refactor(proxy): replace publicAPIKey with studioAuthKey for authentication in proxy

Author: jiashengguo

packages/cli/src/actions/proxy.ts

@@ -34,7 +34,7 @@ type Options = {
     port?: number;
     logLevel?: string[];
     databaseUrl?: string;
-    publicAPIKey?: string;
+    studioAuthKey?: string;
     signatureToleranceSecs?: number;
 };
 
@@ -59,13 +59,13 @@ function normalizePublicKey(key: string): string {
 }
 
 export async function run(options: Options) {
-    // Resolve public key: CLI arg takes precedence, then ZENSTACK_PUBLIC_KEY env var.
-    options = { ...options, publicAPIKey: options.publicAPIKey ?? process.env['ZENSTACK_PUBLIC_KEY'] };
-    if (!options.publicAPIKey) {
+    // Resolve public key: CLI arg takes precedence, then ZENSTACK_STUDIO_AUTH_KEY env var.
+    options = { ...options, studioAuthKey: options.studioAuthKey ?? process.env['ZENSTACK_STUDIO_AUTH_KEY'] };
+    if (!options.studioAuthKey) {
         console.warn(
             colors.yellow(
                 'Warning: This proxy has no authentication. Do not expose it to the public network.\n' +
-                    'To secure it, get an API key from ZenStack Studio and set it via the ZENSTACK_PUBLIC_KEY environment variable.',
+                    'To secure it, get an API key from ZenStack Studio and set it via the ZENSTACK_STUDIO_AUTH_KEY environment variable.',
             ),
         );
     }
@@ -139,9 +139,9 @@ export async function run(options: Options) {
         throw new CliError(`Failed to connect to the database: ${err instanceof Error ? err.message : String(err)}`);
     }
 
-    // If a publicAPIKey is provided, create an authDb with the policy plugin
+    // If a studioAuthKey is provided, create an authDb with the policy plugin
     let authDb: ClientContract<SchemaDef> | undefined;
-    if (options.publicAPIKey) {
+    if (options.studioAuthKey) {
         authDb = db.$use(new PolicyPlugin()) as ClientContract<SchemaDef>;
         console.log(colors.gray('Access policy plugin enabled for authorization.'));
     }
@@ -244,7 +244,7 @@ export function createProxyApp(
     client: ClientContract<SchemaDef>,
     schema: SchemaDef,
     options?: {
-        publicAPIKey?: string;
+        studioAuthKey?: string;
         authDb?: ClientContract<SchemaDef>;
         /** Seconds within which a signed request is considered valid. Defaults to 60. */
         signatureToleranceSecs?: number;
@@ -263,10 +263,10 @@ export function createProxyApp(
     );
     app.use(express.urlencoded({ extended: true, limit: '5mb' }));
 
-    if (options?.publicAPIKey) {
+    if (options?.studioAuthKey) {
         // Apply signature-verification middleware to all authenticated endpoints.
         const toleranceSecs = options.signatureToleranceSecs ?? 60;
-        const normalizedKey = normalizePublicKey(options.publicAPIKey);
+        const normalizedKey = normalizePublicKey(options.studioAuthKey);
         app.use(['/api/model', '/api/schema'], createSignatureMiddleware(normalizedKey, toleranceSecs));
     }
 
@@ -370,7 +370,7 @@ function createSignatureMiddleware(publicKey: string, toleranceSeconds: number)
 /**
  * Resolves the appropriate client for a request based on the Authorization header.
  *
- * - No publicAPIKey configured (authDb is undefined): always return the base client.
+ * - No studioAuthKey configured (authDb is undefined): always return the base client.
  * - SuperUser claim: return the base client (full access, no policy enforcement).
  * - Regular user claim: return authDb with the user identity set via $setAuth.
  * - No / invalid token: return the base client.
@@ -415,7 +415,7 @@ function startServer(
     authDb?: ClientContract<SchemaDef>,
 ) {
     const app = createProxyApp(client, schema, {
-        publicAPIKey: options.publicAPIKey,
+        studioAuthKey: options.studioAuthKey,
         authDb,
         signatureToleranceSecs: options.signatureToleranceSecs,
     });

packages/cli/src/index.ts

@@ -265,8 +265,8 @@ Arguments following -- are passed to the seed script. E.g.: "zen db seed -- --us
         .addOption(new Option('-l, --logLevel <level...>', 'Query log levels (e.g., query, error)'))
         .addOption(
             new Option(
-                '--publicAPIKey <key>',
-                'public key used to verify request signatures. Can also be set via the ZENSTACK_PUBLIC_KEY environment variable. ',
+                '--studioAuthKey <key>',
+                'Authentication key from ZenStack Studio. When set, the proxy will only accept requests signed by your Studio project.\nCan also be set via the ZENSTACK_STUDIO_AUTH_KEY environment variable. ',
             ),
         )
         .addOption(

packages/cli/test/proxy.test.ts

@@ -230,7 +230,7 @@ describe('CLI proxy tests', () => {
 
     // ─── AuthN: signature verification ─────────────────────────────────────────
 
-    describe('signature verification (publicAPIKey configured)', () => {
+    describe('signature verification (studioAuthKey configured)', () => {
         const zmodel = `
             model User {
                 id    String @id @default(cuid())
@@ -240,7 +240,7 @@ describe('CLI proxy tests', () => {
 
         it('should reject requests missing the signature header with 401', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             const r = await fetch(`${baseUrl}/api/model/user/findMany`);
@@ -252,7 +252,7 @@ describe('CLI proxy tests', () => {
 
         it('should reject requests with an invalid signature with 401', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             const r = await fetch(`${baseUrl}/api/model/user/findMany`, {
@@ -263,7 +263,7 @@ describe('CLI proxy tests', () => {
 
         it('should allow GET requests with a valid signature', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             const path = '/api/model/user/findMany';
@@ -279,7 +279,7 @@ describe('CLI proxy tests', () => {
 
         it('should allow GET request with query params and a valid signature', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             // Pre-seed a record directly via client
@@ -303,7 +303,7 @@ describe('CLI proxy tests', () => {
 
         it('should allow POST (create) requests with a valid signature', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             const reqBody = { data: { email: 'bob@example.com' } };
@@ -327,7 +327,7 @@ describe('CLI proxy tests', () => {
 
         it('should allow PUT (update) requests with a valid signature', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             // Seed a record
@@ -354,7 +354,7 @@ describe('CLI proxy tests', () => {
 
         it('should allow signed schema endpoint', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             const pathWithQuery = '/api/schema';
@@ -368,9 +368,9 @@ describe('CLI proxy tests', () => {
             expect(body).toHaveProperty('models');
         });
 
-        it('should not require signatures when publicAPIKey is not configured', async () => {
+        it('should not require signatures when studioAuthKey is not configured', async () => {
             const client = await createTestClient(zmodel);
-            // No publicAPIKey — backwards-compatible mode
+            // No studioAuthKey — backwards-compatible mode
             const app = createProxyApp(client, client.$schema);
             const baseUrl = await startAt(app);
 
@@ -399,7 +399,7 @@ describe('CLI proxy tests', () => {
         it('should accept a raw base64 DER key (without PEM markers)', async () => {
             const client = await createTestClient(zmodel);
             // Pass the key as raw base64 DER — no PEM markers
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY_DER });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY_DER });
             const baseUrl = await startAt(app);
 
             const pathWithQuery = '/api/model/user/findMany';
@@ -410,16 +410,16 @@ describe('CLI proxy tests', () => {
             expect(r.status).toBe(200);
         });
 
-        it('should accept a key supplied via ZENSTACK_PUBLIC_KEY env variable', async () => {
+        it('should accept a key supplied via ZENSTACK_STUDIO_AUTH_KEY env variable', async () => {
             const client = await createTestClient(zmodel);
             // createProxyApp receives the already-resolved key (as run() would pass it),
             // so we simulate env var resolution by passing the PEM directly.
-            process.env['ZENSTACK_PUBLIC_KEY'] = TEST_PUBLIC_KEY;
+            process.env['ZENSTACK_STUDIO_AUTH_KEY'] = TEST_PUBLIC_KEY;
             try {
-                // No publicAPIKey option — would normally fall back to env var via run();
+                // No studioAuthKey option — would normally fall back to env var via run();
                 // here we verify the middleware still works when the resolved key is provided.
                 const app = createProxyApp(client, client.$schema, {
-                    publicAPIKey: process.env['ZENSTACK_PUBLIC_KEY'],
+                    studioAuthKey: process.env['ZENSTACK_STUDIO_AUTH_KEY'],
                 });
                 const baseUrl = await startAt(app);
 
@@ -430,7 +430,7 @@ describe('CLI proxy tests', () => {
                 });
                 expect(r.status).toBe(200);
             } finally {
-                delete process.env['ZENSTACK_PUBLIC_KEY'];
+                delete process.env['ZENSTACK_STUDIO_AUTH_KEY'];
             }
         });
     });
@@ -447,7 +447,7 @@ describe('CLI proxy tests', () => {
 
         it('should reject a request whose timestamp is older than the tolerance window', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             // Timestamp 120 seconds ago — exceeds default 60-second tolerance
@@ -470,7 +470,7 @@ describe('CLI proxy tests', () => {
 
         it('should reject a request whose timestamp is too far in the future', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             // Timestamp 120 seconds in the future — exceeds default 60-second tolerance
@@ -495,7 +495,7 @@ describe('CLI proxy tests', () => {
             const client = await createTestClient(zmodel);
             // Custom tolerance of 300 seconds
             const app = createProxyApp(client, client.$schema, {
-                publicAPIKey: TEST_PUBLIC_KEY,
+                studioAuthKey: TEST_PUBLIC_KEY,
                 signatureToleranceSecs: 300,
             });
             const baseUrl = await startAt(app);
@@ -520,7 +520,7 @@ describe('CLI proxy tests', () => {
             const client = await createTestClient(zmodel);
             // Very tight tolerance of 5 seconds
             const app = createProxyApp(client, client.$schema, {
-                publicAPIKey: TEST_PUBLIC_KEY,
+                studioAuthKey: TEST_PUBLIC_KEY,
                 signatureToleranceSecs: 5,
             });
             const baseUrl = await startAt(app);
@@ -554,7 +554,7 @@ describe('CLI proxy tests', () => {
 
         it('should reject a valid signature if it was produced without the Authorization token', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             // Sign without including the auth token
@@ -580,7 +580,7 @@ describe('CLI proxy tests', () => {
 
         it('should accept a request where the signature covers the Authorization token', async () => {
             const client = await createTestClient(zmodel);
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY });
             const baseUrl = await startAt(app);
 
             const authToken = makeUserToken({ type: 'superUser' });
@@ -619,7 +619,7 @@ describe('CLI proxy tests', () => {
             const fullZmodel = extraZmodel ? `${zmodel}\n${extraZmodel}` : zmodel;
             const client = await createTestClient(fullZmodel);
             const authDb = client.$use(new PolicyPlugin());
-            return { client, app: createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY, authDb }) };
+            return { client, app: createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY, authDb }) };
         }
 
         async function signedFetch(baseUrl: string, path: string, init: RequestInit = {}): Promise<Response> {
@@ -742,7 +742,7 @@ describe('CLI proxy tests', () => {
             `;
             const client = await createTestClient(fullZmodel);
             const authDb = client.$use(new PolicyPlugin());
-            const app = createProxyApp(client, client.$schema, { publicAPIKey: TEST_PUBLIC_KEY, authDb });
+            const app = createProxyApp(client, client.$schema, { studioAuthKey: TEST_PUBLIC_KEY, authDb });
             const baseUrl = await startAt(app);
 
             // Seed users