Skip to content

CV2-6604: Remove global keys permission#2379

Merged
melsawy merged 34 commits intodevelopfrom
CV2-6604-review-and-manage-api-keys
Feb 2, 2026
Merged

CV2-6604: Remove global keys permission#2379
melsawy merged 34 commits intodevelopfrom
CV2-6604-review-and-manage-api-keys

Conversation

@melsawy
Copy link
Contributor

@melsawy melsawy commented Oct 27, 2025
edited
Loading

Description

Check existing API keys and limit the usage of global keys.

  • Log ApiKey last activity date
  • Remove global API key permissions
  • Verify that API key belongs to team
  • Add rake task to set team_id for existing keys
  • Add rake task to list global keys

References: CV2-6604

How to test?

  • Re-run automated tests
  • Using UI
  • A) Generate API using workspace settings page(settings => Integrations => API Access)
  • B) Generate API key using this guide
    For both cases I used graphql UI to run different quires

Checklist

  • I have performed a self-review of my code and ensured that it is safe and runnable, that code coverage has not decreased, and that there are no new Code Climate issues. I have also followed Meedan's internal coding guidelines.

@melsawy melsawy changed the title CV2-6604: remove global keys permission CV2-6604: Remove global keys permission Nov 26, 2025
@melsawy melsawy marked this pull request as ready for review December 1, 2025 12:20
caiosba
caiosba requested changes Dec 2, 2025
View reviewed changes
Copy link
Contributor

@caiosba caiosba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sawy, to be extra safe, I think we should make the team_id column on ApiKey mandatory. This should simplify the implementation since you won’t need to filter by non-null team IDs, and it also avoids the risk of forgetting to update that logic somewhere. Of course, you’ll need to run the rake task before deploying the code change; otherwise, the database migration will fail. Also, please rebase the PR since you already handled the last activity part in another PR.

@melsawy
Copy link
Contributor Author

melsawy commented Dec 3, 2025

I think we should make the team_id column on ApiKey mandatory.

@caiosba for now I added a validation inside the model ApiKey so I can deploy and run the rake task and after deploying this PR I'll make the team_id column mandatory

@melsawy melsawy requested a review from caiosba December 3, 2025 15:11
caiosba
caiosba reviewed Dec 3, 2025
View reviewed changes
Copy link
Contributor

@caiosba caiosba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@melsawy , why not the opposite? A first PR with just the rake task, and then another PR that makes team_id mandatory?

@melsawy
Copy link
Contributor Author

melsawy commented Jan 6, 2026

@melsawy what's the status here?

Fixing tests (I have one test to fix) then run check-web tests

@melsawy melsawy requested a review from caiosba January 7, 2026 08:14
@caiosba
Copy link
Contributor

caiosba commented Jan 7, 2026

@vasconsaurus would be good to get your eyes here too

@vasconsaurus
Copy link
Contributor

vasconsaurus commented Jan 7, 2026

@vasconsaurus would be good to get your eyes here too

I'll take a look now during my morning.

caiosba
caiosba requested changes Jan 7, 2026
View reviewed changes
vasconsaurus
vasconsaurus reviewed Jan 7, 2026
View reviewed changes
vasconsaurus
vasconsaurus reviewed Jan 7, 2026
View reviewed changes
@vasconsaurus
Copy link
Contributor

vasconsaurus commented Jan 7, 2026

@melsawy, left a few questions just so I can better understand a few things. And one final question: are there any updates needed in the seeds script?

@melsawy
Copy link
Contributor Author

melsawy commented Jan 7, 2026

are there any updates needed in the seeds script?

No @vasconsaurus

vasconsaurus
vasconsaurus approved these changes Jan 7, 2026
View reviewed changes
Copy link
Contributor

@vasconsaurus vasconsaurus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As always, thanks for the patience @melsawy.
Looks good to me once @caiosba requests are dealt with.

@melsawy melsawy requested a review from caiosba January 8, 2026 05:43
caiosba
caiosba requested changes Jan 8, 2026
View reviewed changes
@caiosba
Copy link
Contributor

caiosba commented Jan 8, 2026

@melsawy as we discussed, please keep the GraphQL field dynamic_annotation_field (here) but make it return nil. This way we don't break API clients, but also don't surface any data. I confirmed this is just used by the Slack Bot. Please also add a comment to flag that the GraphQL field is deprecated.

@melsawy melsawy requested a review from caiosba January 8, 2026 16:58
caiosba
caiosba requested changes Jan 8, 2026
View reviewed changes
@melsawy melsawy requested a review from caiosba January 11, 2026 18:22
@melsawy
Copy link
Contributor Author

melsawy commented Jan 11, 2026

@caiosba please review latest changes while I am fixing a flaky test.

@melsawy melsawy merged commit 43fe1ce into develop Feb 2, 2026
10 checks passed
@melsawy melsawy deleted the CV2-6604-review-and-manage-api-keys branch February 2, 2026 08:33
melsawy added a commit that referenced this pull request Feb 5, 2026
@melsawy
Revert "CV2-6604: Remove global keys permission (#2379)"
709237f 
This reverts commit 43fe1ce.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vasconsaurus vasconsaurus vasconsaurus approved these changes

@caiosba caiosba caiosba approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@melsawy @caiosba @vasconsaurus