated on frn::<tenantId>:tenant), so the client-side gate no longer reflects the backend. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01MmTkzbSACo6PhBj9o1Sr8A
📝 WalkthroughWalkthroughThis PR updates the ChangesAPI Key allowedModes update
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/commands/api-key/api-key.create.ts (1)
47-51: 🧹 Nitpick | 🔵 TrivialConfirm tenant-store deployment before merge.
This change relies on tenant-store already accepting
AuthType.ApiKeyon these routes. If merged/released ahead of that server-side deploy, api-key-mode calls will pass the client check here but fail server-side with a possibly less clear error. Worth confirming rollout order before shipping this package version.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/commands/api-key/api-key.create.ts` around lines 47 - 51, The Api-key command in api-key.create.ts is now allowed in apiKey mode, but it depends on tenant-store already accepting AuthType.ApiKey on the management routes. Before merging or releasing this package version, verify the tenant-store rollout is complete and coordinated; if deployment order cannot be guaranteed, add a version/feature gate around the apiKey path in the command so it only becomes available once the server side is ready.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/commands/api-key/api-key.create.ts`:
- Around line 47-51: The Api-key command in api-key.create.ts is now allowed in
apiKey mode, but it depends on tenant-store already accepting AuthType.ApiKey on
the management routes. Before merging or releasing this package version, verify
the tenant-store rollout is complete and coordinated; if deployment order cannot
be guaranteed, add a version/feature gate around the apiKey path in the command
so it only becomes available once the server side is ready.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: c63706b1-8975-4e7d-bd22-13ce2458af76
📒 Files selected for processing (5)
src/commands/api-key/api-key.create.tssrc/commands/api-key/api-key.delete.tssrc/commands/api-key/api-key.edit.tssrc/commands/api-key/api-key.fetch.tssrc/commands/api-key/api-key.list.ts
Problem
ApiKeyListCommand,ApiKeyFetchCommand,ApiKeyCreateCommand,ApiKeyEditCommand, andApiKeyDeleteCommanddeclareallowedModes: ["bearer"], so aFlowcoreClientauthenticated with an api key throwsNot allowed in "apiKey" modeclient-side before any request is made. This blocks api-key-driven IAM automation (e.g. listing keys to link policies to them).Change
Relax
allowedModesto["apiKey", "bearer"]on the five api-key management commands. Server-side authorization is unchanged and mandatory: tenant-store gates these routes on IAM grants (frn::<tenantId>:tenantread/write), and api-key principals never get the flowcore-admin bypass.Dependencies — merge order
Requires the tenant-store release that accepts
AuthType.ApiKeyon the api-key management routes (flowcore-io/service-tenant-store-api,feat/api-key-auth-on-api-key-routes, built on @flowcore/hono-api 0.4.0). Hold merge until that is deployed — otherwise clients get server-side 401s instead of the clear client-side mode error.Part of the fc_ api-key enablement series: flowcore-io/service-iam-service#89 (deployed, v1.34.0), flowcore-io/hono-api#37 (v0.4.0), tenant-store PR (pending).
🤖 Generated with Claude Code
https://claude.ai/code/session_01MmTkzbSACo6PhBj9o1Sr8A
Summary by CodeRabbit