Prevent app-limited API keys from leaking sibling app existence #2014

Open
riderx wants to merge 1 commit into main from codex/fix-ghsa-73p9-mprg-7r75

Conversation

riderx (Member) commented May 2, 2026

Summary

  • Deny app-limited API keys before statistics app lookups when the requested app is outside the key scope.
  • Keep sibling-app and nonexistent-app requests indistinguishable for scoped keys.
  • Add a regression test covering a real sibling app and a fake app under the same limited subkey.

Testing

  • bun lint
  • bun lint:backend
  • bunx eslint tests/statistics.test.ts
  • bunx vitest run tests/statistics-retries.unit.test.ts
  • bunx vitest run tests/bundle-usage.unit.test.ts
  • git diff --check
  • Not run: tests/statistics.test.ts integration suite, because local Supabase could not start without Docker

Summary by CodeRabbit

Release Notes

  • Security
    • Enhanced API key validation to properly enforce app-limited scope restrictions. API keys restricted to specific apps now correctly deny access when querying unauthorized apps, returning a 401 error.


coderabbitai Bot (Contributor) commented May 2, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 97ee8f0 and 5742c01.

📒 Files selected for processing (2)
  • supabase/functions/_backend/public/statistics/index.ts
  • tests/statistics.test.ts

📝 Walkthrough

A new helper function denyAppLimitedApiKeyOutsideScope blocks API key requests when the key is restricted to specific apps but the requested app is outside that scope. The check is added to two statistics endpoints and verified with tests ensuring out-of-scope access returns 401 no_access_to_app.

Changes

API Key Scope Enforcement

Layer: Access Control Helper
File(s): supabase/functions/_backend/public/statistics/index.ts (156–168)
Summary: New denyAppLimitedApiKeyOutsideScope helper validates that apikey-authenticated requests specify an app_id within the key's limited_to_apps scope; throws 401 no_access_to_app if not.

Layer: Endpoint Integration
File(s): supabase/functions/_backend/public/statistics/index.ts (770–774, 844–848)
Summary: Helper is invoked at the start of the /app/:app_id and /app/:app_id/bundle_usage endpoints, before permission checks and downstream logic.

Layer: Test Coverage
File(s): tests/statistics.test.ts (1–3, 25–45, 168–194)
Summary: Added randomUUID import, helper functions to create/delete test sibling apps, and a test case verifying that 401 no_access_to_app is returned when accessing sibling or non-existent apps with an app-limited API key.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • [codex] fix scoped API key org boundary bypass #1951: Both PRs enforce API key scope boundaries to prevent out-of-scope access; this PR adds the check at statistics endpoints while the related PR enforces scope within RBAC handlers, addressing the same underlying security concern.

Poem

🐰 A key guards its realm with scope so tight,
No sneaking past boundaries—security's might!
Tests confirm the walls stand strong,
Apps stay hidden when you don't belong. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 14.29%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title directly and clearly identifies the security issue being addressed: preventing app-limited API keys from revealing the existence of sibling apps.
Description check: ✅ Passed. The description includes a comprehensive Summary section and a detailed Testing section documenting all tests run, though it deviates from the template structure.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

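The ordering fix that the PR summary and the walkthrough above describe, shown as an added example in TypeScript. This is not the project's own code: the names denyAppLimitedApiKeyOutsideScope, limited_to_apps and no_access_to_app come from the PR, while the record shapes, the in-memory app table, the HttpError class and the handler structure are assumptions made for this illustration. The leaky handler models the pre-fix shape, where the app lookup runs before the scope gate and a scoped key therefore sees 404 for a fake app but 401 for a real sibling; the fixed handler runs the gate first, so both requests produce the same 401 no_access_to_app.

```typescript
// Added example, not the project's code. Names taken from the PR:
// denyAppLimitedApiKeyOutsideScope, limited_to_apps, no_access_to_app.
// Everything else (types, sample data, HttpError, handler shape) is assumed.

type ApiKey = {
  key: string;
  org_id: string;
  // null or empty: the key is valid for every app of its org;
  // otherwise the key may only act on the listed app ids.
  limited_to_apps: string[] | null;
};

type AppRecord = { app_id: string; org_id: string };

type ApiResponse = { status: number; code: string };

class HttpError extends Error {
  constructor(public readonly status: number, public readonly code: string) {
    super(code);
  }
}

// Constructed sample data: one org with two apps and a key scoped to the first.
const APPS: AppRecord[] = [
  { app_id: 'com.example.alpha', org_id: 'org-1' },
  { app_id: 'com.example.beta', org_id: 'org-1' },
];

export const KEY_LIMITED_TO_ALPHA: ApiKey = {
  key: 'constructed-key',
  org_id: 'org-1',
  limited_to_apps: ['com.example.alpha'],
};

function findApp(appId: string): AppRecord | undefined {
  return APPS.find((a) => a.app_id === appId);
}

// Scope gate: inspects only the key and the requested id, never the app table,
// so its outcome cannot depend on whether the requested app exists.
export function denyAppLimitedApiKeyOutsideScope(apikey: ApiKey, appId: string): void {
  const scope = apikey.limited_to_apps;
  if (!scope || scope.length === 0) return; // org-wide key, nothing to restrict
  if (!scope.includes(appId)) throw new HttpError(401, 'no_access_to_app');
}

function toResponse(e: unknown): ApiResponse {
  if (e instanceof HttpError) return { status: e.status, code: e.code };
  return { status: 500, code: 'internal' };
}

// Leaky ordering (pre-fix shape): the lookup runs first, so an out-of-scope key
// gets 404 for a nonexistent app but 401 for a real sibling app.
export function statsHandlerLeaky(apikey: ApiKey, appId: string): ApiResponse {
  try {
    const app = findApp(appId);
    if (!app) throw new HttpError(404, 'app_not_found');
    denyAppLimitedApiKeyOutsideScope(apikey, appId);
    return { status: 200, code: 'ok' };
  } catch (e) {
    return toResponse(e);
  }
}

// Fixed ordering: deny before any lookup, so a sibling app and a fake app are
// indistinguishable to a key that is not scoped to them.
export function statsHandlerFixed(apikey: ApiKey, appId: string): ApiResponse {
  try {
    denyAppLimitedApiKeyOutsideScope(apikey, appId);
    const app = findApp(appId);
    if (!app) throw new HttpError(404, 'app_not_found');
    return { status: 200, code: 'ok' };
  } catch (e) {
    return toResponse(e);
  }
}

// Regression check in the spirit of the PR's test: a handler leaks existence
// if a real sibling and a fake app yield different responses for the same
// limited key.
export function leaksSiblingExistence(
  handler: (k: ApiKey, id: string) => ApiResponse,
  apikey: ApiKey,
  siblingId: string,
  fakeId: string,
): boolean {
  const a = handler(apikey, siblingId);
  const b = handler(apikey, fakeId);
  return a.status !== b.status || a.code !== b.code;
}
```

The check that matters is leaksSiblingExistence: it returns true for statsHandlerLeaky and false for statsHandlerFixed, which is the property the PR's new test case pins down with a real sibling app and a random non-existent app under the same limited subkey.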

codspeed-hq Bot (Contributor) commented May 2, 2026

Merging this PR will not alter performance

✅ 28 untouched benchmarks


Comparing codex/fix-ghsa-73p9-mprg-7r75 (5742c01) with main (17d36c6) [1]

Footnotes

[1] No successful run was found on main (97ee8f0) during the generation of this report, so 17d36c6 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

sonarqubecloud Bot commented May 2, 2026
