Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

fix: scope org-only v1 API key auth#7961

Open
xernobyl wants to merge 5 commits intomainformbricks/formbricks:mainfrom
chore/readonly_org_fixformbricks/formbricks:chore/readonly_org_fixCopy head branch name to clipboard
Open

fix: scope org-only v1 API key auth#7961
xernobyl wants to merge 5 commits intomainformbricks/formbricks:mainfrom
chore/readonly_org_fixformbricks/formbricks:chore/readonly_org_fixCopy head branch name to clipboard

Conversation

@xernobyl
Copy link
Copy Markdown
Contributor

@xernobyl xernobyl commented May 8, 2026

What does this PR do?

Fixes ENG-857

This PR fixes read-only organization API keys returning errors for the scoped v1 GET endpoints:

  • GET /api/v1/management/me
  • GET /api/v1/management/surveys

It allows organization-only API keys to authenticate only where explicitly supported, instead of broadening v1 API-key behavior globally. /management/me opts in directly, and /management/surveys opts in through the v1 API wrapper. Other v1 management routes keep the previous environment-permission requirement.

How should this be tested?

  • Run the focused test suite:
pnpm --filter @formbricks/web test app/api/v1/auth.test.ts app/lib/api/with-api-logging.test.ts app/api/v1/management/me/route.test.ts

  • Manually create or modify an API key so it has:

    • Organization Access: Read
    • No workspace/environment permissions

  • Verify these endpoints return 200:

curl -i -H "x-api-key: YOUR_KEY" http://localhost:3000/api/v1/management/me
curl -i -H "x-api-key: YOUR_KEY" http://localhost:3000/api/v1/management/surveys
  • Verify org-only access did not broaden to unrelated v1 routes:
curl -i -H "x-api-key: YOUR_KEY" http://localhost:3000/api/v1/management/action-classes

Expected: 401.

Checklist

Required

  • Filled out the "How to test" section in this PR
  • Read How we Code at Formbricks
  • Self-reviewed my own code
  • Commented on my code in hard-to-understand bits
  • Ran pnpm build
  • Checked for warnings, there are none
  • Removed all console.logs
  • Merged the latest changes from main onto my branch with git pull origin main
  • My changes don't cause any responsiveness issues
  • First PR at Formbricks? Please sign the CLA! Without it we wont be able to merge it 🙏

Appreciated

  • If a UI change was made: Added a screen recording or screenshots to this PR
  • Updated the Formbricks Docs if changes were necessary

@xernobyl xernobyl requested a review from Dhruwang May 8, 2026 14:59
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 8, 2026

Review Change Stack

Walkthrough

This PR adds organization-only API key support to the Formbricks API authentication system. It introduces a new AuthenticateApiKeyOptions type with an allowOrganizationOnlyApiKey flag to control whether API keys lacking environment-specific permissions are accepted. A new authenticateApiKey function centralizes API key validation logic, while authenticateRequest is refactored to delegate to it. New helpers getEnvironmentIdsByOrganizationId and getReadableEnvironmentIds provide organization and access-aware environment lookups. The buildApiKeyMeResponse helper constructs responses for both new organization-only and legacy single-environment API key shapes. The API wrapper (withV1ApiWrapper) and route handlers for /api/v1/management/me and /api/v1/management/surveys are updated to use these helpers, enabling organization-level API key access while preserving backward compatibility.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'fix: scope org-only v1 API key auth' clearly and concisely summarizes the main change: scoping organization-only API key authentication to specific endpoints.
Description check ✅ Passed The description covers the issue fixed (ENG-857), the specific endpoints affected, the approach (opt-in to org-only keys), and provides comprehensive testing instructions with curl examples.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/web/app/api/v1/management/me/lib/api-key-response.test.ts`:
- Around line 35-160: Add a test to document the behavior where
organizationAccess.accessControl.read is true and environmentPermissions.length
=== 1: call buildApiKeyMeResponse with baseAuthentication plus
organizationAccess { accessControl: { read: true, write: false } } and a single
environmentPermission (use environmentPermission("env-id","read")), mock
getEnvironment to return the environment object (include createdAt/updatedAt
dates and projectId), and assert that the response is the legacy
environment-shaped payload (status 200 and JSON matching id, type,
createdAt/updatedAt ISO strings, appSetupCompleted, and project { id, name })
and that getEnvironment was called with "env-id"; place the test alongside the
other buildApiKeyMeResponse tests.

In `@apps/web/app/api/v1/management/me/lib/api-key-response.ts`:
- Around line 21-29: The current branching silently falls through when
hasOrganizationAccess(authentication, OrganizationAccessType.Read) is true and
authentication.environmentPermissions.length === 1, causing inconsistent
legacy-shaped responses; change the logic so that if hasOrganizationAccess(...,
OrganizationAccessType.Read) then always return
Response.json(buildApiKeyMetadataResponse(authentication)) (no nested length
check), otherwise keep the existing environmentPermissions length !== 1 =>
return null check and fall through to the legacy environment-shaped response for
length === 1; update the code paths around hasOrganizationAccess and
buildApiKeyMetadataResponse and add a unit test that constructs an
authentication with hasOrganizationAccess true and environmentPermissions.length
=== 1 asserting the metadata response is returned.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5beede62-61d0-4727-8408-eb8a59afcc0d

📥 Commits

Reviewing files that changed from the base of the PR and between 69ead97 and ff20e7b.

📒 Files selected for processing (14)
  • apps/web/app/api/v1/auth.test.ts
  • apps/web/app/api/v1/auth.ts
  • apps/web/app/api/v1/management/me/lib/api-key-response.test.ts
  • apps/web/app/api/v1/management/me/lib/api-key-response.ts
  • apps/web/app/api/v1/management/me/route.test.ts
  • apps/web/app/api/v1/management/me/route.ts
  • apps/web/app/api/v1/management/surveys/lib/access.test.ts
  • apps/web/app/api/v1/management/surveys/lib/access.ts
  • apps/web/app/api/v1/management/surveys/route.test.ts
  • apps/web/app/api/v1/management/surveys/route.ts
  • apps/web/app/lib/api/with-api-logging.test.ts
  • apps/web/app/lib/api/with-api-logging.ts
  • apps/web/lib/environment/organization.test.ts
  • apps/web/lib/environment/organization.ts

Comment thread apps/web/app/api/v1/management/me/lib/api-key-response.test.ts
Comment thread apps/web/app/api/v1/management/me/lib/api-key-response.ts Outdated
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 8, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
95.5% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@Dhruwang Dhruwang Awaiting requested review from Dhruwang

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@xernobyl
Morty Proxy This is a proxified and sanitized view of the page, visit original site.