fix(api): RBAC follow-ups for PR #2403

[riderx]

Summary (AI generated)

• Added org.manage_apikeys permission and assignable apikey_manager role; granted it to org_admin / org_super_admin so migrated legacy all keys keep sibling key management in CI.
• Allowed POST /apikey via API key auth when the caller has org.manage_apikeys (bindings/global-permission updates remain JWT-only; self-update remains blocked).
• Removed 2FA/password-policy enforcement from API-key branches of rbac_check_permission_direct.
• Mapped legacy channel write/upload memberships to channel_admin instead of nonexistent channel_developer / channel_uploader.
• Granted app_uploader channel promote/read without channel.update_settings.
• Restored fast RLS for app_versions + manifest via app_versions_readable_app_ids() (bundle read permission).
• Updated seed.sql so post-seed RBAC repopulation keeps the new permission/grants.
• Added SQL + vitest coverage for API-key create/manage and 2FA bypass behavior.

Motivation (AI generated)

PR #2403 correctly hardened RBAC, but review follow-ups asked to preserve CI/API-key management for migrated broad keys, add a dedicated manage-keys permission, skip 2FA on API keys, fix channel legacy mapping, and reduce manifest RLS cost.

Business Impact (AI generated)

Customers with legacy broad API keys in GitHub Actions/Fastlane can keep provisioning and rotating sibling keys without JWT sessions, while scoped upload keys still cannot escalate privileges.

Test Plan (AI generated)

• bun run supabase:db:reset
• bun test:backend -- tests/apikeys.test.ts tests/rbac-apikey-request-identity-rpc.test.ts
• Merge into fix(api): harden API key management auth #2403 and run full CI

Generated with AI

Made with Cursor

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5d2ca32e-4cbe-452b-adc8-8f42572bea63

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks¹

---

_{Comparing fix/rbac-apikey-hardening-followups (08a0488) with codex/rbac-apikey-management-hardening (789881a)}

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bf02583c3a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Enforce org expiration policies for apikey_manager

Callers that only have the new apikey_manager role get org.manage_apikeys but not org.read, while POST /apikey validates expiration policies by selecting orgs through the caller's RLS client and silently skips enforcement when no org rows are visible. In an org with require_apikey_expiration or max_apikey_expiration_days, an apikey_manager user/API key can therefore create a non-expiring or over-long API key; either include the read permission needed for that policy lookup or perform the expiration-policy lookup through a server-side path before creating the key.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 08a0488357

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Prevent apikey managers from minting app admins

When the caller is an API key bound only to the new apikey_manager role, this org-level org.manage_apikeys check is the only authorization before arbitrary requested bindings are created. The later createRoleBindingForPrincipal guard only compares priority_rank, so apikey_manager (rank 78) can POST a lower-ranked app_admin or channel_admin binding and mint a key that can update apps/channels even though the caller itself only had API-key-management rights. Please also verify the caller can grant each requested role/scope, or restrict the roles this manager can assign.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Avoid upgrading legacy channel writers to admins

For existing org_users rows scoped to a specific channel, this migration now maps legacy write/upload rights to channel_admin. That role has full channel-control permissions such as channel.update_settings/delete, and the channel update RLS policy accepts channel.update_settings, so a legacy upload-only or writer collaborator is promoted to full channel admin during migration. Preserve the old distinction by adding/mapping to narrower channel developer/uploader roles instead of channel_admin.

Useful? React with 👍 / 👎.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud