fix(auth): allow API keys to manage workspace variables and case attachments#2759
Open
mcm wants to merge 1 commit into
Open
fix(auth): allow API keys to manage workspace variables and case attachments#2759mcm wants to merge 1 commit into
mcm wants to merge 1 commit into
Conversation
…chments
The /variables/* and /cases/{id}/attachments/* routes were declared with
WorkspaceUserRouteRole, which sets allow_api_key=False — so even service
accounts holding the right scopes were 403'd before scope checks ran. This
blocks downstream integrations from writing per-workspace connection
variables or syncing case attachments via API key.
- Swap WorkspaceUserRouteRole -> WorkspaceActorRouteRole on both routers
- Add variable:{read,create,update,delete} to the workspace service-account
assignable-scope allowlist (the case:* scopes were already in it)
- Move variable:* scopes between the parametrized allow/reject test lists
|
✅ No security or compliance issues detected. Reviewed everything up to b496fff. Security Overview
Detected Code Changes
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
This was referenced May 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
/variables/*and/cases/{id}/attachments/*routes are declared withWorkspaceUserRouteRole, which setsallow_api_key=False. The auth dispatcher intracecat/auth/credentials.py:892-907raises 403 Forbidden when a bearer token comes in as an API key but the route doesn't accept API keys — before any scope check runs. Service accounts can never reach these routes, regardless of granted scopes.This blocks downstream integrations from:
The
case:read/case:updatescopes the attachments router requires were already inWORKSPACE_SERVICE_ACCOUNT_ASSIGNABLE_SCOPES, so attachments was an obvious oversight. Thevariable:*scopes were absent from the allowlist, so this PR adds them too.Changes
tracecat/variables/router.py— swapWorkspaceUserRouteRole→WorkspaceActorRouteRoleon all 6 endpoints.tracecat/cases/attachments/router.py— swapWorkspaceUserRouteRole→WorkspaceActorRouteRoleon all 4 endpoints.tracecat/service_accounts/constants.py— addvariable:{read,create,update,delete}toWORKSPACE_SERVICE_ACCOUNT_ASSIGNABLE_SCOPES(the org allowlist inherits via union).tests/unit/test_service_accounts_validation.py— movevariable:*scopes from the "rejects user-only scopes" parametrize lists into the "allows supported API-key scopes" lists for both workspace and org variants.Compatibility
WorkspaceActorRouteRoleis a superset ofWorkspaceUserRouteRole(both haveallow_user=True, this one just also hasallow_api_key=True).variable:*scopes; admins need to grant them per service account.require_workspace="yes").Test plan
ruff checkclean on touched filesruff format --diffclean on touched filesbasedpyright --warningsclean on touched filesvariable:*scopesRelated
Follows the same pattern as #2755 ("fix: allow API keys to fetch workflow details").
There are a few other
WorkspaceUserRouteRoleroutes whose required scopes are already in the service-account assignable allowlist (cases/rows/router.py, several agent/* routers, three webhook endpoints inworkflow/management/router.py,POST /workflow-executions/draft, parts ofintegrations/router.py). Those weren't flipped here since I have no immediate use case for them — happy to follow up in separate PRs if the team agrees they should also be Actor-role.Summary by cubic
Fixes 403s for API-key requests to workspace variables and case attachments by allowing service accounts on those routes. Integrations can now manage variables and upload/download attachments with API keys.
Bug Fixes
/variables/*and/cases/{id}/attachments/*toWorkspaceActorRouteRoleso API keys are accepted.variable:{read,create,update,delete}toWORKSPACE_SERVICE_ACCOUNT_ASSIGNABLE_SCOPESand updated tests.Migration
variable:*scopes to service accounts that need variable access.Written for commit b496fff. Summary will update on new commits. Review in cubic