feat(webapp): enforce env var permissions on the API routes

The environment variable API routes now apply the caller's role to the
targeted environment tier when authenticated with a personal access token,
so a restricted role can't read or write deployed env vars via the API.
Environment API keys are scoped to a single environment already, so they
are unaffected.

Author: matt-aitken

apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.$name.ts

@@ -8,6 +8,7 @@ import {
   branchNameFromRequest,
 } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
+import { authorizeEnvVarApiRequest } from "~/services/environmentVariableApiAccess.server";
 import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
 
 const ParamsSchema = z.object({
@@ -24,7 +25,11 @@ export async function action({ params, request }: ActionFunctionArgs) {
   }
 
   try {
-    const authenticationResult = await authenticateRequest(request);
+    const authenticationResult = await authenticateRequest(request, {
+      personalAccessToken: true,
+      organizationAccessToken: true,
+      apiKey: true,
+    });
 
     if (!authenticationResult) {
       return json({ error: "Invalid or Missing API key" }, { status: 401 });
@@ -37,6 +42,16 @@ export async function action({ params, request }: ActionFunctionArgs) {
       branchNameFromRequest(request)
     );
 
+    const denied = await authorizeEnvVarApiRequest({
+      request,
+      authType: authenticationResult.type,
+      organizationId: environment.organizationId,
+      projectId: environment.project.id,
+      envType: environment.type,
+      action: "write",
+    });
+    if (denied) return denied;
+
     // Find the environment variable
     const variable = await prisma.environmentVariable.findFirst({
       where: {
@@ -110,7 +125,11 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
   }
 
   try {
-    const authenticationResult = await authenticateRequest(request);
+    const authenticationResult = await authenticateRequest(request, {
+      personalAccessToken: true,
+      organizationAccessToken: true,
+      apiKey: true,
+    });
 
     if (!authenticationResult) {
       return json({ error: "Invalid or Missing API key" }, { status: 401 });
@@ -123,6 +142,16 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
       branchNameFromRequest(request)
     );
 
+    const denied = await authorizeEnvVarApiRequest({
+      request,
+      authType: authenticationResult.type,
+      organizationId: environment.organizationId,
+      projectId: environment.project.id,
+      envType: environment.type,
+      action: "read",
+    });
+    if (denied) return denied;
+
     // Find the environment variable
     const variable = await prisma.environmentVariable.findFirst({
       where: {

apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts

@@ -7,6 +7,7 @@ import {
   authenticatedEnvironmentForAuthentication,
   branchNameFromRequest,
 } from "~/services/apiAuth.server";
+import { authorizeEnvVarApiRequest } from "~/services/environmentVariableApiAccess.server";
 import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
 
 const ParamsSchema = z.object({
@@ -21,7 +22,11 @@ export async function action({ params, request }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request);
+  const authenticationResult = await authenticateRequest(request, {
+    personalAccessToken: true,
+    organizationAccessToken: true,
+    apiKey: true,
+  });
 
   if (!authenticationResult) {
     return json({ error: "Invalid or Missing API key" }, { status: 401 });
@@ -34,6 +39,16 @@ export async function action({ params, request }: ActionFunctionArgs) {
     branchNameFromRequest(request)
   );
 
+  const denied = await authorizeEnvVarApiRequest({
+    request,
+    authType: authenticationResult.type,
+    organizationId: environment.organizationId,
+    projectId: environment.project.id,
+    envType: environment.type,
+    action: "write",
+  });
+  if (denied) return denied;
+
   const repository = new EnvironmentVariablesRepository();
 
   const body = await parseImportBody(request);

apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts

@@ -6,6 +6,7 @@ import {
   authenticatedEnvironmentForAuthentication,
   branchNameFromRequest,
 } from "~/services/apiAuth.server";
+import { authorizeEnvVarApiRequest } from "~/services/environmentVariableApiAccess.server";
 import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
 
 const ParamsSchema = z.object({
@@ -20,7 +21,11 @@ export async function action({ params, request }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request);
+  const authenticationResult = await authenticateRequest(request, {
+    personalAccessToken: true,
+    organizationAccessToken: true,
+    apiKey: true,
+  });
 
   if (!authenticationResult) {
     return json({ error: "Invalid or Missing API key" }, { status: 401 });
@@ -33,6 +38,16 @@ export async function action({ params, request }: ActionFunctionArgs) {
     branchNameFromRequest(request)
   );
 
+  const denied = await authorizeEnvVarApiRequest({
+    request,
+    authType: authenticationResult.type,
+    organizationId: environment.organizationId,
+    projectId: environment.project.id,
+    envType: environment.type,
+    action: "write",
+  });
+  if (denied) return denied;
+
   const jsonBody = await request.json();
 
   const body = CreateEnvironmentVariableRequestBody.safeParse(jsonBody);
@@ -68,7 +83,11 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request);
+  const authenticationResult = await authenticateRequest(request, {
+    personalAccessToken: true,
+    organizationAccessToken: true,
+    apiKey: true,
+  });
 
   if (!authenticationResult) {
     return json({ error: "Invalid or Missing API key" }, { status: 401 });
@@ -81,6 +100,16 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
     branchNameFromRequest(request)
   );
 
+  const denied = await authorizeEnvVarApiRequest({
+    request,
+    authType: authenticationResult.type,
+    organizationId: environment.organizationId,
+    projectId: environment.project.id,
+    envType: environment.type,
+    action: "read",
+  });
+  if (denied) return denied;
+
   const repository = new EnvironmentVariablesRepository();
 
   const variables = await repository.getEnvironmentWithRedactedSecrets(

apps/webapp/app/services/environmentVariableApiAccess.server.ts

@@ -0,0 +1,49 @@
+import { json } from "@remix-run/server-runtime";
+import type { RuntimeEnvironmentType } from "@trigger.dev/database";
+import { rbac } from "~/services/rbac.server";
+
+/**
+ * Env-tier RBAC for the environment-variable API routes.
+ *
+ * Machine credentials (an environment's secret/public API key) are already
+ * scoped to a single environment, so they pass through unchanged. A personal
+ * access token carries a user, so enforce that user's role for the targeted
+ * environment tier — e.g. a Developer can't read or write deployed env vars
+ * via the API, matching the dashboard restriction.
+ *
+ * Returns a `Response` to short-circuit with when access is denied, or
+ * `undefined` when the request may proceed.
+ */
+export async function authorizeEnvVarApiRequest({
+  request,
+  authType,
+  organizationId,
+  projectId,
+  envType,
+  action,
+}: {
+  request: Request;
+  authType: "personalAccessToken" | "organizationAccessToken" | "apiKey";
+  organizationId: string;
+  projectId: string;
+  envType: RuntimeEnvironmentType;
+  action: "read" | "write";
+}): Promise<Response | undefined> {
+  if (authType !== "personalAccessToken") {
+    return undefined;
+  }
+
+  const patAuth = await rbac.authenticatePat(request, { organizationId, projectId });
+  if (!patAuth.ok) {
+    return json({ error: patAuth.error }, { status: patAuth.status });
+  }
+
+  if (!patAuth.ability.can(action, { type: "envvars", envType })) {
+    return json(
+      { error: "You don't have permission to manage environment variables in this environment." },
+      { status: 403 }
+    );
+  }
+
+  return undefined;
+}