feat: introduce organization access tokens (#2391)

* Create schema and migration for organization access tokens

* Add helpers for creating and authenticating OATs

* Adapt the auth service to also accept OATs

* Accept OATs in the whoami v2 endpoint

* Enable deployments with the CLI using OATs

* Avoid reading env variables directly in the token utils

* Remove duplicate cli token utils

* Validate ENCRYPTION_KEY length when parsing env vars

* Make token utils a server-only module

* Disallow revoking already revoked OATs

* Simplify generics in authenticateRequest

* Use 32 bytes mock encryption key in the test setup

* Update dummy encryption key values in tests and templates

* Add a column in the OATs table to differentiate between user and system generated

* Simplify args for v3ProjectPath

Co-authored-by: Matt Aitken <[email protected]>

* Add index on org id and createdAt

* Avoid storing the encrypted oat token and its obfuscated version in the DB at all

It is a safer approach. Also we do not need to ever read the decrypted token value after creation.

* Fix prisma update condition

* Add token type to the OAT table index

* Accept OATs in the mcp auth flow

* Simplify env auth flow around the /projects endpoints

---------

Co-authored-by: Matt Aitken <[email protected]>

Author: myftija

.github/workflows/unit-tests-webapp.yml

@@ -85,7 +85,7 @@ jobs:
           DIRECT_URL: postgresql://postgres:postgres@localhost:5432/postgres
           SESSION_SECRET: "secret"
           MAGIC_LINK_SECRET: "secret"
-          ENCRYPTION_KEY: "secret"
+          ENCRYPTION_KEY: "dummy-encryption-keeeey-32-bytes"
           DEPLOY_REGISTRY_HOST: "docker.io"
           CLICKHOUSE_URL: "http://default:password@localhost:8123"
 

apps/webapp/app/env.server.ts

@@ -23,7 +23,12 @@ const EnvironmentSchema = z.object({
   DATABASE_READ_REPLICA_URL: z.string().optional(),
   SESSION_SECRET: z.string(),
   MAGIC_LINK_SECRET: z.string(),
-  ENCRYPTION_KEY: z.string(),
+  ENCRYPTION_KEY: z
+    .string()
+    .refine(
+      (val) => Buffer.from(val, "utf8").length === 32,
+      "ENCRYPTION_KEY must be exactly 32 bytes"
+    ),
   WHITELISTED_EMAILS: z
     .string()
     .refine(isValidRegex, "WHITELISTED_EMAILS must be a valid regex.")

apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts

@@ -1,9 +1,10 @@
-import { ActionFunctionArgs, json } from "@remix-run/node";
+import { type ActionFunctionArgs, json } from "@remix-run/node";
 import { generateJWT as internal_generateJWT } from "@trigger.dev/core/v3";
 import { z } from "zod";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
-import { getEnvironmentFromEnv } from "./api.v1.projects.$projectRef.$env";
+import {
+  authenticatedEnvironmentForAuthentication,
+  authenticateRequest,
+} from "~/services/apiAuth.server";
 
 const ParamsSchema = z.object({
   projectRef: z.string(),
@@ -20,7 +21,11 @@ const RequestBodySchema = z.object({
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
+  const authenticationResult = await authenticateRequest(request, {
+    personalAccessToken: true,
+    organizationAccessToken: true,
+    apiKey: false,
+  });
 
   if (!authenticationResult) {
     return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
@@ -33,35 +38,14 @@ export async function action({ request, params }: ActionFunctionArgs) {
   }
 
   const { projectRef, env } = parsedParams.data;
+  const triggerBranch = request.headers.get("x-trigger-branch") ?? undefined;
 
-  const project = await prisma.project.findFirst({
-    where: {
-      externalRef: projectRef,
-      organization: {
-        members: {
-          some: {
-            userId: authenticationResult.userId,
-          },
-        },
-      },
-    },
-  });
-
-  if (!project) {
-    return json({ error: "Project not found" }, { status: 404 });
-  }
-
-  const envResult = await getEnvironmentFromEnv({
-    projectId: project.id,
-    userId: authenticationResult.userId,
+  const runtimeEnv = await authenticatedEnvironmentForAuthentication(
+    authenticationResult,
+    projectRef,
     env,
-  });
-
-  if (!envResult.success) {
-    return json({ error: envResult.error }, { status: 404 });
-  }
-
-  const runtimeEnv = envResult.environment;
+    triggerBranch
+  );
 
   const parsedBody = RequestBodySchema.safeParse(await request.json());
 
@@ -72,29 +56,8 @@ export async function action({ request, params }: ActionFunctionArgs) {
     );
   }
 
-  const triggerBranch = request.headers.get("x-trigger-branch") ?? undefined;
-
-  let previewBranchEnvironmentId: string | undefined;
-
-  if (triggerBranch) {
-    const previewBranch = await prisma.runtimeEnvironment.findFirst({
-      where: {
-        projectId: project.id,
-        branchName: triggerBranch,
-        parentEnvironmentId: runtimeEnv.id,
-        archivedAt: null,
-      },
-    });
-
-    if (previewBranch) {
-      previewBranchEnvironmentId = previewBranch.id;
-    } else {
-      return json({ error: `Preview branch ${triggerBranch} not found` }, { status: 404 });
-    }
-  }
-
   const claims = {
-    sub: previewBranchEnvironmentId ?? runtimeEnv.id,
+    sub: runtimeEnv.id,
     pub: true,
     ...parsedBody.data.claims,
   };

apps/webapp/app/routes/api.v1.projects.$projectRef.$env.ts

@@ -1,11 +1,11 @@
 import { json, type LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { type GetProjectEnvResponse } from "@trigger.dev/core/v3";
-import { type RuntimeEnvironment } from "@trigger.dev/database";
 import { z } from "zod";
-import { prisma } from "~/db.server";
 import { env as processEnv } from "~/env.server";
-import { logger } from "~/services/logger.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import {
+  authenticatedEnvironmentForAuthentication,
+  authenticateRequest,
+} from "~/services/apiAuth.server";
 
 const ParamsSchema = z.object({
   projectRef: z.string(),
@@ -15,14 +15,6 @@ const ParamsSchema = z.object({
 type ParamsSchema = z.infer<typeof ParamsSchema>;
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  logger.info("projects get env", { url: request.url });
-
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
-  }
-
   const parsedParams = ParamsSchema.safeParse(params);
 
   if (!parsedParams.success) {
@@ -31,162 +23,24 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
 
   const { projectRef, env } = parsedParams.data;
 
-  const project = await prisma.project.findFirst({
-    where: {
-      externalRef: projectRef,
-      organization: {
-        members: {
-          some: {
-            userId: authenticationResult.userId,
-          },
-        },
-      },
-    },
-  });
-
-  if (!project) {
-    return json({ error: "Project not found" }, { status: 404 });
-  }
-
-  const envResult = await getEnvironmentFromEnv({
-    projectId: project.id,
-    userId: authenticationResult.userId,
-    env,
-  });
+  const authenticationResult = await authenticateRequest(request);
 
-  if (!envResult.success) {
-    return json({ error: envResult.error }, { status: 404 });
+  if (!authenticationResult) {
+    return json({ error: "Invalid or Missing API key" }, { status: 401 });
   }
 
-  const runtimeEnv = envResult.environment;
+  const environment = await authenticatedEnvironmentForAuthentication(
+    authenticationResult,
+    projectRef,
+    env
+  );
 
   const result: GetProjectEnvResponse = {
-    apiKey: runtimeEnv.apiKey,
-    name: project.name,
+    apiKey: environment.apiKey,
+    name: environment.project.name,
     apiUrl: processEnv.API_ORIGIN ?? processEnv.APP_ORIGIN,
-    projectId: project.id,
+    projectId: environment.project.id,
   };
 
   return json(result);
 }
-
-export async function getEnvironmentFromEnv({
-  projectId,
-  userId,
-  env,
-  branch,
-}: {
-  projectId: string;
-  userId: string;
-  env: ParamsSchema["env"];
-  branch?: string;
-}): Promise<
-  | {
-      success: true;
-      environment: RuntimeEnvironment;
-    }
-  | {
-      success: false;
-      error: string;
-    }
-> {
-  if (env === "dev") {
-    const environment = await prisma.runtimeEnvironment.findFirst({
-      where: {
-        projectId,
-        orgMember: {
-          userId: userId,
-        },
-      },
-    });
-
-    if (!environment) {
-      return {
-        success: false,
-        error: "Dev environment not found",
-      };
-    }
-
-    return {
-      success: true,
-      environment,
-    };
-  }
-
-  let slug: "stg" | "prod" | "preview" = "prod";
-  switch (env) {
-    case "staging":
-      slug = "stg";
-      break;
-    case "prod":
-      slug = "prod";
-      break;
-    case "preview":
-      slug = "preview";
-      break;
-    default:
-      break;
-  }
-
-  if (slug === "preview") {
-    const previewEnvironment = await prisma.runtimeEnvironment.findFirst({
-      where: {
-        projectId,
-        slug: "preview",
-      },
-    });
-
-    if (!previewEnvironment) {
-      return {
-        success: false,
-        error: "Preview environment not found",
-      };
-    }
-
-    // If no branch is provided, just return the parent preview environment
-    if (!branch) {
-      return {
-        success: true,
-        environment: previewEnvironment,
-      };
-    }
-
-    const branchEnvironment = await prisma.runtimeEnvironment.findFirst({
-      where: {
-        parentEnvironmentId: previewEnvironment.id,
-        branchName: branch,
-      },
-    });
-
-    if (!branchEnvironment) {
-      return {
-        success: false,
-        error: `Preview branch ${branch} not found`,
-      };
-    }
-
-    return {
-      success: true,
-      environment: branchEnvironment,
-    };
-  }
-
-  const environment = await prisma.runtimeEnvironment.findFirst({
-    where: {
-      projectId,
-      slug,
-    },
-  });
-
-  if (!environment) {
-    return {
-      success: false,
-      error: `${env === "staging" ? "Staging" : "Production"} environment not found`,
-    };
-  }
-
-  return {
-    success: true,
-    environment,
-  };
-}