feat(webapp): enforce env-tier access on environment credential endpoints

The endpoints that hand a personal access token an environment's secret
key or a key-signed JWT now apply the caller's role for that environment
tier. A restricted role can't pull deployed-environment credentials, which
is what stops it deploying via the CLI (deploy authenticates with the
environment secret key). Environment API keys are scoped to a single
environment already, so they are unaffected.

Author: matt-aitken

apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts

@@ -6,6 +6,7 @@ import {
   authenticateRequest,
 } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
+import { authorizePatEnvironmentAccess } from "~/services/environmentVariableApiAccess.server";
 
 const ParamsSchema = z.object({
   projectRef: z.string(),
@@ -49,6 +50,20 @@ export async function action({ request, params }: ActionFunctionArgs) {
       triggerBranch
     );
 
+    // This mints a JWT signed with the environment's secret key. For a PAT
+    // (a user), gate it on env-tier read:apiKeys so a restricted role can't
+    // obtain deployed-environment credentials (and therefore can't deploy).
+    const denied = await authorizePatEnvironmentAccess({
+      request,
+      authType: authenticationResult.type,
+      organizationId: runtimeEnv.organizationId,
+      projectId: runtimeEnv.project.id,
+      envType: runtimeEnv.type,
+      resource: "apiKeys",
+      action: "read",
+    });
+    if (denied) return denied;
+
     const parsedBody = RequestBodySchema.safeParse(await request.json());
 
     if (!parsedBody.success) {

apps/webapp/app/routes/api.v1.projects.$projectRef.$env.ts

@@ -8,6 +8,7 @@ import {
   branchNameFromRequest,
 } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
+import { authorizePatEnvironmentAccess } from "~/services/environmentVariableApiAccess.server";
 
 const ParamsSchema = z.object({
   projectRef: z.string(),
@@ -26,7 +27,11 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
   const { projectRef, env } = parsedParams.data;
 
   try {
-    const authenticationResult = await authenticateRequest(request);
+    const authenticationResult = await authenticateRequest(request, {
+      personalAccessToken: true,
+      organizationAccessToken: true,
+      apiKey: true,
+    });
 
     if (!authenticationResult) {
       return json({ error: "Invalid or Missing API key" }, { status: 401 });
@@ -39,6 +44,20 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
       branchNameFromRequest(request)
     );
 
+    // This endpoint hands the caller the environment's secret key. For a PAT
+    // (a user), gate it on env-tier read:apiKeys — so a restricted role can't
+    // pull deployed credentials (and therefore can't deploy) via the CLI.
+    const denied = await authorizePatEnvironmentAccess({
+      request,
+      authType: authenticationResult.type,
+      organizationId: environment.organizationId,
+      projectId: environment.project.id,
+      envType: environment.type,
+      resource: "apiKeys",
+      action: "read",
+    });
+    if (denied) return denied;
+
     const result: GetProjectEnvResponse = {
       apiKey: environment.apiKey,
       name: environment.project.name,

apps/webapp/app/services/environmentVariableApiAccess.server.ts

@@ -2,31 +2,43 @@ import { json } from "@remix-run/server-runtime";
 import type { RuntimeEnvironmentType } from "@trigger.dev/database";
 import { rbac } from "~/services/rbac.server";
 
+type EnvironmentScopedResource = "envvars" | "apiKeys";
+
+const RESOURCE_LABELS: Record<EnvironmentScopedResource, string> = {
+  envvars: "environment variables",
+  apiKeys: "API keys",
+};
+
 /**
- * Env-tier RBAC for the environment-variable API routes.
+ * Env-tier RBAC for environment-scoped API routes (env vars, and the endpoints
+ * that hand out an environment's secret credentials).
  *
  * Machine credentials (an environment's secret/public API key) are already
  * scoped to a single environment, so they pass through unchanged. A personal
  * access token carries a user, so enforce that user's role for the targeted
- * environment tier — e.g. a Developer can't read or write deployed env vars
- * via the API, matching the dashboard restriction.
+ * environment tier — e.g. a Developer can't read deployed env vars or API keys
+ * via the API, matching the dashboard restriction. Blocking the credential read
+ * for deployed tiers is also what stops a restricted role deploying via the CLI
+ * (deploy needs the environment's secret key).
  *
  * Returns a `Response` to short-circuit with when access is denied, or
  * `undefined` when the request may proceed.
  */
-export async function authorizeEnvVarApiRequest({
+export async function authorizePatEnvironmentAccess({
   request,
   authType,
   organizationId,
   projectId,
   envType,
+  resource,
   action,
 }: {
   request: Request;
   authType: "personalAccessToken" | "organizationAccessToken" | "apiKey";
   organizationId: string;
   projectId: string;
   envType: RuntimeEnvironmentType;
+  resource: EnvironmentScopedResource;
   action: "read" | "write";
 }): Promise<Response | undefined> {
   if (authType !== "personalAccessToken") {
@@ -38,12 +50,26 @@ export async function authorizeEnvVarApiRequest({
     return json({ error: patAuth.error }, { status: patAuth.status });
   }
 
-  if (!patAuth.ability.can(action, { type: "envvars", envType })) {
+  if (!patAuth.ability.can(action, { type: resource, envType })) {
     return json(
-      { error: "You don't have permission to manage environment variables in this environment." },
+      {
+        error: `You don't have permission to access this environment's ${RESOURCE_LABELS[resource]}.`,
+      },
       { status: 403 }
     );
   }
 
   return undefined;
 }
+
+/** Env-tier env var access for the env var API routes. */
+export function authorizeEnvVarApiRequest(opts: {
+  request: Request;
+  authType: "personalAccessToken" | "organizationAccessToken" | "apiKey";
+  organizationId: string;
+  projectId: string;
+  envType: RuntimeEnvironmentType;
+  action: "read" | "write";
+}): Promise<Response | undefined> {
+  return authorizePatEnvironmentAccess({ ...opts, resource: "envvars" });
+}