fix: api key revocation

Author: haritabh-z01

apps/webapp/src/components/settings/product/product-secrets-card.tsx

@@ -3,11 +3,7 @@
 import { useState } from "react";
 import { Copy, Eye, EyeOff } from "lucide-react";
 import { toast } from "sonner";
-import {
-  Card,
-  CardContent,
-  CardFooter,
-} from "@refref/ui/components/card";
+import { Card, CardContent, CardFooter } from "@refref/ui/components/card";
 import { Button } from "@refref/ui/components/button";
 import { Input } from "@refref/ui/components/input";
 import { Label } from "@refref/ui/components/label";

apps/webapp/src/server/api/routers/api-keys.ts

@@ -5,6 +5,7 @@ import {
   ensureServiceAccountForOrganization,
   getApiKeysForOrganization,
   validateApiKeyPermission as validateOrgApiKeyPermission,
+  deleteApiKeyForOrganization,
 } from "@refref/coredb";
 import { auth } from "@/lib/auth";
 
@@ -156,12 +157,20 @@ export const apiKeysRouter = createTRPCRouter({
         });
       }
 
-      // Delete the API key using Better Auth
-      await auth.api.deleteApiKey({
-        body: {
-          keyId: input.keyId,
-        },
-      });
+      // Delete the API key directly from the database
+      // (Better Auth's deleteApiKey requires ownership match, but keys belong to service account)
+      const deleted = await deleteApiKeyForOrganization(
+        ctx.db,
+        ctx.activeOrganizationId,
+        input.keyId,
+      );
+
+      if (!deleted) {
+        throw new TRPCError({
+          code: "NOT_FOUND",
+          message: "API key not found or does not belong to this organization",
+        });
+      }
 
       return { success: true };
     }),

packages/coredb/src/lib/organization-service-account.ts

@@ -219,6 +219,35 @@ export async function validateApiKeyPermission(
   return userRole === "admin" || userRole === "owner";
 }
 
+/**
+ * Delete an API key for an organization
+ * Verifies the key belongs to the organization's service account before deletion
+ * @returns true if deleted, false if not found or doesn't belong to organization
+ */
+export async function deleteApiKeyForOrganization(
+  db: PostgresJsDatabase<any>,
+  organizationId: string,
+  keyId: string,
+): Promise<boolean> {
+  // Get service account for this organization
+  const serviceAccount = await findServiceAccountForOrganization(
+    db,
+    organizationId,
+  );
+
+  if (!serviceAccount) {
+    return false;
+  }
+
+  // Delete the key only if it belongs to the organization's service account
+  const result = await db
+    .delete(apikey)
+    .where(and(eq(apikey.id, keyId), eq(apikey.userId, serviceAccount.id)))
+    .returning({ id: apikey.id });
+
+  return result.length > 0;
+}
+
 /**
  * Clean up old product service accounts (migration helper)
  */

packages/widget/src/widget/index.tsx

@@ -67,7 +67,9 @@ function mountWidget() {
     // Reset inherited properties at shadow boundary, then apply widget styles
     // @link https://github.com/tailwindlabs/tailwindcss/discussions/1935
     const sheet = new CSSStyleSheet();
-    sheet.replaceSync(`:host { all: initial; }\n` + styles.replaceAll(":root", ":host"));
+    sheet.replaceSync(
+      `:host { all: initial; }\n` + styles.replaceAll(":root", ":host"),
+    );
 
     // Apply CSS variable overrides from actual config
     if (config.cssVariables && Object.keys(config.cssVariables).length > 0) {