fix(webapp): migrate Sessions routes to new createLoaderApiRoute auth shape

ericallam · ericallam · commit 84c717cf128d · 2026-05-12T20:07:43.000+01:00
The auth-consolidation commit on main rewrote createLoaderApiRoute's
authorization contract:
- `resource` returns a typed RbacResource ({ type, id }) instead of an
  untyped record ({ deployments: 'current' } / { sessions: [...] })
- multi-resource auth uses `anyResource(...)` instead of an array literal
- `superScopes` is no longer a field — super-scopes are resolved at the
  JWT ability layer
- the `findResource` resolver must return `T | undefined`, not `T | null`

Our Sessions PR added two routes (api.v1.deployments.current.ts and
realtime.v1.sessions.$session.$io.records.ts) using the pre-consolidation
shape. The rebase had no textual conflict because the files didn't exist
on main, but typecheck fails because the new contract doesn't accept the
old shape. Migrate both routes to match.
diff --git a/apps/webapp/app/routes/api.v1.deployments.current.ts b/apps/webapp/app/routes/api.v1.deployments.current.ts
@@ -8,8 +8,7 @@ export const loader = createLoaderApiRoute(
     corsStrategy: "none",
     authorization: {
       action: "read",
-      resource: () => ({ deployments: "current" }),
-      superScopes: ["read:deployments", "read:all", "admin"],
+      resource: () => ({ type: "deployments", id: "current" }),
     },
     findResource: async (_params, auth) => {
       const promotion = await $replica.workerDeploymentPromotion.findFirst({
@@ -35,7 +34,7 @@ export const loader = createLoaderApiRoute(
         },
       });
 
-      return promotion?.deployment ?? null;
+      return promotion?.deployment ?? undefined;
     },
   },
   async ({ resource: deployment }) => {
diff --git a/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.records.ts b/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.records.ts
@@ -8,7 +8,7 @@ import {
   resolveSessionByIdOrExternalId,
 } from "~/services/realtime/sessions.server";
 import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import { anyResource, createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
   session: z.string(),
@@ -58,15 +58,18 @@ const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
+      // Multi-key: the channel is addressable by the URL key, the row's
+      // friendlyId, and (if set) externalId. Type-level `read:sessions`
+      // matches any of them; `read:all` / `admin` bypass via the JWT
+      // ability's wildcard branches.
       resource: ({ row, addressingKey }) => {
         const ids = new Set<string>([addressingKey]);
         if (row) {
           ids.add(row.friendlyId);
           if (row.externalId) ids.add(row.externalId);
         }
-        return { sessions: [...ids] };
+        return anyResource([...ids].map((id) => ({ type: "sessions", id })));
       },
-      superScopes: ["read:sessions", "read:all", "admin"],
     },
   },
   async ({ params, authentication, resource, searchParams }) => {
