See if we can write without a user (using api keys)

[benmerckx]

No description provided.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/alinea@489

commit: 5d03bda

[cloetensbrecht]

I can confirm that this is working as expected

[Copilot]

Pull request overview

This PR adjusts the backend handler’s mutate endpoint to allow write operations when no authenticated user is present, relying on API-key-based authorization instead.

Changes:

• Removes the hard requirement for mutate requests to have an authenticated user.
• Makes policy creation conditional on the presence of a user context (roles).

Comments suppressed due to low confidence (1)

src/backend/Handler.ts:174

• When userCtx is absent (API-key auth path), policy becomes undefined, and local.request(mutations, policy) will create an EntryTransaction with its default policy (Policy.ALLOW_ALL). This effectively bypasses all permission checks for API-key requests (previously expectUser() + role-based policy enforced permissions). If API keys should not be full-admin, pass an explicit restrictive policy (e.g., await local.createPolicy([]) / Policy.ALLOW_NONE) or derive a dedicated API-key role/policy; if they should be full-admin, consider passing Policy.ALLOW_ALL explicitly here to make the escalation intentional and auditable.

        const user = userCtx?.user
        expectJson()
        const policy = user && (await local.createPolicy(user.roles))
        const mutations = await body
        const attempt = async (retry = 0) => {
          await local.syncWith(cnx)
          const request = await local.request(mutations, policy)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This change introduces a new auth mode for mutate (API key without a user), but there are no tests covering the permission behavior and expected status codes for this path. Please add handler tests exercising action=mutate with (1) a verified user (policy enforced) and (2) API-key-only auth, asserting the intended permission model (deny by default vs allow-all vs specific role).

[benmerckx]

@copilot write tests for this change

[Copilot]

@copilot write tests for this change

Added two tests to Handler.test.ts (commit 5d03bda):

1. mutate with authenticated user creates and enforces policy — mocks a remote that verifies a viewer user, and asserts that createPolicy is called with the user's roles and the resulting Policy instance is forwarded to local.request.

2. mutate with api key only skips policy creation — mocks a remote that always throws MissingCredentialsError, and asserts that with a valid API key bearer token, createPolicy is not called and local.request receives undefined as the policy (meaning Policy.ALLOW_ALL in EntryTransaction).