- Notifications
You must be signed in to change notification settings - Fork1k
feat: add legacy API key scope compatibility#20021
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Closed
ThomasK33 wants to merge1 commit intothomask33/09-29-feat_typed_rbac_allow_listfromthomask33/09-29-feat_legacy_apikey_backcompat
Closed
feat: add legacy API key scope compatibility#20021
ThomasK33 wants to merge1 commit intothomask33/09-29-feat_typed_rbac_allow_listfromthomask33/09-29-feat_legacy_apikey_backcompat
+136 −0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
This was referencedSep 29, 2025
MemberAuthor
ThomasK33 commentedSep 29, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stackon Graphite.
This stack of pull requests is managed byGraphite. Learn more aboutstacking. |
f38d137 tof8cddd7Compare9c44c4f tob11c4e8Compareb11c4e8 to0d9e60aCompare52770fc to8390b78Compare0d9e60a to90528a2Comparec410a2c to696cc1dComparea482459 to5e55406Compare
Don't we have a migration to update these scopes + allow lists to convert them to the new api key? Our customers get release by release, so there should be no window after the migration where the old api keys are created. |
ecdebc1 tob07d6f5Compare4bb9040 tocc44d1cCompare31570ef toab61e4eComparecc44d1c to4c9762eCompareab61e4e to009ef1cCompare4c9762e toc9ad043Compare009ef1c tof5bfb50Comparec9ad043 to610e5e7Comparef5bfb50 to5da9aa2Compare5da9aa2 to2307d62Compare14537db tofd7df7cCompared7b29da to2d313efCompare80f543a toc18adc2Compare2d313ef tod34dbe8CompareThis change introduces backwards compatibility for API keys createdbefore the scopes and allow-lists feature.Previously, these legacy keys had empty scope and allow-listdefinitions in the database. They are now dynamically interpreted ashaving `coder:all` scope, granting them full access. This ensures thatold, unscoped tokens continue to function as they did before theintroduction of fine-grained permissions.
c18adc2 todda7c9aCompared34dbe8 to47cccd7CompareSign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Labels
None yet
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add legacy API key compatibility
This PR adds support for legacy API keys that were created before the scopes migration. It ensures that API keys with empty scopes and allow lists are properly expanded to have full access permissions, maintaining backward compatibility.
Key changes:
LegacyTokento create API keys that mimic pre-migration database structurecoder:allin the API key conversion logicThis maintains compatibility with older API keys while preserving the new scopes functionality.