From 68312971a8808f7a428d56361a03fa50b48f23b7 Mon Sep 17 00:00:00 2001 From: Kurt Overmier Date: Sat, 11 Apr 2026 06:52:27 -0500 Subject: [PATCH] =?UTF-8?q?fix(auth):=20accept=20ea=5F*=20prefix=20in=20is?= =?UTF-8?q?ApiKey=20=E2=80=94=20staleness=20bug=20from=20edge-auth=20migra?= =?UTF-8?q?tion?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The isApiKey() prefix sniffer only matched sb_live_*/sb_test_*, the legacy stackbilt-auth key format. When edge-auth took over as the ecosystem auth SoT and started minting ea_* keys, this check was never updated — so any ea_* bearer would fall through to the validateJwt path and fail, leaving ea_* API keys effectively unreachable through the gateway. Aligns with edge-auth's own resolvePrincipal at src/security/identity.ts:44, which already accepts all three prefixes. No functional change for existing sb_* keys; purely additive. Closes Stackbilt-dev/stackbilt-mcp-gateway#28 partially — OAuth default-scope fix still pending as Option A in that issue. Co-Authored-By: Claude Opus 4.6 (1M context) --- src/auth.ts | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/auth.ts b/src/auth.ts index 4bedc62..fb8e760 100644 --- a/src/auth.ts +++ b/src/auth.ts @@ -5,7 +5,15 @@ import type { AuthResult, AuthServiceRpc, Tier } from './types.js'; function isApiKey(token: string): boolean { - return token.startsWith('sb_live_') || token.startsWith('sb_test_'); + // Must match edge-auth's `resolvePrincipal` / `extractKeyPrefix` — edge-auth + // is the SoT for key format. The old `sb_*` checks are legacy from the + // pre-migration stackbilt-auth era and were never updated when edge-auth + // took over and started minting `ea_*` keys. + return ( + token.startsWith('ea_') || + token.startsWith('sb_live_') || + token.startsWith('sb_test_') + ); } function mapError(error?: string): string {
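Review bot: The new `isApiKey` body re-creates the drift hazard the commit message diagnoses — the accepted prefix list is hand-copied from edge-auth's `extractKeyPrefix` with only a comment asking future editors to keep it in sync, so the next prefix edge-auth mints will repeat #28 and silently route those bearers into `validateJwt`. Hoist the list into one named constant so there is a single place to update and something a test can compare against edge-auth: `const API_KEY_PREFIXES = ['ea_', 'sb_live_', 'sb_test_'] as const;` above the function, and `return API_KEY_PREFIXES.some((prefix) => token.startsWith(prefix));` as the body. Since this sniffer decides which credential path validates the bearer, add a regression test pinning both directions — `isApiKey('ea_x')` is true and a JWT-shaped token starting with `eyJ` is false — so a future prefix change cannot misroute tokens without a failing test. If edge-auth's `ea_` keys genuinely carry no environment qualifier (unlike `sb_live_`/`sb_test_`), a one-line note saying so would stop a reader from "fixing" the shorter prefix; I cannot confirm that from this hunk.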