Skip to content

fix: api key security risk#1712

Merged
nikhilsinhaparseable merged 1 commit into
parseablehq:mainfrom
nikhilsinhaparseable:fix/api-key
Jul 1, 2026
Merged

fix: api key security risk#1712
nikhilsinhaparseable merged 1 commit into
parseablehq:mainfrom
nikhilsinhaparseable:fix/api-key

Conversation

@nikhilsinhaparseable

@nikhilsinhaparseable nikhilsinhaparseable commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

add tenant id to the header when sent in the request
otherwise server treats this as default tenant

Summary by CodeRabbit

  • Bug Fixes
    • Requests authenticated with an API key now carry the correct tenant information through the rest of the request flow.
    • Downstream features that depend on tenant context now reliably use the tenant associated with the API key user, improving consistency when a tenant header is also provided.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ea335922-7c31-4454-9f70-d2f4ec65e250

📥 Commits

Reviewing files that changed from the base of the PR and between 5961b33 and e9a7f16.

📒 Files selected for processing (1)
  • src/handlers/http/middleware.rs
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/handlers/http/middleware.rs

Walkthrough

AuthMiddleware now writes TENANT_ID from the tenant tied to an API-key-resolved user before session tracking continues in the HTTP auth flow.

Changes

Tenant Header Injection in Auth Middleware

Layer / File(s) Summary
Insert TENANT_ID from API key user
src/handlers/http/middleware.rs
When an incoming request's API key resolves to an ApiKey user, the middleware inserts a TENANT_ID header derived from that user's tenant before proceeding with session tracking and the rest of the auth flow.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Poem

A key comes hopping through the door,
Its tenant tag now seen once more.
I stamp the header, quick and neat,
Then auth continues on its feet. 🐇

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is too brief and misses the template's issue reference, detailed description, rationale, key changes, and checklist. Add a Fixes #XXXX reference if applicable, expand the Description with goal/rationale/key changes, and complete or remove the checklist items.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and reflects the API key/tenant header fix, though it is broad about the exact risk.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

add tenant id to the header when sent in the request
otherwise server treats this as default tenant
@nikhilsinhaparseable nikhilsinhaparseable merged commit 6dae911 into parseablehq:main Jul 1, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants