RBAC: API auth e2e coverage — action + PAT + edge cases (TRI-8716)

Close the coverage gap identified in the TRI-8716 audit before TRI-8719
swaps apiBuilder.server.ts to rbac.authenticateBearer. All new tests run
against the legacy authenticateApiRequestWithFailure /
authenticateApiRequestWithPersonalAccessToken path and must stay green
after the migration.

- Action requests (createActionApiRoute) via POST /api/v1/idempotencyKeys/:key/reset:
  * Valid private API key → passes auth (400 on zod body validation, not 401/403).
  * Missing Authorization → 401.
  * Invalid API key → 401.
- JWT on the same action route (allowJWT: true, superScopes write:runs, admin):
  * JWT with matching scope → passes auth.
  * JWT with read-only scope → 403.
- Personal access tokens (createLoaderPATApiRoute) via GET /api/v1/projects/:ref/runs:
  * Missing Authorization → 401.
  * API key (tr_dev_*) on PAT-only route → 401.
  * Wrong-prefix or malformed PAT → 401.
  * Well-formed but unknown PAT → 401.
  * Revoked PAT → 401.
  * Valid PAT on unknown project → 404 (auth passes).
- Edge case: valid API key whose project.deletedAt is set → 401.

Also fix the TRI-8715 redirect assertion: the webapp sends clients to
/login?redirectTo=... so compare by pathname rather than exact string.

New helper test/helpers/seedTestPAT.ts seeds a User + PersonalAccessToken
row using the same hashing/encryption scheme the webapp uses (shared
test ENCRYPTION_KEY), so the webapp subprocess can authenticate against
the seeded token.

otu and realtime.skipColumns propagation are deferred: they're only
observable via real trigger / realtime-stream flows, which need
workers/streams enabled and are out of scope for a coverage PR. The
migration preserves those fields via BearerAuthResult.jwt; dedicated
coverage can ride with TRI-8719 if needed.

Author: matt-aitken

apps/webapp/test/api-auth.e2e.test.ts

@@ -11,6 +11,7 @@ import type { TestServer } from "@internal/testcontainers/webapp";
 import { startTestServer } from "@internal/testcontainers/webapp";
 import { generateJWT } from "@trigger.dev/core/v3/jwt";
 import { seedTestEnvironment } from "./helpers/seedTestEnvironment";
+import { seedTestPAT, seedTestUser } from "./helpers/seedTestPAT";
 
 vi.setConfig({ testTimeout: 180_000 });
 
@@ -129,6 +130,144 @@ describe("RBAC plugin — fallback wiring", () => {
   it("unauthenticated dashboard route redirects to /login via the OSS fallback", async () => {
     const res = await server.webapp.fetch("/admin/concurrency", { redirect: "manual" });
     expect(res.status).toBe(302);
-    expect(res.headers.get("location")).toBe("/login");
+    const location = res.headers.get("location") ?? "";
+    expect(new URL(location, "http://placeholder").pathname).toBe("/login");
+  });
+});
+
+// Covers createActionApiRoute's bearer auth path. The target route is
+// POST /api/v1/idempotencyKeys/:key/reset — allowJWT: true, superScopes: ["write:runs", "admin"].
+// Tests assert HTTP-observable behavior so they remain valid after TRI-8719 swaps
+// authenticateApiRequestWithFailure for rbac.authenticateBearer.
+describe("API bearer auth — action requests", () => {
+  const targetPath = "/api/v1/idempotencyKeys/does-not-exist/reset";
+
+  it("valid API key: auth passes (body validation fails, not 401/403)", async () => {
+    const { apiKey } = await seedTestEnvironment(server.prisma);
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${apiKey}`, "content-type": "application/json" },
+      body: JSON.stringify({}), // missing taskIdentifier → zod validation error
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("missing Authorization header: 401", async () => {
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ taskIdentifier: "noop" }),
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("invalid API key: 401", async () => {
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: {
+        Authorization: "Bearer tr_dev_completely_invalid_key_xyz_not_real",
+        "content-type": "application/json",
+      },
+      body: JSON.stringify({ taskIdentifier: "noop" }),
+    });
+    expect(res.status).toBe(401);
+  });
+
+});
+
+describe("JWT bearer auth — action requests", () => {
+  const targetPath = "/api/v1/idempotencyKeys/does-not-exist/reset";
+
+  it("JWT with matching scope: auth passes", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: ["write:runs"] });
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${jwt}`, "content-type": "application/json" },
+      body: JSON.stringify({}),
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("JWT with wrong scope (read-only) on write route: 403", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: ["read:runs"] });
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${jwt}`, "content-type": "application/json" },
+      body: JSON.stringify({ taskIdentifier: "noop" }),
+    });
+    expect(res.status).toBe(403);
+  });
+});
+
+// Covers createLoaderPATApiRoute via GET /api/v1/projects/:projectRef/runs.
+// authenticateApiRequestWithPersonalAccessToken rejects anything that isn't tr_pat_-prefixed
+// or doesn't match a non-revoked PersonalAccessToken row.
+describe("Personal access token auth", () => {
+  const pathFor = (ref: string) => `/api/v1/projects/${ref}/runs`;
+
+  it("missing Authorization header: 401", async () => {
+    const res = await server.webapp.fetch(pathFor("nonexistent"));
+    expect(res.status).toBe(401);
+  });
+
+  it("API key (tr_dev_*) on PAT-only route: 401", async () => {
+    const { apiKey } = await seedTestEnvironment(server.prisma);
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: { Authorization: `Bearer ${apiKey}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("malformed PAT (wrong prefix): 401", async () => {
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: { Authorization: "Bearer not_a_pat_at_all_random_string" },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("well-formed but unknown PAT: 401", async () => {
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: {
+        Authorization: "Bearer tr_pat_0000000000000000000000000000000000000000",
+      },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("revoked PAT: 401", async () => {
+    const user = await seedTestUser(server.prisma);
+    const { token } = await seedTestPAT(server.prisma, user.id, { revoked: true });
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("valid PAT on nonexistent project: 404 (auth passes)", async () => {
+    const user = await seedTestUser(server.prisma);
+    const { token } = await seedTestPAT(server.prisma, user.id);
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    expect(res.status).toBe(404);
+  });
+});
+
+// Edge cases where auth-path DB state should cause 401 even with a valid-looking token.
+describe("API bearer auth — environment/project edge cases", () => {
+  it("valid API key whose project is soft-deleted: 401", async () => {
+    const { apiKey, project } = await seedTestEnvironment(server.prisma);
+    await server.prisma.project.update({
+      where: { id: project.id },
+      data: { deletedAt: new Date() },
+    });
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result", {
+      headers: { Authorization: `Bearer ${apiKey}` },
+    });
+    expect(res.status).toBe(401);
   });
 });

apps/webapp/test/helpers/seedTestPAT.ts

@@ -0,0 +1,59 @@
+import type { PrismaClient } from "@trigger.dev/database";
+import { createCipheriv, createHash, randomBytes } from "node:crypto";
+
+// Must match ENCRYPTION_KEY in internal-packages/testcontainers/src/webapp.ts
+const ENCRYPTION_KEY = "test-encryption-key-for-e2e!!!!!";
+
+function hashToken(token: string): string {
+  return createHash("sha256").update(token).digest("hex");
+}
+
+function encryptToken(value: string, key: string) {
+  const nonce = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, nonce);
+  let encrypted = cipher.update(value, "utf8", "hex");
+  encrypted += cipher.final("hex");
+  return {
+    nonce: nonce.toString("hex"),
+    ciphertext: encrypted,
+    tag: cipher.getAuthTag().toString("hex"),
+  };
+}
+
+function obfuscate(token: string): string {
+  return `${token.slice(0, 11)}${"•".repeat(20)}${token.slice(-4)}`;
+}
+
+export async function seedTestUser(prisma: PrismaClient, overrides?: { admin?: boolean }) {
+  const suffix = randomBytes(6).toString("hex");
+  return prisma.user.create({
+    data: {
+      email: `pat-user-${suffix}@test.local`,
+      authenticationMethod: "MAGIC_LINK",
+      admin: overrides?.admin ?? false,
+    },
+  });
+}
+
+// Seeds a PersonalAccessToken row using the same hashing/encryption scheme as
+// webapp's services/personalAccessToken.server.ts so the webapp subprocess can
+// authenticate against it.
+export async function seedTestPAT(
+  prisma: PrismaClient,
+  userId: string,
+  opts: { revoked?: boolean } = {}
+): Promise<{ token: string; id: string }> {
+  const token = `tr_pat_${randomBytes(20).toString("hex")}`;
+  const encrypted = encryptToken(token, ENCRYPTION_KEY);
+  const row = await prisma.personalAccessToken.create({
+    data: {
+      name: "e2e-test-pat",
+      userId,
+      encryptedToken: encrypted,
+      hashedToken: hashToken(token),
+      obfuscatedToken: obfuscate(token),
+      revokedAt: opts.revoked ? new Date() : null,
+    },
+  });
+  return { token, id: row.id };
+}