fix: API key authentication and REST handler errors (#446)

hjball · web-flow · commit 67cf523ee89b · 2026-03-19T12:20:19.000Z
diff --git a/apps/docs/api-reference/introduction.mdx b/apps/docs/api-reference/introduction.mdx
@@ -11,10 +11,10 @@ https://kan.bn/api/v1
 
 ## Authentication
 
-Most endpoints require authentication using your API key. You can create one in the [settings page](https://kan.bn/settings) of your account. Include this key in the `x-api-key` header of each request.
+Most endpoints require authentication using your API key. You can create one in the [settings page](https://kan.bn/settings) of your account. Include this key as a Bearer token in the `Authorization` header of each request.
 
 ```
-'x-api-key': kan_123456789
+'Authorization': 'Bearer kan_123456789'
 ```
 
 ## Response codes
diff --git a/packages/api/src/routers/integration.ts b/packages/api/src/routers/integration.ts
@@ -19,6 +19,7 @@ import { encryptToken } from "../utils/encryption";
 export const integrationRouter = createTRPCRouter({
   saveGitHubToken: protectedProcedure
     .input(z.object({ token: z.string() }))
+    .output(z.object({ success: z.boolean() }))
     .mutation(async ({ ctx, input }) => {
       const user = ctx.user;
 
@@ -43,7 +44,9 @@ export const integrationRouter = createTRPCRouter({
       return { success: true };
     }),
 
-  disconnectGitHub: protectedProcedure.mutation(async ({ ctx }) => {
+  disconnectGitHub: protectedProcedure
+    .output(z.object({ success: z.boolean() }))
+    .mutation(async ({ ctx }) => {
     const user = ctx.user;
 
     if (!user)
@@ -56,7 +59,9 @@ export const integrationRouter = createTRPCRouter({
     return { success: true };
   }),
 
-  getGitHubStatus: protectedProcedure.query(async ({ ctx }) => {
+  getGitHubStatus: protectedProcedure
+    .output(z.object({ connected: z.boolean() }))
+    .query(async ({ ctx }) => {
     const user = ctx.user;
 
     if (!user)
diff --git a/packages/api/src/trpc.ts b/packages/api/src/trpc.ts
@@ -137,9 +137,7 @@ const loggingMiddleware = t.middleware(async ({ path, type, next, ctx }) => {
   return result;
 });
 
-export const publicProcedure = t.procedure.use(loggingMiddleware).meta({
-  openapi: { method: "GET", path: "/public" },
-});
+export const publicProcedure = t.procedure.use(loggingMiddleware);
 
 const enforceUserIsAuthed = t.middleware(async ({ ctx, next }) => {
   if (!ctx.user) {
@@ -163,13 +161,7 @@ const enforceUserIsAdmin = t.middleware(async ({ ctx, next }) => {
 
 export const protectedProcedure = t.procedure
   .use(loggingMiddleware)
-  .use(enforceUserIsAuthed)
-  .meta({
-    openapi: {
-      method: "GET",
-      path: "/protected",
-    },
-  });
+  .use(enforceUserIsAuthed);
 
 export const adminProtectedProcedure = t.procedure
   .use(loggingMiddleware)
diff --git a/packages/auth/src/plugins.ts b/packages/auth/src/plugins.ts
@@ -165,6 +165,13 @@ export function createPlugins(db: dbClient) {
       : []),
     apiKey({
       enableSessionForAPIKeys: true,
+      customAPIKeyGetter: (ctx) => {
+        const authorization = ctx.headers?.get("authorization");
+        if (authorization?.startsWith("Bearer ")) {
+          return authorization.slice(7);
+        }
+        return ctx.headers?.get("x-api-key") ?? undefined;
+      },
       rateLimit: {
         enabled: true,
         timeWindow: 1000 * 60, // 1 minute
