security fixes in convex, and prepped to ship issue fixes

Author: bmdavis419

ISSUE_IMPLEMENTATION_PLAN.md

@@ -1,7 +1,7 @@
 {
 	"name": "btca",
 	"author": "Ben Davis",
-	"version": "1.0.51",
+	"version": "1.0.52",
 	"homepage": "https://btca.dev",
 	"description": "CLI tool for asking questions about technologies using btca server",
 	"type": "module",
@@ -41,8 +41,8 @@
 	"devDependencies": {
 		"@btca/shared": "workspace:*",
 		"btca-server": "workspace:*",
-		"@opentui/core": "^0.1.65",
-		"@opentui/solid": "^0.1.65",
+		"@opentui/core": "0.1.65",
+		"@opentui/solid": "0.1.65",
 		"@shikijs/langs": "^3.20.0",
 		"@shikijs/themes": "^3.20.0",
 		"@types/bun": "latest",

apps/cli/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "btca-server",
-	"version": "1.0.50",
+	"version": "1.0.52",
 	"description": "BTCA server for answering questions about your codebase using OpenCode AI",
 	"author": "Ben Davis",
 	"license": "MIT",

apps/server/package.json

@@ -12,6 +12,7 @@ import type * as analytics from "../analytics.js";
 import type * as analyticsEvents from "../analyticsEvents.js";
 import type * as apiHelpers from "../apiHelpers.js";
 import type * as apiKeys from "../apiKeys.js";
+import type * as authHelpers from "../authHelpers.js";
 import type * as crons from "../crons.js";
 import type * as http from "../http.js";
 import type * as instances_actions from "../instances/actions.js";
@@ -41,6 +42,7 @@ declare const fullApi: ApiFromModules<{
   analyticsEvents: typeof analyticsEvents;
   apiHelpers: typeof apiHelpers;
   apiKeys: typeof apiKeys;
+  authHelpers: typeof authHelpers;
   crons: typeof crons;
   http: typeof http;
   "instances/actions": typeof instances_actions;

apps/web/src/convex/_generated/api.d.ts

@@ -23,12 +23,14 @@ type NestedApi = typeof api & {
 type NestedInternal = typeof internal & {
 	'scheduled/queries': InternalQueryRecord;
 	'instances/actions': InternalActionRecord;
+	'instances/queries': InternalQueryRecord;
 };
 
 type InstancesApi = {
 	queries: PublicQueryRecord;
 	mutations: PublicMutationRecord;
 	actions: PublicActionRecord;
+	internalQueries: InternalQueryRecord;
 	internalActions: InternalActionRecord;
 };
 
@@ -40,6 +42,7 @@ export const instances: InstancesApi = {
 	queries: (api as NestedApi)['instances/queries'],
 	mutations: (api as NestedApi)['instances/mutations'],
 	actions: (api as NestedApi)['instances/actions'],
+	internalQueries: (internal as NestedInternal)['instances/queries'],
 	internalActions: (internal as NestedInternal)['instances/actions']
 };
 

apps/web/src/convex/apiHelpers.ts

@@ -3,13 +3,19 @@ import { v } from 'convex/values';
 
 import { internal } from './_generated/api';
 import { AnalyticsEvents } from './analyticsEvents';
+import { getAuthenticatedInstance, requireApiKeyOwnership } from './authHelpers';
+
+/**
+ * List API keys for the authenticated user's instance
+ */
+export const list = query({
+	args: {},
+	handler: async (ctx) => {
+		const instance = await getAuthenticatedInstance(ctx);
 
-export const listByUser = query({
-	args: { userId: v.id('instances') },
-	handler: async (ctx, args) => {
 		const keys = await ctx.db
 			.query('apiKeys')
-			.withIndex('by_instance', (q) => q.eq('instanceId', args.userId))
+			.withIndex('by_instance', (q) => q.eq('instanceId', instance._id))
 			.collect();
 
 		return keys.map((k) => ({
@@ -24,37 +30,37 @@ export const listByUser = query({
 	}
 });
 
+/**
+ * Create an API key for the authenticated user's instance
+ */
 export const create = mutation({
 	args: {
-		userId: v.id('instances'),
 		name: v.string()
 	},
 	handler: async (ctx, args) => {
-		const instance = await ctx.db.get(args.userId);
+		const instance = await getAuthenticatedInstance(ctx);
 
 		const key = generateApiKey();
 		const keyHash = await hashApiKey(key);
 		const keyPrefix = key.slice(0, 8);
 
 		const id = await ctx.db.insert('apiKeys', {
-			instanceId: args.userId,
+			instanceId: instance._id,
 			name: args.name,
 			keyHash,
 			keyPrefix,
 			createdAt: Date.now()
 		});
 
-		if (instance) {
-			await ctx.scheduler.runAfter(0, internal.analytics.trackEvent, {
-				distinctId: instance.clerkId,
-				event: AnalyticsEvents.API_KEY_CREATED,
-				properties: {
-					instanceId: args.userId,
-					keyId: id,
-					keyName: args.name
-				}
-			});
-		}
+		await ctx.scheduler.runAfter(0, internal.analytics.trackEvent, {
+			distinctId: instance.clerkId,
+			event: AnalyticsEvents.API_KEY_CREATED,
+			properties: {
+				instanceId: instance._id,
+				keyId: id,
+				keyName: args.name
+			}
+		});
 
 		return { id, key };
 	}
@@ -69,29 +75,32 @@ function generateApiKey(): string {
 	return result;
 }
 
+/**
+ * Revoke an API key owned by the authenticated user
+ */
 export const revoke = mutation({
 	args: { keyId: v.id('apiKeys') },
 	handler: async (ctx, args) => {
-		const apiKey = await ctx.db.get(args.keyId);
-		const instance = apiKey ? await ctx.db.get(apiKey.instanceId) : null;
+		const { apiKey, instance } = await requireApiKeyOwnership(ctx, args.keyId);
 
 		await ctx.db.patch(args.keyId, {
 			revokedAt: Date.now()
 		});
 
-		if (instance && apiKey) {
-			await ctx.scheduler.runAfter(0, internal.analytics.trackEvent, {
-				distinctId: instance.clerkId,
-				event: AnalyticsEvents.API_KEY_REVOKED,
-				properties: {
-					instanceId: apiKey.instanceId,
-					keyId: args.keyId
-				}
-			});
-		}
+		await ctx.scheduler.runAfter(0, internal.analytics.trackEvent, {
+			distinctId: instance.clerkId,
+			event: AnalyticsEvents.API_KEY_REVOKED,
+			properties: {
+				instanceId: apiKey.instanceId,
+				keyId: args.keyId
+			}
+		});
 	}
 });
 
+/**
+ * Validate an API key (internal use - no auth required as this validates the key itself)
+ */
 export const validate = query({
 	args: { apiKey: v.string() },
 	handler: async (ctx, args) => {
@@ -124,6 +133,9 @@ export const validate = query({
 	}
 });
 
+/**
+ * Touch last used timestamp for an API key (internal use for tracking)
+ */
 export const touchLastUsed = mutation({
 	args: { keyId: v.id('apiKeys') },
 	handler: async (ctx, args) => {