fix(webapp): migrate snapshot-url PUT to createActionApiRoute

ericallam · ericallam · commit b589739850da · 2026-05-20T18:51:26.000+01:00
Address Devin findings on PR #3679: - Migrate the PUT action handler from the deprecated `authenticateApiRequest` to `createActionApiRoute` so it picks up `allowJWT: true` symmetrically with the GET loader. Without this, the SDK's run-scoped JWT (which is how chat.agent workers authenticate against the API) was rejected on every snapshot upload — the PR worked in tests against the dev API key but would have 401'd in real run-scoped contexts. - Both PUT and GET now go through the same builder pattern with the same config (`findResource`, CORS, JWT), eliminating the style drift the initial implementation introduced.
diff --git a/apps/webapp/app/routes/api.v1.sessions.$sessionId.snapshot-url.ts b/apps/webapp/app/routes/api.v1.sessions.$sessionId.snapshot-url.ts
@@ -1,13 +1,14 @@
-import type { ActionFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { $replica } from "~/db.server";
-import { authenticateApiRequest } from "~/services/apiAuth.server";
 import {
   chatSnapshotStoragePathForSession,
   resolveSessionByIdOrExternalId,
 } from "~/services/realtime/sessions.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  createActionApiRoute,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { generatePresignedUrl } from "~/v3/objectStore.server";
 
 const ParamsSchema = z.object({
@@ -22,47 +23,16 @@ function snapshotKey(session: { friendlyId: string; chatSnapshotStoragePath: str
   return session.chatSnapshotStoragePath ?? chatSnapshotStoragePathForSession(session.friendlyId);
 }
 
-export async function action({ request, params }: ActionFunctionArgs) {
-  if (request.method.toUpperCase() !== "PUT") {
-    return json({ error: "Method Not Allowed" }, { status: 405 });
-  }
-
-  const auth = await authenticateApiRequest(request);
-  if (!auth) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const parsed = ParamsSchema.parse(params);
-  const session = await resolveSessionByIdOrExternalId(
-    $replica,
-    auth.environment.id,
-    parsed.sessionId
-  );
-  if (!session) {
-    return json({ error: "Session not found" }, { status: 404 });
-  }
+const routeConfig = {
+  params: ParamsSchema,
+  allowJWT: true,
+  corsStrategy: "all" as const,
+  findResource: async (params: z.infer<typeof ParamsSchema>, auth: { environment: { id: string } }) =>
+    resolveSessionByIdOrExternalId($replica, auth.environment.id, params.sessionId),
+};
 
-  const signed = await generatePresignedUrl(
-    auth.environment.project.externalRef,
-    auth.environment.slug,
-    snapshotKey(session),
-    "PUT"
-  );
-  if (!signed.success) {
-    return json({ error: `Failed to generate presigned URL: ${signed.error}` }, { status: 500 });
-  }
-
-  return json({ presignedUrl: signed.url });
-}
-
-export const loader = createLoaderApiRoute(
-  {
-    params: ParamsSchema,
-    allowJWT: true,
-    corsStrategy: "all",
-    findResource: async (params, auth) =>
-      resolveSessionByIdOrExternalId($replica, auth.environment.id, params.sessionId),
-  },
+export const { action } = createActionApiRoute(
+  { ...routeConfig, method: "PUT" },
   async ({ authentication, resource: session }) => {
     if (!session) {
       return json({ error: "Session not found" }, { status: 404 });
@@ -72,7 +42,7 @@ export const loader = createLoaderApiRoute(
       authentication.environment.project.externalRef,
       authentication.environment.slug,
       snapshotKey(session),
-      "GET"
+      "PUT"
     );
     if (!signed.success) {
       return json({ error: `Failed to generate presigned URL: ${signed.error}` }, { status: 500 });
@@ -81,3 +51,21 @@ export const loader = createLoaderApiRoute(
     return json({ presignedUrl: signed.url });
   }
 );
+
+export const loader = createLoaderApiRoute(routeConfig, async ({ authentication, resource: session }) => {
+  if (!session) {
+    return json({ error: "Session not found" }, { status: 404 });
+  }
+
+  const signed = await generatePresignedUrl(
+    authentication.environment.project.externalRef,
+    authentication.environment.slug,
+    snapshotKey(session),
+    "GET"
+  );
+  if (!signed.success) {
+    return json({ error: `Failed to generate presigned URL: ${signed.error}` }, { status: 500 });
+  }
+
+  return json({ presignedUrl: signed.url });
+});
