fix: Allow using CST created with PAT to authenticate requests (#233)

Co-authored-by: Seam Bot <[email protected]>

Author: andrii-balitskyi

src/lib/middleware/with-client-session.ts

@@ -99,13 +99,6 @@ export const withClientSession: Middleware<
     })
   }
 
-  if (publishable_key == null && api_key_id == null) {
-    throw new UnauthorizedException({
-      type: "unauthorized",
-      message: "publishable key or api key must be set",
-    })
-  }
-
   req.auth = {
     type: "client_session",
     client_session_id,

test/api/client_sessions/create.test.ts

@@ -54,3 +54,33 @@ test("POST /client_sessions/create api key", async (t: ExecutionContext) => {
     "Client session is correctly associated with the api key that was used to create it",
   )
 })
+
+test("POST /client_sessions/create with PAT with workspace", async (t) => {
+  const { axios, db } = await getTestServer(t, { seed: false })
+  const seed_result = seedDatabase(db)
+
+  const {
+    data: { client_session },
+  } = await axios.post(
+    "/client_sessions/create",
+    {
+      user_identifier_key: "[email protected]",
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${seed_result.seam_at1_token}`,
+        "Seam-Workspace": seed_result.seed_workspace_1,
+      },
+    },
+  )
+
+  t.truthy(client_session.token)
+  t.truthy(client_session.created_at)
+
+  // Verify that the CST can be used to authenticate requests
+  axios.defaults.headers.common.Authorization = `Bearer ${client_session.token}`
+  const {
+    data: { devices },
+  } = await axios.get("/devices/list")
+  t.is(devices.length, 0)
+})

test/middleware/with-client-session.test.ts

@@ -85,26 +85,4 @@ test("withClientSession middleware - successful auth", async (t) => {
   )
   t.is(revokedErr?.status, 401)
   t.is(revokedErr?.response.error.type, "client_session_revoked")
-
-  // Test client session without api key or publishable key
-  const invalid_session = db.addClientSession({
-    workspace_id: seed_result.seed_workspace_1,
-  })
-
-  const invalidSessionErr = await t.throwsAsync<SimpleAxiosError>(
-    axios.get("/connected_accounts/get", {
-      params: {
-        connected_account_id: seed_result.john_connected_account_id,
-      },
-      headers: {
-        Authorization: `Bearer ${invalid_session.token}`,
-      },
-    }),
-  )
-  t.is(invalidSessionErr?.status, 401)
-  t.is(invalidSessionErr?.response.error.type, "unauthorized")
-  t.is(
-    invalidSessionErr?.response.error.message,
-    "publishable key or api key must be set",
-  )
 })