superset-sh · saddlepaddle · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/apps/api/src/lib/api-key-org.ts b/apps/api/src/lib/api-key-org.ts
@@ -0,0 +1,93 @@
+import type { auth as betterAuth } from "@superset/auth/server";
+import { db } from "@superset/db/client";
+import { members } from "@superset/db/schema";
+import { and, eq } from "drizzle-orm";
+
+const API_KEY_HEADER = "x-api-key";
+const BEARER_API_KEY_PREFIX = "sk_live_";
+
+function extractApiKey(req: Request): string | undefined {
+	const headerKey = req.headers.get(API_KEY_HEADER);
+	if (headerKey) return headerKey;
+
+	const authorization = req.headers.get("authorization");
+	const match = authorization?.match(/^Bearer\s+(.+)$/i);
+	const bearer = match?.[1];
+	if (bearer?.startsWith(BEARER_API_KEY_PREFIX)) return bearer;
+
+	return undefined;
+}
+
+function parseApiKeyMetadata(
+	metadata: unknown,
+): Record<string, unknown> | null {
+	if (!metadata) return null;
+
+	if (typeof metadata === "string") {
+		try {
+			const parsed = JSON.parse(metadata);
+			return parsed && typeof parsed === "object"
+				? (parsed as Record<string, unknown>)
+				: null;
+		} catch {
+			return null;
+		}
+	}
+
+	return typeof metadata === "object"
+		? (metadata as Record<string, unknown>)
+		: null;
+}
+
+export type ApiKeyResolution =
+	| { kind: "not-api-key" }
+	| { kind: "no-organization-metadata" }
+	| { kind: "ok"; organizationId: string }
+	| { kind: "invalid" };
+
+/**
+ * Resolve the organization an api-key-authed request should operate
+ * against. api keys created via `apiKeyRouter.create` store their
+ * intended org in `metadata.organizationId`. Without this, the
+ * api-key-synthesized session has no `activeOrganizationId` and
+ * falls through to the default newest-membership resolver, which
+ * silently routes requests to the wrong org when a user belongs to
+ * more than one.
+ *
+ * Kinds:
+ *   - `not-api-key`             — request is not api-key authed; caller should use session as-is
+ *   - `no-organization-metadata` — legacy key without org metadata; caller should use session as-is
+ *   - `ok`                      — key's org is valid and user is still a member; caller should override active org
+ *   - `invalid`                 — key verification failed OR user is no longer a member of the key's org; caller should deny the request
+ */
+export async function resolveApiKey(
+	req: Request,
+	auth: typeof betterAuth,
+	userId: string,
+): Promise<ApiKeyResolution> {
+	const apiKey = extractApiKey(req);
+	if (!apiKey) return { kind: "not-api-key" };
+
+	try {
+		const result = await auth.api.verifyApiKey({ body: { key: apiKey } });
+		if (!result.valid || !result.key) return { kind: "invalid" };
+
+		const metadata = parseApiKeyMetadata(result.key.metadata);
+		const organizationId = metadata?.organizationId;
+		if (typeof organizationId !== "string") {
+			return { kind: "no-organization-metadata" };
+		}
+
+		const membership = await db.query.members.findFirst({
+			where: and(
+				eq(members.userId, userId),
+				eq(members.organizationId, organizationId),
+			),
+		});
+		if (!membership) return { kind: "invalid" };
+
+		return { kind: "ok", organizationId };
+	} catch {
+		return { kind: "invalid" };
+	}
+}
diff --git a/apps/api/src/trpc/context.ts b/apps/api/src/trpc/context.ts
@@ -1,5 +1,6 @@
 import { auth } from "@superset/auth/server";
 import { createTRPCContext } from "@superset/trpc";
+import { resolveApiKey } from "@/lib/api-key-org";
 
 export const createContext = async ({
 	req,
@@ -10,8 +11,19 @@ export const createContext = async ({
 	const session = await auth.api.getSession({
 		headers: req.headers,
 	});
+
+	let effectiveSession = session;
+	if (session) {
+		const resolution = await resolveApiKey(req, auth, session.user.id);
+		if (resolution.kind === "ok") {
+			session.session.activeOrganizationId = resolution.organizationId;
+		} else if (resolution.kind === "invalid") {
+			effectiveSession = null;
+		}
+	}
+
 	return createTRPCContext({
-		session,
+		session: effectiveSession,
 		auth,
 		headers: req.headers,
 	});

diff --git a/packages/cli/scripts/build-dist.ts b/packages/cli/scripts/build-dist.ts
@@ -232,8 +232,10 @@ function copyNativePackages(libDir: string, target: Target): void {
  *
  * 1. `better-sqlite3`: download the Node-ABI prebuild from GitHub and
  *    overwrite `build/Release/better_sqlite3.node`.
- * 2. `node-pty`: delete `build/Release/` so the `bindings` loader falls
- *    through to the N-API prebuild in `prebuilds/<target>/pty.node`.
+ * 2. `node-pty`: on darwin, fall back to the in-package N-API prebuild
+ *    by removing `build/`. On linux-x64 there is no upstream prebuild,
+ *    so rebuild from source via node-gyp; node-pty uses node-addon-api
+ *    so the resulting binding is ABI-stable across Node versions.
  */
 async function fixNativeBinariesForNode(
 	libDir: string,
@@ -262,7 +264,22 @@ async function fixNativeBinariesForNode(
 		join(bsqDest, "better_sqlite3.node"),
 	);
 
-	const nodePtyBuild = join(destModules, "node-pty", "build");
+	const nodePtyDir = join(destModules, "node-pty");
+	const nodePtyBuild = join(nodePtyDir, "build");
+
+	if (target === "linux-x64") {
+		if (existsSync(nodePtyBuild)) {
+			rmSync(nodePtyBuild, { recursive: true, force: true });
+		}
+		console.log("[build-dist] compiling node-pty from source for linux-x64");
+		await exec("npx", ["--yes", "node-gyp", "rebuild"], nodePtyDir);
+		const builtBinding = join(nodePtyBuild, "Release", "pty.node");
+		if (!existsSync(builtBinding)) {
+			throw new Error(`node-pty build did not produce ${builtBinding}`);
+		}
+		return;
+	}
+
 	if (existsSync(nodePtyBuild)) {
 		console.log(
 			"[build-dist] removing node-pty build/ so bindings falls back to prebuilds/",

diff --git a/packages/cli/src/lib/api-client.ts b/packages/cli/src/lib/api-client.ts
@@ -16,7 +16,9 @@ export function createApiClient(
 				url: `${getApiUrl(config)}/api/trpc`,
 				transformer: SuperJSON,
 				headers() {
-					return { Authorization: `Bearer ${opts.bearer}` };
+					return opts.bearer.startsWith("sk_live_")
+						? { "x-api-key": opts.bearer }
+						: { Authorization: `Bearer ${opts.bearer}` };
 				},
 			}),
 		],

diff --git a/packages/host-service/src/providers/auth/JwtAuthProvider/JwtAuthProvider.ts b/packages/host-service/src/providers/auth/JwtAuthProvider/JwtAuthProvider.ts
@@ -28,7 +28,9 @@ export class JwtApiAuthProvider implements ApiAuthProvider {
 		}
 
 		const response = await fetch(`${this.apiUrl}/api/auth/token`, {
-			headers: { Authorization: `Bearer ${this.sessionToken}` },
+			headers: this.sessionToken.startsWith("sk_live_")
+				? { "x-api-key": this.sessionToken }
+				: { Authorization: `Bearer ${this.sessionToken}` },
 		});
 		if (!response.ok) {
 			throw new Error(`Failed to mint JWT: ${response.status}`);