test(e2e): scoped admin-owned API key cannot escalate past its allowlist

viktormarinho · claude · viktormarinho · commit b30b57f8afa0 · 2026-06-27T17:18:36.000-03:00
Black-box HTTP regression for the privilege-escalation fix: an admin-owned key
scoped to AUTOMATION_LIST is denied MONITORING_STATS and API_KEY_CREATE (403),
while a key created with the default permission set still reaches a
non-basic-usage tool via the owner's role (not 403) — guarding the default-key
fleet (orgfs-&lt;org&gt;) from being retroactively locked down.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/e2e/tests/apikey-scope-enforcement.spec.ts b/packages/e2e/tests/apikey-scope-enforcement.spec.ts
@@ -0,0 +1,116 @@
+/**
+ * E2E: a deliberately-scoped API key is capped at its allowlist even when its
+ * owner is an org admin/owner.
+ *
+ * Regression for the privilege-escalation bug where the admin/owner role bypass
+ * fired before a key's stored `permissions` were checked — so a "read-only" key
+ * minted by an admin acted with full org power (could call API_KEY_CREATE,
+ * MONITORING_STATS, etc.). See apps/mesh/src/auth/api-key-permissions.ts.
+ *
+ * Contract proven over HTTP only:
+ *   - a key narrowed past the default set is denied an out-of-scope tool (403),
+ *     including the exact escalation (API_KEY_CREATE), and
+ *   - a key created WITHOUT explicit scope (the default permission set, which
+ *     the large `orgfs-<org>` fleet uses) still inherits the owner's role and is
+ *     NOT denied — so the fix doesn't retroactively lock down default keys.
+ */
+import { signUpViaApi } from "../fixtures/auth-api";
+import { expect, newApiContext, test } from "../fixtures/test";
+
+test.describe("API key scope enforcement", () => {
+  test("an admin-owned scoped key cannot escalate past its allowlist", async ({
+    playwright,
+  }) => {
+    const ownerCtx = await newApiContext(playwright);
+    const owner = await signUpViaApi(ownerCtx);
+    const stamp = `${Date.now()}-${Math.floor(Math.random() * 1e6)}`;
+
+    // The owner is admin/owner of their auto-created org. Mint a key DELIBERATELY
+    // scoped to a single tool. Scoped keys must be created server-side via the
+    // tool (Better Auth blocks `permissions` on cookie/client requests), and the
+    // owner's admin role authorizes the cookie-session call here.
+    const createScoped = await ownerCtx.post(
+      `/api/${owner.orgSlug}/tools/API_KEY_CREATE`,
+      {
+        data: {
+          name: `scoped-${stamp}`,
+          permissions: { self: ["AUTOMATION_LIST"] },
+        },
+      },
+    );
+    expect(
+      createScoped.ok(),
+      `API_KEY_CREATE(scoped): HTTP ${createScoped.status()} — ${await createScoped.text().catch(() => "")}`,
+    ).toBe(true);
+    const scopedKey = ((await createScoped.json()) as { key?: string }).key;
+    expect(scopedKey, "scoped key value returned").toBeTruthy();
+
+    // A key created WITHOUT explicit scope gets the system default permission
+    // set. The fleet of default keys (e.g. orgfs-<org>) relies on inheriting the
+    // owner's role, so this must remain un-enforced.
+    const createDefault = await ownerCtx.post(
+      `/api/${owner.orgSlug}/tools/API_KEY_CREATE`,
+      { data: { name: `default-${stamp}` } },
+    );
+    expect(
+      createDefault.ok(),
+      `API_KEY_CREATE(default): HTTP ${createDefault.status()}`,
+    ).toBe(true);
+    const defaultKey = ((await createDefault.json()) as { key?: string }).key;
+    expect(defaultKey, "default key value returned").toBeTruthy();
+
+    // Bearer-auth context with no session cookie → auth is purely the API key.
+    const apiCtx = await newApiContext(playwright);
+    const auth = (key: string) => ({ Authorization: `Bearer ${key}` });
+
+    // In allowlist → allowed (the key authenticates and works).
+    const inScope = await apiCtx.post(
+      `/api/${owner.orgSlug}/tools/AUTOMATION_LIST`,
+      { headers: auth(scopedKey!), data: {} },
+    );
+    expect(
+      inScope.ok(),
+      `scoped AUTOMATION_LIST: HTTP ${inScope.status()}`,
+    ).toBe(true);
+
+    // Out of allowlist AND not a basic-usage tool → DENIED, even though the
+    // owner is an admin. This is the fix.
+    const outOfScope = await apiCtx.post(
+      `/api/${owner.orgSlug}/tools/MONITORING_STATS`,
+      { headers: auth(scopedKey!), data: {} },
+    );
+    expect(
+      outOfScope.status(),
+      `scoped MONITORING_STATS should be 403, got ${outOfScope.status()}`,
+    ).toBe(403);
+    const deniedBody = (await outOfScope.json()) as { error?: string };
+    expect(deniedBody.error ?? "").toMatch(
+      /access denied|permission|forbidden/i,
+    );
+
+    // The exact escalation from the report: a scoped key must not mint keys.
+    const escalate = await apiCtx.post(
+      `/api/${owner.orgSlug}/tools/API_KEY_CREATE`,
+      { headers: auth(scopedKey!), data: { name: `should-not-work-${stamp}` } },
+    );
+    expect(
+      escalate.status(),
+      `scoped API_KEY_CREATE should be 403, got ${escalate.status()}`,
+    ).toBe(403);
+
+    // Regression guard: the default-permission key still reaches a non-basic-usage
+    // tool via the owner's admin role (NOT denied). Status may be 200 or a
+    // downstream error, but never 403.
+    const defaultReach = await apiCtx.post(
+      `/api/${owner.orgSlug}/tools/MONITORING_STATS`,
+      { headers: auth(defaultKey!), data: {} },
+    );
+    expect(
+      defaultReach.status(),
+      `default key MONITORING_STATS must not be 403, got ${defaultReach.status()}`,
+    ).not.toBe(403);
+
+    await ownerCtx.dispose();
+    await apiCtx.dispose();
+  });
+});
