refactor: replace global API_KEY with per-app clientApiKey

Remove global API_KEY env var and its validation in checkAuth. Auth via x-api-key now exclusively uses clientApiKey per-app validated inline on POST /api/bugs.
2026-04-30 15:16:54 +08:00
parent 6124ee5bf6
commit 722bca8a61
2 changed files with 1 additions and 9 deletions
--- a/src/app.ts
+++ b/src/app.ts
@@ -36,13 +36,6 @@ async function checkAuth(request: Request): Promise<AuthResult | null> {
    }
  }

-  const apiKey = request.headers.get('x-api-key')
-  if (apiKey && apiKey === env.API_KEY) {
-    const developer = await prisma.user.findFirst({ where: { role: 'DEVELOPER' } })
-    if (!developer) return null
-    return { actingUserId: developer.id, reporterUserId: null, isApiKey: true }
-  }
-
  return null
 }

@@ -885,7 +878,7 @@ export function createApp() {
        set.status = 401
        return { error: 'Unauthorized: provide session cookie or valid X-API-Key' }
      }
-      const { actingUserId, reporterUserId, isApiKey } = auth
+      const { actingUserId, reporterUserId } = auth

      const bug = await prisma.bug.create({
        data: {
--- a/src/lib/env.ts
+++ b/src/lib/env.ts
@@ -17,7 +17,6 @@ export const env = {
  GOOGLE_CLIENT_ID: required('GOOGLE_CLIENT_ID'),
  GOOGLE_CLIENT_SECRET: required('GOOGLE_CLIENT_SECRET'),
  SUPER_ADMIN_EMAILS: optional('SUPER_ADMIN_EMAIL', '').split(',').map(e => e.trim()).filter(Boolean),
-  API_KEY: required('API_KEY'),
  MINIO_ENDPOINT: required('MINIO_ENDPOINT'),
  MINIO_PORT: parseInt(optional('MINIO_PORT', '443'), 10),
  MINIO_USE_SSL: optional('MINIO_USE_SSL', 'true') === 'true',