Skip to content

Commit 9fcb2f7

Browse files
steebchenclaude
andauthored
feat(sso): seed default developer API key limit (#2948)
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent c2e405f commit 9fcb2f7

4 files changed

Lines changed: 26443 additions & 1 deletion

File tree

apps/api/src/routes/sso.ts

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ import { maskToken } from "@/lib/maskToken.js";
99
import { getOrgProjectsOldestFirst } from "@/lib/sso-default-projects.js";
1010

1111
import { logAuditEvent } from "@llmgateway/audit";
12-
import { and, db, eq, shortid, tables } from "@llmgateway/db";
12+
import { and, db, eq, isNull, shortid, tables } from "@llmgateway/db";
1313
import { getApiKeyFingerprint } from "@llmgateway/shared/api-key-hash";
1414

1515
import type { ServerTypes } from "@/vars.js";
@@ -19,6 +19,12 @@ export const sso = new OpenAPIHono<ServerTypes>();
1919

2020
const apiUrl = getApiBaseUrl();
2121

22+
// Default per-developer active API key cap seeded when an org first wires up
23+
// SSO. Developers are provisioned in bulk via SCIM/SSO, so give them a sane
24+
// baseline that admins can still override org-wide (default developer budget)
25+
// or per member.
26+
const DEFAULT_SSO_DEVELOPER_MAX_API_KEYS = 3;
27+
2228
async function assertEnterpriseOrgAccess(
2329
userId: string,
2430
organizationId: string,
@@ -311,6 +317,19 @@ sso.openapi(register, async (c) => {
311317
createdAt: tables.ssoProvider.createdAt,
312318
});
313319

320+
// Seed a reasonable default per-developer API key cap for the org. Only set
321+
// it when the org hasn't already configured its own default developer budget,
322+
// so we never clobber an explicit admin choice.
323+
await db
324+
.update(tables.organization)
325+
.set({ defaultDeveloperMaxApiKeys: DEFAULT_SSO_DEVELOPER_MAX_API_KEYS })
326+
.where(
327+
and(
328+
eq(tables.organization.id, organizationId),
329+
isNull(tables.organization.defaultDeveloperMaxApiKeys),
330+
),
331+
);
332+
314333
await logAuditEvent({
315334
organizationId,
316335
userId: user.id,
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
-- Backfill a reasonable default per-developer API key cap (3) for organizations
2+
-- that already have an SSO connection but never configured their own default
3+
-- developer budget. New SSO setups seed this at registration time; this covers
4+
-- the handful of orgs provisioned before that seeding existed. Only NULL values
5+
-- are touched so we never clobber an explicit admin choice.
6+
UPDATE "organization"
7+
SET "default_developer_max_api_keys" = 3
8+
WHERE "default_developer_max_api_keys" IS NULL
9+
AND "id" IN (
10+
SELECT DISTINCT "organization_id"
11+
FROM "sso_provider"
12+
WHERE "organization_id" IS NOT NULL
13+
);

0 commit comments

Comments
 (0)