The project API key allowlist resolver was returning an empty list when the new join-table rows were missing, causing legacy-only IP restrictions to be ignored and effectively allowing restricted keys to be used from any IP.
Description
Change resolveProjectApiKeyAllowedIps to prefer apiKeyAllowedIps (join table) but fall back to the legacy allowedIps scalar when no join rows are present, and update the unit tests to cover join-table precedence, legacy fallback, and the no-allowlist case.
Testing
Ran the resolver unit tests with pnpm exec vitest run --config vitest.unit.config.ts src/lib/apiKeys/dbUtils/resolve_allowed_ips.unit.test.ts and all tests passed.
@kaavee315checks…codex/fix-legacy-api-key-ip-allowlist-issue → master2 files · +19 −3updated 3d ago