Remove global-api-key-authn-handler.ts and related env variables (#1763)

bigfluffycookie · web-flow · commit ce03f391c807 · 2025-12-12T09:17:51.000+01:00
Fixes OPS-3239
diff --git a/.env.template b/.env.template
@@ -4,7 +4,6 @@
 NODE_OPTIONS=--no-node-snapshot
 
 
-OPS_API_KEY="api-key"
 OPS_CACHE_PATH="./dev/cache"
 OPS_CONFIG_PATH="./dev/config"
 OPS_ENVIRONMENT="dev"
diff --git a/deploy/docker-compose/.env.defaults b/deploy/docker-compose/.env.defaults
@@ -22,7 +22,6 @@ OPS_NGINX_CONFIG_FILE=nginx.gateway.conf
 # Authentication
 # ---------------------------------------------------------
 
-OPS_API_KEY="api-key"
 OPS_ENCRYPTION_KEY=abcdef123456789abcdef123456789ab
 OPS_JWT_SECRET=please-change-this-secret
 OPS_OPENOPS_ADMIN_EMAIL=admin@openops.com
diff --git a/deploy/helm/openops/values.yaml b/deploy/helm/openops/values.yaml
@@ -20,7 +20,6 @@ openopsEnv:
   OPS_ANALYTICS_VERSION: "{{ .Values.analytics.tag }}"
 
   # Authentication
-  OPS_API_KEY: "api-key"
   OPS_ENCRYPTION_KEY: abcdef123456789abcdef123456789ab
   OPS_JWT_SECRET: please-change-this-secret
   OPS_OPENOPS_ADMIN_EMAIL: admin@openops.com
diff --git a/packages/blocks/common/src/lib/http/core/http-header.ts b/packages/blocks/common/src/lib/http/core/http-header.ts
@@ -1,6 +1,5 @@
 export enum HttpHeader {
   AUTHORIZATION = 'Authorization',
   ACCEPT = 'Accept',
-  API_KEY = 'Api-Key',
   CONTENT_TYPE = 'Content-Type',
 }
diff --git a/packages/cli/src/lib/commands/sync-blocks.ts b/packages/cli/src/lib/commands/sync-blocks.ts
@@ -74,12 +74,8 @@ export const syncBlockCommand = new Command('sync')
     '-h, --apiUrl <url>',
     'API URL ex: https://app.openops.com/api',
   )
+  .requiredOption('-t, --token <token>', 'Access token for authentication')
   .action(async (options) => {
-    const apiKey = process.env.OPS_API_KEY;
     const apiUrlWithoutTrailSlash = options.apiUrl.replace(/\/$/, '');
-    if (!apiKey) {
-      console.error(chalk.red('OPS_API_KEY environment variable is required'));
-      process.exit(1);
-    }
-    await syncBlocks(apiUrlWithoutTrailSlash, apiKey);
+    await syncBlocks(apiUrlWithoutTrailSlash, options.token);
   });
diff --git a/packages/server/api/.env.tests b/packages/server/api/.env.tests
@@ -1,4 +1,3 @@
-OPS_API_KEY=api-key
 OPS_QUEUE_MODE=MEMORY
 OPS_DB_TYPE=SQLITE3
 OPS_ENVIRONMENT=test
@@ -16,7 +15,6 @@ OPS_JWT_SECRET=secret
 OPS_BILLING_SETTINGS={\"nickname\":\"test-flow-plan\",\"tasks\":1000,\"activeFlows\":20,\"minimumPollingInterval\":5,\"connections\":50,\"teamMembers\":1,\"type\":\"FLOWS\"}
 OPS_STRIPE_SECRET_KEY=invalid-key
 OPS_FIREBASE_HASH_PARAMETERS={\"memCost\":14,\"rounds\":8,\"signerKey\":\"YE0dO4bwD4JnJafh6lZZfkp1MtKzuKAXQcDCJNJNyeCHairWHKENOkbh3dzwaCdizzOspwr/FITUVlnOAwPKyw==\",\"saltSeparator\":\"Bw==\"}
-OPS_API_KEY="api-key"
 OPS_CLOUD_ORGANIZATION_ID="cloud-id"
 OPS_BLOCKS_SYNC_MODE=NONE
 OPS_CONTAINER_TYPE=WORKER_AND_APP
diff --git a/packages/server/api/src/app/core/security/authn/global-api-key-authn-handler.ts b/packages/server/api/src/app/core/security/authn/global-api-key-authn-handler.ts
diff --git a/packages/server/api/src/app/core/security/security-handler-chain.ts b/packages/server/api/src/app/core/security/security-handler-chain.ts
@@ -2,12 +2,10 @@ import { Principal } from '@openops/shared';
 import { FastifyRequest } from 'fastify';
 import { AccessTokenAuthnHandler } from './authn/access-token-authn-handler';
 import { AnonymousAuthnHandler } from './authn/anonymous-authn-handler';
-import { GlobalApiKeyAuthnHandler } from './authn/global-api-key-authn-handler';
 import { PrincipalTypeAuthzHandler } from './authz/principal-type-authz-handler';
 import { ProjectAuthzHandler } from './authz/project-authz-handler';
 
 const AUTHN_HANDLERS = [
-  new GlobalApiKeyAuthnHandler(),
   new AccessTokenAuthnHandler(),
   new AnonymousAuthnHandler(),
 ];
diff --git a/packages/server/api/src/app/helper/error-handler.ts b/packages/server/api/src/app/helper/error-handler.ts
@@ -75,7 +75,6 @@ const isValidationError = (error: unknown): error is FastifyValidationError => {
 };
 
 const statusCodeMap: Partial<Record<ErrorCode, StatusCodes>> = {
-  [ErrorCode.INVALID_API_KEY]: StatusCodes.UNAUTHORIZED,
   [ErrorCode.INVALID_BEARER_TOKEN]: StatusCodes.UNAUTHORIZED,
   [ErrorCode.FEATURE_DISABLED]: StatusCodes.PAYMENT_REQUIRED,
   [ErrorCode.PERMISSION_DENIED]: StatusCodes.FORBIDDEN,
diff --git a/packages/server/api/src/app/workers/machine/machine-controller.ts b/packages/server/api/src/app/workers/machine/machine-controller.ts
@@ -55,8 +55,7 @@ export const workerMachineController: FastifyPluginAsyncTypebox = async (
 
 const GenerateWorkerTokenParams = {
   config: {
-    // TODO this should be replaced with the user
-    allowedPrincipals: [PrincipalType.SUPER_USER],
+    allowedPrincipals: [PrincipalType.USER],
   },
   schema: {
     description:
diff --git a/packages/server/shared/src/lib/system/system-prop.ts b/packages/server/shared/src/lib/system/system-prop.ts
@@ -1,7 +1,6 @@
 export type SystemProp = AppSystemProp | SharedSystemProp | WorkerSystemProps;
 
 export enum AppSystemProp {
-  API_KEY = 'API_KEY',
   API_RATE_LIMIT_AUTHN_ENABLED = 'API_RATE_LIMIT_AUTHN_ENABLED',
   API_RATE_LIMIT_AUTHN_MAX = 'API_RATE_LIMIT_AUTHN_MAX',
   API_RATE_LIMIT_AUTHN_WINDOW = 'API_RATE_LIMIT_AUTHN_WINDOW',
diff --git a/packages/shared/src/lib/authentication/model/principal-type.ts b/packages/shared/src/lib/authentication/model/principal-type.ts
@@ -4,11 +4,6 @@ export enum PrincipalType {
   SERVICE = 'SERVICE',
   WORKER = 'WORKER',
   UNKNOWN = 'UNKNOWN',
-
-  /**
-   * @deprecated
-   */
-  SUPER_USER = 'SUPER_USER',
 }
 
 export const ALL_PRINCIPAL_TYPES = Object.values(PrincipalType);
diff --git a/packages/shared/src/lib/common/application-error.ts b/packages/shared/src/lib/common/application-error.ts
@@ -33,7 +33,6 @@ export type ApplicationErrorParams =
   | InvalidUserEmailErrorParams
   | InvalidUserPasswordErrorParams
   | InvalidNameForUserErrorParams
-  | InvalidApiKeyParams
   | InvalidAppConnectionParams
   | InvalidBearerTokenParams
   | InvalidClaimParams
@@ -352,11 +351,6 @@ export type PauseMetadataMissingErrorParams = BaseErrorParams<
   Record<string, never>
 >;
 
-export type InvalidApiKeyParams = BaseErrorParams<
-  ErrorCode.INVALID_API_KEY,
-  Record<string, never>
->;
-
 export type EngineOperationFailureParams = BaseErrorParams<
   ErrorCode.ENGINE_OPERATION_FAILURE,
   {
@@ -469,7 +463,6 @@ export enum ErrorCode {
   FLOW_INTERNAL_FORBIDDEN = 'FLOW_INTERNAL_FORBIDDEN',
   FLOW_RUN_NOT_FOUND = 'FLOW_RUN_NOT_FOUND',
   FLOW_RUN_ENDED = 'FLOW_RUN_ENDED',
-  INVALID_API_KEY = 'INVALID_API_KEY',
   INVALID_USER_EMAIL = 'INVALID_USER_EMAIL',
   INVALID_USER_PASSWORD = 'INVALID_USER_PASSWORD',
   INVALID_NAME_FOR_USER = 'INVALID_NAME_FOR_USER',

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`	`1`	`export enum HttpHeader {`
`2`	`2`	`AUTHORIZATION = 'Authorization',`
`3`	`3`	`ACCEPT = 'Accept',`
`4`		`- API_KEY = 'Api-Key',`
`5`	`4`	`CONTENT_TYPE = 'Content-Type',`
`6`	`5`	`}`