fix: exchange token authz, remove n+1 tenant lookup for organizations, slack oauth casing (#3631)

* fix: remove n+1 tenant lookup for organizations

* fix build

* remove loading state

* fix: exchange tokens should not case on restrictedWithBearerToken

* add slack webhook sync

* Revert "add slack webhook sync"

This reverts commit 42557ae.

* make security on list integrations endpoint optional

* case slack alert linking on control plane

* update api generation

* fix: exchange token PAT behavior

Author: abelanger5

api/v1/server/authn/middleware.go

@@ -213,16 +213,7 @@ func (a *AuthN) handleCookieAuth(c echo.Context) error {
 func (a *AuthN) handleBearerAuth(c echo.Context) error {
 	forbidden := echo.NewHTTPError(http.StatusForbidden, "Please provide valid credentials")
 
-	// a tenant id must exist in the context in order for the bearer auth to succeed, since
-	// these tokens are tenant-scoped
 	ctx := c.Request().Context()
-	queriedTenant, ok := c.Get("tenant").(*sqlcv1.Tenant)
-
-	if !ok {
-		a.l.Debug().Ctx(ctx).Msgf("tenant not found in context")
-
-		return fmt.Errorf("tenant not found in context")
-	}
 
 	token, isExchangeToken, err := getBearerTokenFromRequest(c.Request())
 
@@ -232,6 +223,8 @@ func (a *AuthN) handleBearerAuth(c echo.Context) error {
 		return forbidden
 	}
 
+	queriedTenant, isTenantScoped := c.Get("tenant").(*sqlcv1.Tenant)
+
 	if isExchangeToken {
 		if a.config.Auth.ExchangeTokenClient == nil {
 			a.l.Error().Msgf("exchange token client is not configured")
@@ -247,7 +240,9 @@ func (a *AuthN) handleBearerAuth(c echo.Context) error {
 			return forbidden
 		}
 
-		if *tenantId != queriedTenant.ID {
+		// we permit exchange token auth if the token is valid and represents a user if the endpoint is not tenant-scoped, because
+		// this is effectively a PAT without the tenant scoping
+		if isTenantScoped && *tenantId != queriedTenant.ID {
 			a.l.Error().Msgf("tenant id in token does not match tenant id in context")
 
 			return forbidden
@@ -284,6 +279,13 @@ func (a *AuthN) handleBearerAuth(c echo.Context) error {
 		return nil
 	}
 
+	// If we've reached this point, and it's not tenant-scoped, this endpoint is forbidden
+	if !isTenantScoped {
+		a.l.Debug().Ctx(ctx).Msgf("bearer token auth attempted on non-tenant-scoped endpoint")
+
+		return forbidden
+	}
+
 	// Validate the token.
 	tenantId, tokenUUID, err := a.config.Auth.JWTManager.ValidateTenantToken(c.Request().Context(), token)
 

api/v1/server/authz/middleware.go

@@ -92,6 +92,8 @@ var restrictedWithBearerToken = []string{
 // and we check that the bearer token has access to the tenant in the authn step.
 func (a *AuthZ) handleBearerAuth(c echo.Context, r *middleware.RouteInfo) error {
 	// check for is_exchange_token set in the context, in which case we need to validate the user set in the context
+	// exchange tokens are subject to the same RBAC restrictions as cookie auth, since they represent a user. only
+	// regular bearer tokens should be subject to the additional restrictions in restrictedWithBearerToken
 	if isExchangeToken, ok := c.Get(middleware.IsExchangeTokenContextKey).(bool); ok && isExchangeToken {
 		if a.config.Auth.ExchangeTokenClient == nil {
 			a.l.Error().Msgf("exchange token client is not configured, but is_exchange_token is set in context")
@@ -107,10 +109,10 @@ func (a *AuthZ) handleBearerAuth(c echo.Context, r *middleware.RouteInfo) error
 			a.l.Debug().Ctx(c.Request().Context()).Err(err).Msgf("error validating user tenant permissions for exchange token user")
 			return echo.NewHTTPError(http.StatusUnauthorized, "Not authorized to view this resource")
 		}
-	}
-
-	if rbac.OperationIn(r.OperationID, restrictedWithBearerToken) {
-		return echo.NewHTTPError(http.StatusUnauthorized, "Not authorized to perform this operation")
+	} else if !isExchangeToken {
+		if rbac.OperationIn(r.OperationID, restrictedWithBearerToken) {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Not authorized to perform this operation")
+		}
 	}
 
 	return nil

frontend/app/src/lib/api/generated/control-plane/data-contracts.ts

@@ -126,6 +126,10 @@ export interface OrganizationTenant {
    * @format uuid
    */
   id: string;
+  /** Name of the tenant */
+  name?: string;
+  /** Slug of the tenant */
+  slug?: string;
   /** Status of the tenant */
   status: TenantStatusType;
   /**

frontend/app/src/pages/main/v1/tenant-settings/alerting/index.tsx

@@ -13,6 +13,7 @@ import { SimpleTable } from '@/components/v1/molecules/simple-table/simple-table
 import { Button } from '@/components/v1/ui/button';
 import { Spinner } from '@/components/v1/ui/loading';
 import { Separator } from '@/components/v1/ui/separator';
+import useControlPlane from '@/hooks/use-control-plane';
 import { useCurrentTenantId, useTenantDetails } from '@/hooks/use-tenant';
 import api, {
   CreateTenantAlertEmailGroupRequest,
@@ -311,6 +312,7 @@ function DeleteEmailGroup({
 
 function SlackWebhooksList() {
   const { tenantId } = useCurrentTenantId();
+  const { isControlPlaneEnabled } = useControlPlane();
   const [deleteSlack, setDeleteSlack] = useState<SlackWebhook | null>(null);
 
   const listWebhooksQuery = useQuery({
@@ -356,7 +358,13 @@ function SlackWebhooksList() {
         <h3 className="text-xl font-semibold leading-tight text-foreground">
           Slack Webhooks
         </h3>
-        <a href={'/api/v1/tenants/' + tenantId + '/slack/start'}>
+        <a
+          href={
+            isControlPlaneEnabled
+              ? '/api/v1/control-plane/tenants/' + tenantId + '/slack/start'
+              : '/api/v1/tenants/' + tenantId + '/slack/start'
+          }
+        >
           <Button key="create-slack-webhook">Add Slack Webhook</Button>
         </a>
       </div>

frontend/app/src/pages/organizations/$organization/index.tsx

@@ -23,7 +23,6 @@ import {
 } from '@/components/v1/ui/tooltip';
 import { useCurrentUser } from '@/hooks/use-current-user';
 import { useOrganizations } from '@/hooks/use-organizations';
-import api from '@/lib/api';
 import {
   OrganizationMember,
   ManagementToken,
@@ -50,7 +49,7 @@ import {
   ArrowRightIcon,
 } from '@heroicons/react/24/outline';
 import { EllipsisVerticalIcon, TrashIcon } from '@heroicons/react/24/outline';
-import { useQuery, useQueries, useQueryClient } from '@tanstack/react-query';
+import { useQuery, useQueryClient } from '@tanstack/react-query';
 import { useParams, useNavigate } from '@tanstack/react-router';
 import { isAxiosError } from 'axios';
 import { formatDistanceToNow } from 'date-fns';
@@ -145,25 +144,6 @@ export default function OrganizationPage() {
     enabled: !!orgId,
   });
 
-  const tenantQueries = useQueries({
-    queries: (organizationQuery.data?.tenants || [])
-      .filter((tenant) => tenant.status !== TenantStatusType.ARCHIVED)
-      .map((tenant) => ({
-        queryKey: ['tenant:get', tenant.id],
-        queryFn: async () => {
-          const result = await api.tenantGet(tenant.id);
-          return result.data;
-        },
-        enabled: !!tenant.id && !!organizationQuery.data,
-      })),
-  });
-
-  const tenantsLoading = tenantQueries.some((query) => query.isLoading);
-
-  const detailedTenants = tenantQueries
-    .filter((query) => query.data)
-    .map((query) => query.data);
-
   const managementTokensQuery = useQuery({
     ...orgApi.managementTokenListQuery(orgId),
     enabled: !!orgId,
@@ -233,10 +213,7 @@ export default function OrganizationPage() {
       cellRenderer: (
         row: OrganizationTenant & { metadata: { id: string } },
       ) => {
-        const detailed = detailedTenants.find((t) => t?.metadata.id === row.id);
-        return (
-          <span className="font-medium">{detailed?.name || 'Loading...'}</span>
-        );
+        return <span className="font-medium">{row.name || row.id}</span>;
       },
     },
     {
@@ -255,10 +232,7 @@ export default function OrganizationPage() {
       cellRenderer: (
         row: OrganizationTenant & { metadata: { id: string } },
       ) => {
-        const detailed = detailedTenants.find((t) => t?.metadata.id === row.id);
-        return (
-          <span className="text-muted-foreground">{detailed?.slug || '-'}</span>
-        );
+        return <span className="text-muted-foreground">{row.slug || '-'}</span>;
       },
     },
     {
@@ -578,11 +552,7 @@ export default function OrganizationPage() {
           <div className="flex-1 overflow-y-auto px-8">
             {activeSection === 'tenants' && (
               <>
-                {tenantsLoading ? (
-                  <div className="flex items-center justify-center py-8">
-                    <Loading />
-                  </div>
-                ) : organization.tenants && organization.tenants.length > 0 ? (
+                {organization.tenants && organization.tenants.length > 0 ? (
                   <SimpleTable
                     data={organization.tenants
                       .filter(
@@ -738,8 +708,13 @@ export default function OrganizationPage() {
 
       {(() => {
         const foundTenant = tenantToArchive
-          ? detailedTenants.find((t) => t?.metadata.id === tenantToArchive.id)
+          ? organization.tenants?.find((t) => t?.id === tenantToArchive.id)
           : undefined;
+
+        if (!foundTenant) {
+          return null;
+        }
+
         return (
           tenantToArchive &&
           organization &&
@@ -748,7 +723,7 @@ export default function OrganizationPage() {
               open={!!tenantToArchive}
               onOpenChange={(open) => !open && setTenantToArchive(null)}
               tenant={tenantToArchive}
-              tenantName={foundTenant.name}
+              tenantName={foundTenant.name || foundTenant.id}
               organizationName={organization.name}
               onSuccess={() => {
                 queryClient.invalidateQueries({