Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Missed userId-to-referenceId migration in auth helper
  - Changed userId to referenceId in the type annotation and property access in app/api/e2/helper/main.ts to match the better-auth v1.5.0 API key verification response structure.
Or push these changes by commenting:
@cursor push ebbc8c23c0
Preview (ebbc8c23c0)
diff --git a/app/api/e2/helper/main.ts b/app/api/e2/helper/main.ts
--- a/app/api/e2/helper/main.ts
+++ b/app/api/e2/helper/main.ts
@@ -70,14 +70,14 @@
?.replace("Bearer ", "");
if (apiKey) {
- const apiKeyResult = (await (auth.api as any).verifyApiKey({
- body: {
- key: apiKey,
- },
- })) as { valid: boolean; key?: { userId: string } } | null;
+ const apiKeyResult = (await (auth.api as any).verifyApiKey({
+ body: {
+ key: apiKey,
+ },
+ })) as { valid: boolean; key?: { referenceId: string } } | null;
- if (apiKeyResult?.key?.userId) {
- userId = apiKeyResult.key.userId;
+ if (apiKeyResult?.key?.referenceId) {
+ userId = apiKeyResult.key.referenceId;
console.log("🔑 [V2] Auth Type: API_KEY");
console.log("🔑 [V2] API Key:", apiKey);
console.log("✅ Authenticated via API key:", userId);| "atmn": "^0.0.22", | ||
| "autumn-js": "0.1.48", | ||
| "better-auth": "^1.4.4", | ||
| "better-auth": "^1.5.0", |
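Review bot: The context line console.log("🔑 [V2] API Key:", apiKey) in the app/api/e2/helper/main.ts hunk writes the full bearer credential to the server log on each successful API-key authentication; remove it, or log only a short prefix or a hash of the key. On the changed lines, the (auth.api as any) cast together with the hand-written as { valid: boolean; key?: { referenceId: string } } assertion means the compiler cannot flag a field rename like this one, so the result should be typed from the library's exported types where they exist, or validated at runtime. The ?.replace("Bearer ", "") at the top of the hunk also passes a header without the Bearer prefix through unchanged; check the scheme explicitly before treating the value as a key.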
Missed userId-to-referenceId migration in auth helper
High Severity
The better-auth upgrade to ^1.5.0 with the new @better-auth/api-key package changes the verified key object to use referenceId instead of userId. Two auth files (app/api/e2/lib/auth.ts, lib/auth/v2-auth.ts) were migrated, but app/api/e2/helper/main.ts still accesses key.userId on lines 77–80. API key authentication through that code path will silently fail, treating valid API keys as unauthenticated.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| apiSession?.key?.referenceId | ||
| ) { | ||
| userId = apiSession.key.userId; | ||
| userId = apiSession.key.referenceId; |
Incomplete userId to referenceId migration breaks API auth
High Severity
The migration from better-auth/plugins to @better-auth/api-key@^1.5.0 renames key.userId to key.referenceId in the verifyApiKey response. Two auth files were updated, but app/api/e2/helper/main.ts (line 77–80) still reads apiKeyResult.key.userId, which will now be undefined. This causes the validateRequest function (used by app/api/internal/search/route.ts) to silently reject all valid API key authentications with a 401 "Unauthorized" error.
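An added example, not code from this repository or from better-auth: one way to map the verifyApiKey result to a user id so that a renamed owner field is reported as a server-side fault instead of the silent 401 described in the review comments. The function and type names are hypothetical, the response shape is the one in the diff's type annotation, and the sample responses are constructed.

```typescript
// Added example; resolveApiKeyPrincipal and ApiKeyAuthOutcome are hypothetical names.
// Assumed response shape (from the diff's type annotation):
//   { valid: boolean; key?: { referenceId: string } } | null, with userId before 1.5.0.
type ApiKeyAuthOutcome =
  | { ok: true; userId: string }
  | { ok: false; status: 401 | 500; reason: string };

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null;
}

function resolveApiKeyPrincipal(result: unknown): ApiKeyAuthOutcome {
  // The call site casts auth.api to any, so validate the shape at runtime.
  const key = isRecord(result) && result.valid === true ? result.key : undefined;
  if (!isRecord(key)) {
    return { ok: false, status: 401, reason: "invalid_key" };
  }
  const { referenceId, userId } = key;
  if (typeof referenceId === "string" && referenceId.length > 0) {
    return { ok: true, userId: referenceId };
  }
  // The key verified but has no usable owner field: still deny, but report it
  // as a server fault so a missed rename shows up in monitoring, not as a 401.
  const legacy = typeof userId === "string" && userId.length > 0;
  return {
    ok: false,
    status: 500,
    reason: legacy ? "legacy_userId_shape" : "missing_referenceId",
  };
}

// Constructed sample responses, not captured from a real better-auth instance.
const sampleResponses: Array<[string, unknown]> = [
  ["current", { valid: true, key: { referenceId: "user_123" } }],
  ["legacy", { valid: true, key: { userId: "user_123" } }],
  ["rejected", { valid: false }],
  ["null", null],
];

for (const [name, response] of sampleResponses) {
  console.log(name, JSON.stringify(resolveApiKeyPrincipal(response)));
}
```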



Note
High Risk
Touches authentication (API key identity mapping and Better Auth plugin upgrades) and outbound email delivery paths (SES client creation, tenant tracking, webhook payload sizing), so mistakes could break access control or sending/monitoring.
Overview
Email sending & webhooks: Replaces per-file SES client setup with a shared cached getSesClient/requireSesClient, and refactors the QStash send-email webhook to reuse new helpers for tenant resolution (resolveTenantInfo), SES command construction (buildSesCommand), and attachment normalization (normalizeAttachments). Webhook delivery payload creation/size-stripping logic is extracted into webhook-payload.ts.

Auth & API keys: Updates API-key-derived user identification to use key.referenceId (instead of key.userId) across v2/e2 auth helpers, upgrades Better Auth and adds dash/sentinel infra plugins, and adjusts settings hooks/queries to match the new apiKey.list() response shape (data.apiKeys).

Utilities & tests: Introduces shared email-utils and attachment-utils (and replaces ad-hoc parsing/validation in several modules), exports internal helpers for testing, and adds Bun tests covering agent email detection, DSN parsing/bounce subtype mapping, spike detection, warmup limits, attachments, email utils, and guard rule matching.

Written by Cursor Bugbot for commit aeb43fe. This will update automatically on new commits.