add env var to restrict api key creation

msukkari · msukkari · commit f3c2881f9641 · 2025-10-28T15:27:30.000-07:00
diff --git a/packages/web/src/actions.ts b/packages/web/src/actions.ts
@@ -393,7 +393,16 @@ export const verifyApiKey = async (apiKeyPayload: ApiKeyPayload): Promise<{ apiK
 
 export const createApiKey = async (name: string, domain: string): Promise<{ key: string } | ServiceError> => sew(() =>
     withAuth((userId) =>
-        withOrgMembership(userId, domain, async ({ org }) => {
+        withOrgMembership(userId, domain, async ({ org, userRole }) => {
+            if (env.EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS === 'true' && userRole !== OrgRole.OWNER) {
+               logger.error(`API key creation is disabled for non-admin users. User ${userId} is not an owner.`);
+               return {
+                statusCode: StatusCodes.FORBIDDEN,
+                errorCode: ErrorCode.INSUFFICIENT_PERMISSIONS,
+                message: "API key creation is disabled for non-admin users.",
+               } satisfies ServiceError;
+            }
+
             const existingApiKey = await prisma.apiKey.findFirst({
                 where: {
                     createdById: userId,
diff --git a/packages/web/src/env.mjs b/packages/web/src/env.mjs
@@ -18,7 +18,7 @@ export const env = createEnv({
         
         // Auth
         FORCE_ENABLE_ANONYMOUS_ACCESS: booleanSchema.default('false'),
-        
+
         AUTH_SECRET: z.string(),
         AUTH_URL: z.string().url(),
         AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.default('true'),
@@ -130,10 +130,12 @@ export const env = createEnv({
 
         SOURCEBOT_DEMO_EXAMPLES_PATH: z.string().optional(),
 
+        // Experimental Environment Variables
+        // @note: These environment variables are subject to change at any time and are not garunteed to be backwards compatible.
+        EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS: booleanSchema.default('false'),
         EXPERIMENT_SELF_SERVE_REPO_INDEXING_ENABLED: booleanSchema.default('false'),
         // @NOTE: Take care to update actions.ts when changing the name of this.
         EXPERIMENT_SELF_SERVE_REPO_INDEXING_GITHUB_TOKEN: z.string().optional(),
-
         EXPERIMENT_EE_PERMISSION_SYNC_ENABLED: booleanSchema.default('false'),
     },
     // @NOTE: Please make sure of the following:
