Fix issues with project keys (#35726)

The previous code was mistakenly always returning "does not have access to project" instead of "cannot determine if has access" for project keys.

Additionally, we'd prompt for opt ins with preview or project keys, which wouldn't work. Also we'd try and check usage which would fail with the project key.

GitOrigin-RevId: 5079ce3b28d4d6686de351722b1e27789ac5cfb4

Author: sshader

npm-packages/convex/src/cli/configure.ts

@@ -108,8 +108,8 @@ export async function deploymentCredentialsOrConfigure(
     deploymentFields: {
       deploymentName: DeploymentName;
       deploymentType: string;
-      projectSlug: string;
-      teamSlug: string;
+      projectSlug: string | null;
+      teamSlug: string | null;
     } | null;
   }
 > {
@@ -174,11 +174,11 @@ export async function deploymentCredentialsOrConfigure(
         overrideAuthUsername: cmdOptions.overrideAuthUsername,
         overrideAuthPassword: cmdOptions.overrideAuthPassword,
       });
-      const projectSlugs = await checkAccessToSelectedProject(
+      const accessResult = await checkAccessToSelectedProject(
         ctx,
         deploymentSelection.targetProject,
       );
-      if (projectSlugs === null) {
+      if (accessResult.kind === "noAccess") {
         logMessage(ctx, "You don't have access to the selected project.");
         const result = await handleChooseProject(
           ctx,
@@ -614,8 +614,8 @@ async function updateEnvAndConfigForDeploymentSelection(
   options: {
     url: string;
     deploymentName: string;
-    teamSlug: string;
-    projectSlug: string;
+    teamSlug: string | null;
+    projectSlug: string | null;
     deploymentType: DeploymentType;
   },
   existingValue: string | null,

npm-packages/convex/src/cli/lib/api.ts

@@ -208,31 +208,43 @@ async function hasAccessToProject(
 export async function checkAccessToSelectedProject(
   ctx: Context,
   projectSelection: ProjectSelection,
-): Promise<{ teamSlug: string; projectSlug: string } | null> {
+): Promise<
+  | { kind: "hasAccess"; teamSlug: string; projectSlug: string }
+  | { kind: "noAccess" }
+  | { kind: "unknown" }
+> {
   switch (projectSelection.kind) {
     case "deploymentName": {
       const result = await getTeamAndProjectSlugForDeployment(ctx, {
         deploymentName: projectSelection.deploymentName,
       });
-      return result;
+      if (result === null) {
+        return { kind: "noAccess" };
+      }
+      return {
+        kind: "hasAccess",
+        teamSlug: result.teamSlug,
+        projectSlug: result.projectSlug,
+      };
     }
     case "teamAndProjectSlugs": {
       const hasAccess = await hasAccessToProject(ctx, {
         teamSlug: projectSelection.teamSlug,
         projectSlug: projectSelection.projectSlug,
       });
       if (!hasAccess) {
-        return null;
+        return { kind: "noAccess" };
       }
       return {
+        kind: "hasAccess",
         teamSlug: projectSelection.teamSlug,
         projectSlug: projectSelection.projectSlug,
       };
     }
     case "projectDeployKey":
       // Ideally we would be able to do an explicit check here, but if the key is invalid,
       // it will instead fail as soon as we try to use the key.
-      return null;
+      return { kind: "unknown" };
     default: {
       const _exhaustivenessCheck: never = projectSelection;
       return await ctx.crash({
@@ -603,12 +615,12 @@ async function _loadExistingDeploymentCredentialsForProject(
   deploymentFields: {
     deploymentName: string;
     deploymentType: string;
-    projectSlug: string;
-    teamSlug: string;
+    projectSlug: string | null;
+    teamSlug: string | null;
   } | null;
 }> {
-  const projectSlugs = await checkAccessToSelectedProject(ctx, targetProject);
-  if (projectSlugs === null) {
+  const accessResult = await checkAccessToSelectedProject(ctx, targetProject);
+  if (accessResult.kind === "noAccess") {
     return await ctx.crash({
       exitCode: 1,
       errorType: "fatal",
@@ -636,8 +648,11 @@ async function _loadExistingDeploymentCredentialsForProject(
     deploymentFields: {
       deploymentName: result.deploymentName,
       deploymentType: result.deploymentType,
-      projectSlug: projectSlugs.projectSlug,
-      teamSlug: projectSlugs.teamSlug,
+
+      projectSlug:
+        accessResult.kind === "hasAccess" ? accessResult.projectSlug : null,
+      teamSlug:
+        accessResult.kind === "hasAccess" ? accessResult.teamSlug : null,
     },
   };
 }
@@ -655,8 +670,8 @@ export async function loadSelectedDeploymentCredentials(
   deploymentFields: {
     deploymentName: string;
     deploymentType: string;
-    projectSlug: string;
-    teamSlug: string;
+    projectSlug: string | null;
+    teamSlug: string | null;
   } | null;
 }> {
   switch (deploymentSelection.kind) {

npm-packages/convex/src/cli/lib/deployment.ts

@@ -31,7 +31,11 @@ export function getDeploymentTypeFromConfiguredDeployment(raw: string) {
 export async function writeDeploymentEnvVar(
   ctx: Context,
   deploymentType: DeploymentType,
-  deployment: { team: string; project: string; deploymentName: string },
+  deployment: {
+    team: string | null;
+    project: string | null;
+    deploymentName: string;
+  },
   existingValue: string | null,
 ): Promise<{ wroteToGitIgnore: boolean; changedDeploymentEnvVar: boolean }> {
   const existingFile = ctx.fs.exists(ENV_VAR_FILE_PATH)
@@ -101,18 +105,21 @@ export function changesToEnvVarFile(
     team,
     project,
     deploymentName,
-  }: { team: string; project: string; deploymentName: string },
+  }: { team: string | null; project: string | null; deploymentName: string },
 ): string | null {
   const deploymentValue = deploymentType + ":" + deploymentName;
   const commentOnPreviousLine = "# Deployment used by `npx convex dev`";
-  const commentAfterValue = `team: ${team}, project: ${project}`;
-  return changedEnvVarFile(
-    existingFile,
-    CONVEX_DEPLOYMENT_ENV_VAR_NAME,
-    deploymentValue,
+  const commentAfterValue =
+    team !== null && project !== null
+      ? `team: ${team}, project: ${project}`
+      : null;
+  return changedEnvVarFile({
+    existingFileContent: existingFile,
+    envVarName: CONVEX_DEPLOYMENT_ENV_VAR_NAME,
+    envVarValue: deploymentValue,
     commentAfterValue,
     commentOnPreviousLine,
-  );
+  });
 }
 
 // exported for tests

npm-packages/convex/src/cli/lib/envvars.ts

@@ -35,23 +35,35 @@ export async function writeConvexUrlToEnvFile(
   }
 
   const { envFile, envVar, existingFileContent } = writeConfig;
-  const modified = changedEnvVarFile(existingFileContent, envVar, value)!;
+  const modified = changedEnvVarFile({
+    existingFileContent,
+    envVarName: envVar,
+    envVarValue: value,
+    commentAfterValue: null,
+    commentOnPreviousLine: null,
+  })!;
   ctx.fs.writeUtf8File(envFile, modified);
   return writeConfig;
 }
 
-export function changedEnvVarFile(
-  existingFileContent: string | null,
-  envVarName: string,
-  envVarValue: string,
-  commentAfterValue?: string,
-  commentOnPreviousLine?: string,
-): string | null {
+export function changedEnvVarFile({
+  existingFileContent,
+  envVarName,
+  envVarValue,
+  commentAfterValue,
+  commentOnPreviousLine,
+}: {
+  existingFileContent: string | null;
+  envVarName: string;
+  envVarValue: string;
+  commentAfterValue: string | null;
+  commentOnPreviousLine: string | null;
+}): string | null {
   const varAssignment = `${envVarName}=${envVarValue}${
-    commentAfterValue === undefined ? "" : ` # ${commentAfterValue}`
+    commentAfterValue === null ? "" : ` # ${commentAfterValue}`
   }`;
   const commentOnPreviousLineWithLineBreak =
-    commentOnPreviousLine === undefined ? "" : `${commentOnPreviousLine}\n`;
+    commentOnPreviousLine === null ? "" : `${commentOnPreviousLine}\n`;
   if (existingFileContent === null) {
     return `${commentOnPreviousLineWithLineBreak}${varAssignment}\n`;
   }

npm-packages/convex/src/cli/lib/login.ts

@@ -446,6 +446,28 @@ type AcceptOptInsArgs = {
 
 // Returns whether we can proceed or not.
 async function optins(ctx: Context, acceptOptIns: boolean): Promise<boolean> {
+  const bbAuth = ctx.bigBrainAuth();
+  if (bbAuth === null) {
+    // This should never happen, but if we're not even logged in, we can't proceed.
+    return false;
+  }
+  switch (bbAuth.kind) {
+    case "accessToken":
+      break;
+    case "projectKey":
+    case "previewDeployKey":
+      // If we have a key configured as auth, we do not need to check opt ins.
+      return true;
+    default: {
+      const _exhaustivenessCheck: never = bbAuth;
+      return await ctx.crash({
+        exitCode: 1,
+        errorType: "fatal",
+        errForSentry: `Unexpected auth kind ${(bbAuth as any).kind}`,
+        printedMessage: "Hit an unexpected error while logging in.",
+      });
+    }
+  }
   const data = await bigBrainAPI({
     ctx,
     method: "POST",

npm-packages/convex/src/cli/lib/usage.ts

@@ -48,8 +48,8 @@ export async function usageStateWarning(
 ) {
   // Skip the warning if the user doesn’t have an auth token
   // (which can happen for instance when using a deploy key)
-  const auth = ctx.bigBrainAuth()?.header ?? null;
-  if (auth === null) {
+  const auth = ctx.bigBrainAuth();
+  if (auth === null || auth.kind === "projectKey") {
     return;
   }
   const { teamId, team } = await fetchTeamAndProject(ctx, targetDeployment);