fix: upsert permissions with slug or name colission

[chronark]

What does this PR do?

This PR fixes a bug in the permission handling by correctly using slug instead of name when filtering and creating permissions. The changes ensure that permissions are properly matched by their slug field rather than name, which aligns with the database schema design.

Fixes #(issue)

Type of change

• Bug fix (non-breaking change which fixes an issue)

How should this be tested?

• Test creating a key with permissions to verify they are properly stored and retrieved
• Test adding permissions to an existing key using both ID and slug-based references
• Verify that permission slugs are correctly used for lookups instead of names

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Summary by CodeRabbit

• Bug Fixes

  • Updated permission handling to consistently use permission slugs instead of names across relevant API endpoints and responses.
  • Removed unique constraint on permission names within workspaces to improve permission management.
  • Adjusted conflict error handling to reflect uniqueness of permission slugs instead of names.

• Tests

  • Enhanced tests to verify correct behavior when updating permissions multiple times, ensuring permissions remain properly associated with keys.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
dashboard	⬜️ Ignored (Inspect)	Visit Preview		Jul 31, 2025 7:51am
engineering	⬜️ Ignored (Inspect)	Visit Preview		Jul 31, 2025 7:51am

[changeset-bot]

⚠️ No Changeset found

Latest commit: eeb9e8b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

This change updates the permission identification logic in the API by replacing all uses of the "name" field with "slug" for permissions. Variable names, database queries, and response formats are adjusted accordingly. Associated tests are updated to verify idempotency in permission upserts. One function signature is updated to reflect the new parameter naming. Additionally, the unique constraint on name in the permissions table is removed from the database schema and internal declarations. A conflict test for duplicate permission slugs replaces the previous test for duplicate names.

Changes

Cohort / File(s)	Change Summary
API Route: Add Permissions apps/api/src/routes/v1_keys_addPermissions.ts	Replaces all references to permission "name" with "slug" for identification, updates variable names, query filters, and response construction accordingly.
API Route: Create Key apps/api/src/routes/v1_keys_createKey.ts	Updates logic to use permission "slug" instead of "name", renames variables, modifies queries, updates function signature to accept permissionsSlugs.
Test: Create Key apps/api/src/routes/v1_keys_createKey.happy.test.ts	Extends test to perform a second upsert of permissions, verifying idempotency and correct association after repeated requests.
Database Schema go/pkg/db/schema.sql, internal/db/src/schema/rbac.ts	Removes unique constraint on name and workspace_id in the permissions table, retaining unique constraint on slug and workspace_id.
Permission Conflict Test go/apps/api/routes/v2_permissions_create_permission/409_test.go	Modifies test to check conflict errors on duplicate permission slugs instead of names; removes test for case-insensitive name conflicts.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant API
    participant DB

    Client->>API: POST /v1/keys.createKey (with permission slugs)
    API->>DB: Query permissions by slug
    DB-->>API: Return matching permissions
    API->>DB: Create missing permissions (name & slug = slug)
    API->>DB: Associate permissions with key
    API-->>Client: Respond with key and associated permission slugs

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• feat: permission slug step 1 #3293: Introduces the initial database schema change adding a new optional slug column and unique index for permissions, which this PR builds upon.
• chore: make slugs required #3295: Also modifies permission identification to use slug instead of name, but in different files and contexts.

Suggested labels

Bug

Suggested reviewers

• perkinsjr
• mcstepp
• MichaelUnkey
• ogzhanolguncu
• chronark

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f17f17 and 8ef7394.

📒 Files selected for processing (1)

• go/apps/api/routes/v2_permissions_create_permission/409_test.go (3 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: chronark
PR: unkeyed/unkey#2146
File: apps/dashboard/lib/trpc/routers/api/setDefaultPrefix.ts:80-80
Timestamp: 2024-10-04T17:27:08.666Z
Learning: Ensure that audit log descriptions accurately reflect the action being performed, such as updating the `defaultPrefix`, and avoid incorrect references like 'name' when not applicable.

Learnt from: chronark
PR: unkeyed/unkey#3560
File: go/apps/api/routes/v2_keys_create_key/handler.go:353-466
Timestamp: 2025-07-15T14:25:05.608Z
Learning: In the Unkey codebase, input validation for API endpoints is handled at the OpenAPI schema layer, which validates request fields like permission slugs (pattern: "^[a-zA-Z0-9_]+$", length: 1-100 characters) before requests reach the handler code. This validation occurs during the zen.BindBody call in handlers.

go/apps/api/routes/v2_permissions_create_permission/409_test.go (2)

Learnt from: chronark
PR: #3560
File: go/apps/api/routes/v2_keys_create_key/handler.go:353-466
Timestamp: 2025-07-15T14:25:05.608Z
Learning: In the Unkey codebase, input validation for API endpoints is handled at the OpenAPI schema layer, which validates request fields like permission slugs (pattern: "^[a-zA-Z0-9_]+$", length: 1-100 characters) before requests reach the handler code. This validation occurs during the zen.BindBody call in handlers.

Learnt from: chronark
PR: #3560
File: go/apps/api/routes/v2_keys_create_key/handler.go:468-581
Timestamp: 2025-07-15T14:47:20.490Z
Learning: In the Unkey codebase, role and permission names are validated at the OpenAPI schema layer with strict regex patterns: role names must match "^[a-zA-Z][a-zA-Z0-9_-]*$" (start with letter, followed by letters/numbers/underscores/hyphens) and permission names must match "^[a-zA-Z0-9_]+$" (letters, numbers, underscores only). This validation occurs during zen.BindBody call before handlers run, preventing malicious or improperly formatted names from reaching auto-creation logic.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Test Agent Local / test_agent_local
• GitHub Check: Test Go API Local / Test
• GitHub Check: Test API / API Test Local

🔇 Additional comments (1)

go/apps/api/routes/v2_permissions_create_permission/409_test.go (1)

38-79: LGTM! Test correctly validates slug-based uniqueness.

The test case properly verifies that permissions are now uniquely identified by slug rather than name. Creating two permissions with the same slug but different names correctly triggers a 409 Conflict error, confirming the implementation aligns with the PR objectives.

The test structure is well-organized:

1. Creates the first permission successfully
2. Attempts to create a second permission with the same slug but different name
3. Verifies the expected 409 Conflict response
4. Confirms the error message indicates the resource "already exists"

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 07-30-fix_upsert_permissions_with_slug_or_name_colission

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[chronark]

• fix: upsert permissions with slug or name colission #3696 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Thank you for following the naming conventions for pull request titles! 🙏

[Flo4604]

can you also please drop the
uniqueNamePerWorkspaceIdx: unique("unique_name_per_workspace_idx") for the permissions from internal/db/src/schema/rbac.ts since we got rid of that

[chronark]

ah yes

[graphite-app]

[graphite-app]

Graphite Automations

"Post a GIF when PR approved" took an action on this PR • (07/30/25)

1 gif was posted to this PR based on Andreas Thomas's automation.

"Notify author when CI fails" took an action on this PR • (07/30/25)

1 teammate was notified to this PR based on Andreas Thomas's automation.