
[Duplicate]: Protect api key routes #69

Closed
resolvicomai wants to merge 2 commits into VeriWorkly:master from resolvicomai:fix/protect-api-keys-route


@resolvicomai
Contributor

Summary

  • add /api-keys and /api-keys/:path* to the Studio proxy matcher
  • add a contract test covering API key route protection

Fixes #65

Validation

  • npm run test:contracts -w @veriworkly/studio -- proxy-auth.contract.test.ts
  • npm run test:contracts -w @veriworkly/studio
  • npm run lint -w @veriworkly/studio
  • npm run format -w @veriworkly/studio -- proxy.ts tests/contracts/proxy-auth.contract.test.ts

Note: npm audit signatures currently fails before signature validation because npm cannot resolve @types/node@25.8.0 from the existing dependency graph.

Collaborator

@Gautam25Raj Gautam25Raj left a comment

Hi @resolvicomai, thanks for submitting this PR to address the API key route protection!

Before we merge, we have a few pieces of feedback regarding the implementation and the test:

  1. Workflow Reminder: For future contributions, please comment on the issue and wait to be assigned before opening a PR. This helps us coordinate and prevents overlapping work.

  2. Redundant Route Matchers: In Next.js middleware, the :path* syntax matches zero or more path segments.

    • "/api-keys/:path*" already covers both /api-keys and all of its subpaths (like /api-keys/create).

    • Please remove the redundant base path matchers (e.g., "/api-keys", "/admin", "/profile") from config.matcher and stick to the wildcards (e.g., "/api-keys/:path*").

If you can update the PR to clean up the matcher array and remove the test file, we'll be ready to get this formatted and merged!
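
The matcher coverage discussed in this review, as an added example that is not part of the PR or the VeriWorkly code: a simplified JavaScript model of `:path*` matching (an assumption, not Next.js's own implementation) that reports which sensitive routes no matcher covers. The matcher arrays and route list are constructed samples, and `compileMatcher`, `isProtected` and `findUnprotected` are hypothetical helper names.

```javascript
// Simplified model of Next.js matcher patterns. Assumption: only the
// :name, :name*, :name+ and :name? segment forms are handled, and a
// trailing slash is tolerated. This is not Next.js's own implementation.
function compileMatcher(pattern) {
  let source = "";
  for (const segment of pattern.split("/").filter(Boolean)) {
    const param = /^:(\w+)([*+?]?)$/.exec(segment);
    if (!param) {
      // Literal segment: escape regex metacharacters.
      source += "/" + segment.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    } else if (param[2] === "*") {
      source += "(?:/[^/]+)*"; // zero or more segments
    } else if (param[2] === "+") {
      source += "(?:/[^/]+)+"; // one or more segments
    } else if (param[2] === "?") {
      source += "(?:/[^/]+)?"; // optional single segment
    } else {
      source += "/[^/]+"; // exactly one segment
    }
  }
  return new RegExp("^" + source + "/?$");
}

// True when at least one matcher would route this path through the proxy.
function isProtected(matchers, pathname) {
  return matchers.some((m) => compileMatcher(m).test(pathname));
}

// Returns the paths from mustProtect that no matcher covers.
function findUnprotected(matchers, mustProtect) {
  return mustProtect.filter((p) => !isProtected(matchers, p));
}

// Constructed sample data (not the repository's actual config).
const before = ["/admin/:path*", "/profile/:path*"];
const after = [...before, "/api-keys/:path*"];
const sensitive = ["/admin", "/profile/settings", "/api-keys", "/api-keys/create"];

console.log("uncovered before:", findUnprotected(before, sensitive));
console.log("uncovered after: ", findUnprotected(after, sensitive));
// The wildcard is segment-based, so a sibling route is not swept in.
console.log("/api-keys-export covered:", isProtected(after, "/api-keys-export"));
// With :path+ the base path would be left uncovered.
console.log("/api-keys under :path+:", isProtected(["/api-keys/:path+"], "/api-keys"));
```

A check like `findUnprotected` can run in CI against the real matcher array so that a newly added sensitive page fails the build until it is covered.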

@Gautam25Raj Gautam25Raj added enhancement New feature or request frontend UI/client-side code labels May 21, 2026
@resolvicomai
Contributor Author

Updated in b5cfb3c. Removed the redundant /api-keys matcher so the route is covered only by /api-keys/:path*, and deleted the contract test file as requested.

Re-validated:

  • npm run test:contracts -w @veriworkly/studio
  • npm run lint
  • git diff --check

@Gautam25Raj Gautam25Raj changed the title fix: protect api key routes [Fix] [Studio]: Protect api key routes May 21, 2026
@Gautam25Raj
Collaborator

Hi @resolvicomai, thank you for the PR!

Unfortunately, we already have an open PR addressing this issue, so we will be closing this one to avoid duplicate work.

However, we currently have an unassigned open issue (#61). If you'd like to work on that one, please drop a comment directly on #61 requesting assignment so we can assign it to you. Thanks!

@Gautam25Raj Gautam25Raj added invalid This doesn't seem right and removed enhancement New feature or request frontend UI/client-side code labels May 21, 2026
@Gautam25Raj Gautam25Raj changed the title [Fix] [Studio]: Protect api key routes [Duplicate] [Fix] [Studio]: Protect api key routes May 21, 2026
@Gautam25Raj Gautam25Raj changed the title [Duplicate] [Fix] [Studio]: Protect api key routes [Duplicate]: Protect api key routes May 21, 2026
@Gautam25Raj Gautam25Raj added the duplicate This issue or pull request already exists label May 24, 2026

Labels

duplicate This issue or pull request already exists invalid This doesn't seem right

Development

Successfully merging this pull request may close these issues.

[BUG]: Protect /api-keys page from unauthenticated access

2 participants