Merge pull request #201 from clerk/jigarp/user-4157-fix-api-key-request-state-mapping

fix: Correctly return either org_id or user_id when using api_key token type

Author: jigar-clerk

src/clerk_backend_api/security/types.py

@@ -279,9 +279,17 @@ def to_auth(self) -> AuthObject:
                                               name=self.payload.get('name'),
                                               scopes=self.payload.get('scopes'))
             if token_type == TokenType.API_KEY:
+                subject = self.payload.get('subject')
+                user_id = None
+                org_id = None
+                if subject:
+                    if subject.startswith('user_'):
+                        user_id = subject
+                    elif subject.startswith('org_'):
+                        org_id = subject
                 return APIKeyMachineAuthObject(id=self.payload.get('id'),
-                                                user_id=self.payload.get('subject'),
-                                                org_id=self.payload.get('org_id'),
+                                                user_id=user_id,
+                                                org_id=org_id,
                                                 name=self.payload.get('name'),
                                                 scopes=self.payload.get('scopes'),
                                                 claims=self.payload.get('claims'))

tests/test_authenticate_request.py

@@ -369,6 +369,55 @@ def test_api_key_machine_auth_token(mock_verify_token):
     assert api_key_machine_auth_object.claims == {"foo": "bar"}
 
 
+@patch("clerk_backend_api.security.authenticaterequest.verify_token", autospec=True)
+def test_api_key_machine_auth_token_with_org_subject(mock_verify_token):
+    """Test that API key with org_ prefixed subject maps to org_id, not user_id."""
+    mock_verify_token.return_value = {
+      "object": "api_key",
+      "id": "ak_3beecc9c60adb5f9b850e91a8ee1e992",
+      "type": "api_key",
+      "subject": "org_2xhFjEI5X2qWRvtV13BzSj8H6Dk",
+      "name": "ORG_API_KEY",
+      "description": "This is an org-level API Key",
+      "claims": {
+        "foo": "bar"
+      },
+      "scopes": [
+        "read",
+        "write"
+      ],
+      "revoked": False,
+      "revocation_reason": "Revoked by user",
+      "expired": False,
+      "expiration": 1716883200,
+      "created_by": "user_2xhFjEI5X2qWRvtV13BzSj8H6Dk",
+      "last_used_at": 1716883200,
+      "created_at": 1716883200,
+      "updated_at": 1716883200
+    }
+
+    request = MockRequest(headers=make_headers(auth_token="ak_0ef5a7a33d87ed87ee7954c845d80450"))
+    opts = AuthenticateRequestOptions(
+        secret_key=None,
+        jwt_key=None,
+        audience="test-audience",
+        authorized_parties=["https://example.com"],
+        clock_skew_in_ms=5000,
+        accepts_token=["api_key"])
+    state = authenticate_request(request, opts)
+    assert state.is_authenticated
+    assert state.token == "ak_0ef5a7a33d87ed87ee7954c845d80450"
+    api_key_machine_auth_object = state.to_auth()
+
+    assert api_key_machine_auth_object is not None
+    assert api_key_machine_auth_object.token_type.value == "api_key"
+    assert api_key_machine_auth_object.id == "ak_3beecc9c60adb5f9b850e91a8ee1e992"
+    assert api_key_machine_auth_object.user_id is None
+    assert api_key_machine_auth_object.org_id == "org_2xhFjEI5X2qWRvtV13BzSj8H6Dk"
+    assert api_key_machine_auth_object.name == "ORG_API_KEY"
+    assert api_key_machine_auth_object.claims == {"foo": "bar"}
+
+
 @patch("clerk_backend_api.security.authenticaterequest.verify_token", autospec=True)
 def test_m2m_machine_auth_token(mock_verify_token):
     mock_verify_token.return_value = {