improve backwards compat

Author: carderne

apps/webapp/app/services/apiAuth.server.ts

@@ -484,7 +484,7 @@ export async function authenticatedEnvironmentForAuthentication(
         );
       }
 
-      if (auth.result.environment.slug !== slug) {
+      if (auth.result.environment.slug !== slug && auth.result.environment.branchName !== resolvedBranch) {
         throw json(
           {
             error:
@@ -494,16 +494,6 @@ export async function authenticatedEnvironmentForAuthentication(
         );
       }
 
-      if (auth.result.environment.branchName !== resolvedBranch) {
-        throw json(
-          {
-            error:
-              "Invalid environment branch for this API key. Make sure you are using an API key associated with that environment.",
-          },
-          { status: 400 }
-        );
-      }
-
       return auth.result.environment;
     }
     case "personalAccessToken": {

apps/webapp/app/services/upsertBranch.server.ts

@@ -93,7 +93,7 @@ export class UpsertBranchService {
       // its parent's orgMemberId. Preview parents have no orgMember (orgMemberId is null).
       if (!parentEnvironment) {
         // This should never happen
-        if (env === "preview") {
+        if (env === "development") {
           return {
             success: false as const,
             error: "Error: No default dev runtime environment setup.",

apps/webapp/test/rbacFallbackBranch.test.ts

@@ -140,20 +140,6 @@ describe("RBAC fallback — DEVELOPMENT branch pivot", () => {
 });
 
 describe("RBAC fallback — branch header guards", () => {
-  postgresTest("a non-branchable env rejects a branch header", async ({ prisma }) => {
-    const { organization, project } = await createTestOrgProjectWithMember(prisma);
-    const rbac = makeController(prisma);
-
-    const prod = await createEnv(prisma, project.id, organization.id, { type: "PRODUCTION" });
-
-    const result = await rbac.authenticateBearer(bearerRequest(prod.apiKey, "some-branch"));
-
-    expect(result.ok).toBe(false);
-    if (result.ok) return;
-    expect(result.status).toBe(401);
-    expect(result.error).toContain("preview and dev");
-  });
-
   // The "default" sentinel is DEVELOPMENT-only: it maps the dev root env to its
   // (branchless) self. For PREVIEW, "default" is an ordinary branch name, so a
   // PREVIEW branch literally named "default" is reachable and the request pivots

internal-packages/rbac/src/fallback.ts

@@ -192,45 +192,37 @@ class RoleBaseAccessFallbackController implements RoleBaseAccessController {
       return { ok: false, status: 401, error: "Invalid API key" };
     }
 
-    // PREVIEW env requires a branch header; pivot to the child env so
-    // downstream code operates on the branch (its own id, but the
-    // parent's apiKey/orgMember/organization/project — exactly what
-    // findEnvironmentByApiKey does for the legacy auth path).
     if (env.type === "PREVIEW" && !branchName) {
       return {
         ok: false,
         status: 401,
         error: "x-trigger-branch header required for preview env",
       };
     }
-    // The "default" sentinel is DEVELOPMENT-only: it maps to the dev root env
-    // (which carries no branch), so we skip the pivot there. For PREVIEW,
-    // "default" is an ordinary branch name and must still pivot to its child.
-    const isDevRootSentinel = env.type === "DEVELOPMENT" && isDefaultDevBranch(branchName);
-    if (branchName !== null && !isDevRootSentinel) {
-      if (env.type !== "PREVIEW" && env.type !== "DEVELOPMENT") {
-        return {
-          ok: false,
-          status: 401,
-          error: "x-trigger-branch header can only be used with preview and dev envs",
+
+    if (env.type === "PREVIEW" || env.type === "DEVELOPMENT") {
+      // The "default" sentinel is DEVELOPMENT-only: it maps to the dev root env
+      // (which carries no branch), so we skip the pivot there. For PREVIEW,
+      // "default" is an ordinary branch name and must still pivot to its child.
+      const isDevRootSentinel = env.type === "DEVELOPMENT" && isDefaultDevBranch(branchName);
+      if (branchName !== null && !isDevRootSentinel) {
+        const child = env.childEnvironments?.[0];
+        if (!child) {
+          return { ok: false, status: 401, error: "No matching branch env" };
+        }
+        // Pivot to the child env: child's id/type/branchName, parent's
+        // apiKey/orgMember/organization/project. parentEnvironment is set
+        // explicitly here so the slim shape stays internally consistent.
+        env = {
+          ...child,
+          apiKey: env.apiKey,
+          orgMember: env.orgMember,
+          organization: env.organization,
+          project: env.project,
+          parentEnvironment: { id: env.id, apiKey: env.apiKey },
+          childEnvironments: [],
         };
       }
-      const child = env.childEnvironments?.[0];
-      if (!child) {
-        return { ok: false, status: 401, error: "No matching branch env" };
-      }
-      // Pivot to the child env: child's id/type/branchName, parent's
-      // apiKey/orgMember/organization/project. parentEnvironment is set
-      // explicitly here so the slim shape stays internally consistent.
-      env = {
-        ...child,
-        apiKey: env.apiKey,
-        orgMember: env.orgMember,
-        organization: env.organization,
-        project: env.project,
-        parentEnvironment: { id: env.id, apiKey: env.apiKey },
-        childEnvironments: [],
-      };
     }
 
     const subject: RbacSubject = {