@kuadrant/kuadrant-backstage-plugin-backend 0.2.1 → 0.3.0-aaa46b4

package/dist/router.cjs.js

@@ -23,6 +23,46 @@ function extractNameFromEntityRef(entityRef) {
   const parts = entityRef.split("/");
   return parts[parts.length - 1];
 }
+function getConsumerNamespace(userEntityRef) {
+  const username = extractNameFromEntityRef(userEntityRef);
+  if (!username || username.trim() === "") {
+    throw new Error("Invalid user identity - username is empty");
+  }
+  const sanitized = username.toLowerCase().replace(/[^a-z0-9-]/g, "-");
+  if (sanitized === "" || sanitized.startsWith("-") || sanitized.endsWith("-")) {
+    throw new Error(`Username "${username}" cannot be converted to valid namespace name`);
+  }
+  const hash = crypto.createHash("sha256").update(userEntityRef).digest("hex").substring(0, 8);
+  return `kuadrant-${sanitized}-${hash}`;
+}
+async function ensureConsumerNamespace(k8sClient, namespace) {
+  try {
+    await k8sClient.getNamespace(namespace);
+  } catch (error) {
+    const statusCode = error.statusCode || error.response?.statusCode || error.body?.code;
+    if (statusCode === 404) {
+      try {
+        await k8sClient.createNamespace({
+          apiVersion: "v1",
+          kind: "Namespace",
+          metadata: {
+            name: namespace,
+            labels: {
+              "devportal.kuadrant.io/consumer-namespace": "true"
+            }
+          }
+        });
+      } catch (createError) {
+        const createStatusCode = createError.statusCode || createError.response?.statusCode || createError.body?.code;
+        if (createStatusCode !== 409) {
+          throw createError;
+        }
+      }
+    } else {
+      throw error;
+    }
+  }
+}
 async function getUserIdentity(req, httpAuth, userInfo) {
   const credentials = await httpAuth.credentials(req);
   if (!credentials || !credentials.principal) {
@@ -233,8 +273,7 @@ async function createRouter({
         allRequests = await k8sClient$1.listCustomResources(
           "devportal.kuadrant.io",
           "v1alpha1",
-          "apikeys",
-          namespace
+          "apikeys"
         );
       } catch (error) {
         console.warn("failed to list apikeys during cascade delete:", error);
@@ -247,11 +286,12 @@ async function createRouter({
       const deletionResults = await Promise.allSettled(
         relatedRequests.map(async (request) => {
           const requestName = request.metadata.name;
-          console.log(`deleting apikey: ${namespace}/${requestName}`);
+          const requestNamespace = request.metadata.namespace;
+          console.log(`deleting apikey: ${requestNamespace}/${requestName}`);
           await k8sClient$1.deleteCustomResource(
             "devportal.kuadrant.io",
             "v1alpha1",
-            namespace,
+            requestNamespace,
             "apikeys",
             requestName
           );
@@ -489,14 +529,93 @@ async function createRouter({
       }
     }
   });
+  const secretSchema = zod.z.object({
+    name: zod.z.string().min(1),
+    apiKeyValue: zod.z.string().min(1)
+  });
+  router.post("/secrets", async (req, res) => {
+    try {
+      const parsed = secretSchema.safeParse(req.body);
+      if (!parsed.success) {
+        throw new errors.InputError(parsed.error.toString());
+      }
+      const credentials = await httpAuth.credentials(req);
+      const { userEntityRef } = await getUserIdentity(req, httpAuth, userInfo);
+      const consumerNamespace = getConsumerNamespace(userEntityRef);
+      const resourceRef = `secret:${consumerNamespace}/*`;
+      const decision = await permissions$1.authorize(
+        [{
+          permission: permissions.kuadrantApiKeyCreatePermission,
+          resourceRef
+        }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("not authorized to create secrets");
+      }
+      await ensureConsumerNamespace(k8sClient$1, consumerNamespace);
+      const { name, apiKeyValue } = parsed.data;
+      const secret = {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name,
+          namespace: consumerNamespace
+        },
+        type: "Opaque",
+        data: {
+          api_key: Buffer.from(apiKeyValue).toString("base64")
+        }
+      };
+      const created = await k8sClient$1.createSecret(consumerNamespace, secret);
+      res.status(201).json(created);
+    } catch (error) {
+      console.error("error creating secret:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else if (error instanceof errors.InputError) {
+        res.status(400).json({ error: error.message });
+      } else {
+        const errorMessage = error instanceof Error ? error.message : "failed to create secret";
+        res.status(500).json({ error: errorMessage });
+      }
+    }
+  });
+  router.delete("/secrets/:name", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const { userEntityRef } = await getUserIdentity(req, httpAuth, userInfo);
+      const { name } = req.params;
+      const consumerNamespace = getConsumerNamespace(userEntityRef);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiKeyCreatePermission, resourceRef: `secret:${consumerNamespace}/*` }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("not authorized to delete secrets");
+      }
+      await k8sClient$1.deleteSecret(consumerNamespace, name);
+      res.status(204).send();
+    } catch (error) {
+      console.error("error deleting secret:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        const errorMessage = error instanceof Error ? error.message : "failed to delete secret";
+        res.status(500).json({ error: errorMessage });
+      }
+    }
+  });
   const requestSchema = zod.z.object({
     apiProductName: zod.z.string(),
     // name of the APIProduct
     namespace: zod.z.string(),
-    // namespace where both APIProduct and APIKey live
+    // owner's namespace (where the APIProduct lives)
     planTier: zod.z.string(),
     useCase: zod.z.string().optional(),
-    userEmail: zod.z.string().optional()
+    userEmail: zod.z.string().optional(),
+    secretName: zod.z.string()
+    // frontend creates secret via POST /secrets first
   });
   router.post("/requests", async (req, res) => {
     const parsed = requestSchema.safeParse(req.body);
@@ -505,7 +624,7 @@ async function createRouter({
     }
     try {
       const credentials = await httpAuth.credentials(req);
-      const { apiProductName, namespace, planTier, useCase, userEmail } = parsed.data;
+      const { apiProductName, namespace, planTier, useCase, userEmail, secretName: frontendSecretName } = parsed.data;
       const { userEntityRef } = await getUserIdentity(req, httpAuth, userInfo);
       const resourceRef = `apiproduct:${namespace}/${apiProductName}`;
       const decision = await permissions$1.authorize(
@@ -518,23 +637,33 @@ async function createRouter({
       if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
         throw new errors.NotAllowedError(`not authorised to request access to ${apiProductName}`);
       }
+      const consumerNamespace = getConsumerNamespace(userEntityRef);
+      await ensureConsumerNamespace(k8sClient$1, consumerNamespace);
       const randomSuffix = crypto.randomBytes(4).toString("hex");
-      const userName = extractNameFromEntityRef(userEntityRef);
-      const requestName = `${userName}-${apiProductName}-${randomSuffix}`.toLowerCase().replace(/[^a-z0-9-]/g, "-");
+      const requestName = `${apiProductName}-${randomSuffix}`.toLowerCase().replace(/[^a-z0-9-]/g, "-");
       const requestedBy = { userId: userEntityRef };
       if (userEmail) {
         requestedBy.email = userEmail;
       }
+      if (!frontendSecretName) {
+        throw new errors.InputError("secretName is required - create the secret via POST /secrets first");
+      }
+      const secretName = frontendSecretName;
       const request = {
         apiVersion: "devportal.kuadrant.io/v1alpha1",
         kind: "APIKey",
         metadata: {
           name: requestName,
-          namespace
+          namespace: consumerNamespace
         },
         spec: {
           apiProductRef: {
-            name: apiProductName
+            name: apiProductName,
+            namespace
+            // cross-namespace reference to owner's APIProduct
+          },
+          secretRef: {
+            name: secretName
           },
           planTier,
           useCase: useCase || "",
@@ -544,7 +673,7 @@ async function createRouter({
       const created = await k8sClient$1.createCustomResource(
         "devportal.kuadrant.io",
         "v1alpha1",
-        namespace,
+        consumerNamespace,
         "apikeys",
         request
       );
@@ -578,11 +707,13 @@ async function createRouter({
       }
       const status = req.query.status;
       const namespace = req.query.namespace;
+      const apiProductName = req.query.apiProductName;
+      const apiProductNamespace = req.query.apiProductNamespace;
       let data;
       if (namespace) {
-        data = await k8sClient$1.listCustomResources("devportal.kuadrant.io", "v1alpha1", "apikeys", namespace);
+        data = await k8sClient$1.listCustomResources("devportal.kuadrant.io", "v1alpha1", "apikeyrequests", namespace);
       } else {
-        data = await k8sClient$1.listCustomResources("devportal.kuadrant.io", "v1alpha1", "apikeys");
+        data = await k8sClient$1.listCustomResources("devportal.kuadrant.io", "v1alpha1", "apikeyrequests");
       }
       let filteredItems = data.items || [];
       if (!canReadAll) {
@@ -596,9 +727,32 @@ async function createRouter({
           (req2) => ownedApiProducts.includes(req2.spec?.apiProductRef?.name)
         );
       }
+      if (apiProductName) {
+        filteredItems = filteredItems.filter(
+          (req2) => req2.spec?.apiProductRef?.name === apiProductName
+        );
+      }
+      if (apiProductNamespace) {
+        filteredItems = filteredItems.filter(
+          (req2) => req2.spec?.apiProductRef?.namespace === apiProductNamespace
+        );
+      }
       if (status) {
         filteredItems = filteredItems.filter((req2) => {
-          const phase = req2.status?.phase || "Pending";
+          let phase = "Pending";
+          if (req2.status?.conditions && req2.status.conditions.length > 0) {
+            const approved = req2.status.conditions.find(
+              (c) => c.type === "Approved" && c.status === "True"
+            );
+            if (approved) {
+              phase = "Approved";
+            } else {
+              const denied = req2.status.conditions.find(
+                (c) => c.type === "Denied" && c.status === "True"
+              );
+              if (denied) phase = "Denied";
+            }
+          }
           return phase === status;
         });
       }
@@ -623,16 +777,32 @@ async function createRouter({
         throw new errors.NotAllowedError("unauthorised");
       }
       const { userEntityRef } = await getUserIdentity(req, httpAuth, userInfo);
-      const namespace = req.query.namespace;
+      const apiProductName = req.query.apiProductName;
+      const apiProductNamespace = req.query.apiProductNamespace;
+      const consumerNs = getConsumerNamespace(userEntityRef);
       let data;
-      if (namespace) {
-        data = await k8sClient$1.listCustomResources("devportal.kuadrant.io", "v1alpha1", "apikeys", namespace);
-      } else {
-        data = await k8sClient$1.listCustomResources("devportal.kuadrant.io", "v1alpha1", "apikeys");
+      try {
+        data = await k8sClient$1.listCustomResources("devportal.kuadrant.io", "v1alpha1", "apikeys", consumerNs);
+      } catch (error) {
+        if (error.message?.includes("404") || error.statusCode === 404) {
+          res.json({ items: [] });
+          return;
+        }
+        throw error;
       }
-      const filteredItems = (data.items || []).filter(
+      let filteredItems = (data.items || []).filter(
         (req2) => req2.spec?.requestedBy?.userId === userEntityRef
       );
+      if (apiProductName) {
+        filteredItems = filteredItems.filter(
+          (req2) => req2.spec?.apiProductRef?.name === apiProductName
+        );
+      }
+      if (apiProductNamespace) {
+        filteredItems = filteredItems.filter(
+          (req2) => req2.spec?.apiProductRef?.namespace === apiProductNamespace
+        );
+      }
       res.json({ items: filteredItems });
     } catch (error) {
       console.error("error fetching user api key requests:", error);
@@ -660,13 +830,13 @@ async function createRouter({
         "devportal.kuadrant.io",
         "v1alpha1",
         namespace,
-        "apikeys",
+        "apikeyrequests",
         name
       );
       const spec = request.spec;
       const apiProductName = spec.apiProductRef?.name;
       if (!apiProductName) {
-        throw new errors.InputError("apiProductRef.name is required in APIKey spec");
+        throw new errors.InputError("apiProductRef.name is required in APIKeyRequest spec");
       }
       await verifyApiKeyUpdatePermission(
         credentials,
@@ -676,18 +846,27 @@ async function createRouter({
         k8sClient$1,
         permissions$1
       );
-      const status = {
-        phase: "Approved",
-        reviewedBy,
-        reviewedAt: (/* @__PURE__ */ new Date()).toISOString()
+      const approvalName = `${name}-approval-${crypto.randomBytes(4).toString("hex")}`;
+      const approval = {
+        apiVersion: "devportal.kuadrant.io/v1alpha1",
+        kind: "APIKeyApproval",
+        metadata: {
+          name: approvalName,
+          namespace
+        },
+        spec: {
+          apiKeyRequestRef: { name },
+          approved: true,
+          reviewedBy,
+          reviewedAt: (/* @__PURE__ */ new Date()).toISOString()
+        }
       };
-      await k8sClient$1.patchCustomResourceStatus(
+      await k8sClient$1.createCustomResource(
         "devportal.kuadrant.io",
         "v1alpha1",
         namespace,
-        "apikeys",
-        name,
-        status
+        "apikeyapprovals",
+        approval
       );
       res.json({ success: true });
     } catch (error) {
@@ -713,13 +892,13 @@ async function createRouter({
         "devportal.kuadrant.io",
         "v1alpha1",
         namespace,
-        "apikeys",
+        "apikeyrequests",
         name
       );
       const spec = request.spec;
       const apiProductName = spec.apiProductRef?.name;
       if (!apiProductName) {
-        throw new errors.InputError("apiProductRef.name is required in APIKey spec");
+        throw new errors.InputError("apiProductRef.name is required in APIKeyRequest spec");
       }
       await verifyApiKeyUpdatePermission(
         credentials,
@@ -729,20 +908,29 @@ async function createRouter({
         k8sClient$1,
         permissions$1
       );
-      const status = {
-        phase: "Rejected",
-        reviewedBy,
-        reviewedAt: (/* @__PURE__ */ new Date()).toISOString()
+      const approvalName = `${name}-denial-${crypto.randomBytes(4).toString("hex")}`;
+      const approval = {
+        apiVersion: "devportal.kuadrant.io/v1alpha1",
+        kind: "APIKeyApproval",
+        metadata: {
+          name: approvalName,
+          namespace
+        },
+        spec: {
+          apiKeyRequestRef: { name },
+          approved: false,
+          reviewedBy,
+          reviewedAt: (/* @__PURE__ */ new Date()).toISOString()
+        }
       };
-      await k8sClient$1.patchCustomResourceStatus(
+      await k8sClient$1.createCustomResource(
         "devportal.kuadrant.io",
         "v1alpha1",
         namespace,
-        "apikeys",
-        name,
-        status
+        "apikeyapprovals",
+        approval
       );
-      res.status(204).send();
+      res.json({ success: true });
     } catch (error) {
       console.error("error rejecting api key request:", error);
       if (error instanceof errors.NotAllowedError) {
@@ -767,73 +955,52 @@ async function createRouter({
     try {
       const credentials = await httpAuth.credentials(req);
       const { userEntityRef } = await getUserIdentity(req, httpAuth, userInfo);
-      const updateAllDecision = await permissions$1.authorize(
-        [{ permission: permissions.kuadrantApiKeyUpdateAllPermission }],
-        { credentials }
-      );
-      const canUpdateAll = updateAllDecision[0].result === pluginPermissionCommon.AuthorizeResult.ALLOW;
-      if (!canUpdateAll) {
-        const updateOwnDecision = await permissions$1.authorize(
-          [{ permission: permissions.kuadrantApiKeyUpdateOwnPermission }],
-          { credentials }
-        );
-        if (updateOwnDecision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
-          throw new errors.NotAllowedError("unauthorised");
-        }
-      }
-      const { requests } = parsed.data;
+      const { requests, comment } = parsed.data;
       const reviewedBy = userEntityRef;
       const results = [];
       for (const reqRef of requests) {
         try {
-          if (!canUpdateAll) {
-            const request = await k8sClient$1.getCustomResource(
-              "devportal.kuadrant.io",
-              "v1alpha1",
-              reqRef.namespace,
-              "apikeys",
-              reqRef.name
-            );
-            const apiProductName = request.spec?.apiProductRef?.name;
-            if (!apiProductName) {
-              results.push({
-                namespace: reqRef.namespace,
-                name: reqRef.name,
-                success: false,
-                error: "API key has no associated API product."
-              });
-              continue;
-            }
-            const apiProduct = await k8sClient$1.getCustomResource(
-              "devportal.kuadrant.io",
-              "v1alpha1",
-              reqRef.namespace,
-              "apiproducts",
-              apiProductName
-            );
-            const owner = apiProduct.metadata?.annotations?.["backstage.io/owner"];
-            if (owner !== userEntityRef) {
-              results.push({
-                namespace: reqRef.namespace,
-                name: reqRef.name,
-                success: false,
-                error: "You can only approve requests for your own API products."
-              });
-              continue;
-            }
+          const request = await k8sClient$1.getCustomResource(
+            "devportal.kuadrant.io",
+            "v1alpha1",
+            reqRef.namespace,
+            "apikeyrequests",
+            reqRef.name
+          );
+          const apiProductName = request.spec?.apiProductRef?.name;
+          if (!apiProductName) {
+            throw new errors.InputError("apiProductRef.name is required in APIKeyRequest spec");
           }
-          const status = {
-            phase: "Approved",
-            reviewedBy,
-            reviewedAt: (/* @__PURE__ */ new Date()).toISOString()
+          await verifyApiKeyUpdatePermission(
+            credentials,
+            userEntityRef,
+            reqRef.namespace,
+            apiProductName,
+            k8sClient$1,
+            permissions$1
+          );
+          const approvalName = `${reqRef.name}-approval-${crypto.randomBytes(4).toString("hex")}`;
+          const approval = {
+            apiVersion: "devportal.kuadrant.io/v1alpha1",
+            kind: "APIKeyApproval",
+            metadata: {
+              name: approvalName,
+              namespace: reqRef.namespace
+            },
+            spec: {
+              apiKeyRequestRef: { name: reqRef.name },
+              approved: true,
+              reviewedBy,
+              reviewedAt: (/* @__PURE__ */ new Date()).toISOString(),
+              ...comment && { comment }
+            }
           };
-          await k8sClient$1.patchCustomResourceStatus(
+          await k8sClient$1.createCustomResource(
             "devportal.kuadrant.io",
             "v1alpha1",
             reqRef.namespace,
-            "apikeys",
-            reqRef.name,
-            status
+            "apikeyapprovals",
+            approval
           );
           results.push({ namespace: reqRef.namespace, name: reqRef.name, success: true });
         } catch (error) {
@@ -864,21 +1031,7 @@ async function createRouter({
     try {
       const credentials = await httpAuth.credentials(req);
       const { userEntityRef } = await getUserIdentity(req, httpAuth, userInfo);
-      const updateAllDecision = await permissions$1.authorize(
-        [{ permission: permissions.kuadrantApiKeyUpdateAllPermission }],
-        { credentials }
-      );
-      const canUpdateAll = updateAllDecision[0].result === pluginPermissionCommon.AuthorizeResult.ALLOW;
-      if (!canUpdateAll) {
-        const updateOwnDecision = await permissions$1.authorize(
-          [{ permission: permissions.kuadrantApiKeyUpdateOwnPermission }],
-          { credentials }
-        );
-        if (updateOwnDecision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
-          throw new errors.NotAllowedError("unauthorised");
-        }
-      }
-      const { requests } = parsed.data;
+      const { requests, comment } = parsed.data;
       const reviewedBy = userEntityRef;
       const results = [];
       for (const reqRef of requests) {
@@ -887,39 +1040,43 @@ async function createRouter({
             "devportal.kuadrant.io",
             "v1alpha1",
             reqRef.namespace,
-            "apikeys",
+            "apikeyrequests",
             reqRef.name
           );
-          const spec = request.spec;
-          const apiProduct = await k8sClient$1.getCustomResource(
-            "devportal.kuadrant.io",
-            "v1alpha1",
+          const apiProductName = request.spec?.apiProductRef?.name;
+          if (!apiProductName) {
+            throw new errors.InputError("apiProductRef.name is required in APIKeyRequest spec");
+          }
+          await verifyApiKeyUpdatePermission(
+            credentials,
+            userEntityRef,
             reqRef.namespace,
-            "apiproducts",
-            spec.apiProductRef?.name
+            apiProductName,
+            k8sClient$1,
+            permissions$1
           );
-          const owner = apiProduct.metadata?.annotations?.["backstage.io/owner"];
-          if (!canUpdateAll && owner !== userEntityRef) {
-            results.push({
-              namespace: reqRef.namespace,
-              name: reqRef.name,
-              success: false,
-              error: "You can only reject requests for your own API products."
-            });
-            continue;
-          }
-          const status = {
-            phase: "Rejected",
-            reviewedBy,
-            reviewedAt: (/* @__PURE__ */ new Date()).toISOString()
+          const approvalName = `${reqRef.name}-denial-${crypto.randomBytes(4).toString("hex")}`;
+          const approval = {
+            apiVersion: "devportal.kuadrant.io/v1alpha1",
+            kind: "APIKeyApproval",
+            metadata: {
+              name: approvalName,
+              namespace: reqRef.namespace
+            },
+            spec: {
+              apiKeyRequestRef: { name: reqRef.name },
+              approved: false,
+              reviewedBy,
+              reviewedAt: (/* @__PURE__ */ new Date()).toISOString(),
+              ...comment && { comment }
+            }
           };
-          await k8sClient$1.patchCustomResourceStatus(
+          await k8sClient$1.createCustomResource(
             "devportal.kuadrant.io",
             "v1alpha1",
             reqRef.namespace,
-            "apikeys",
-            reqRef.name,
-            status
+            "apikeyapprovals",
+            approval
           );
           results.push({ namespace: reqRef.namespace, name: reqRef.name, success: true });
         } catch (error) {
@@ -947,30 +1104,23 @@ async function createRouter({
       const credentials = await httpAuth.credentials(req);
       const { userEntityRef } = await getUserIdentity(req, httpAuth, userInfo);
       const { namespace, name } = req.params;
-      const request = await k8sClient$1.getCustomResource(
+      const apiKey = await k8sClient$1.getCustomResource(
         "devportal.kuadrant.io",
         "v1alpha1",
         namespace,
         "apikeys",
         name
       );
-      const requestUserId = request.spec?.requestedBy?.userId;
-      const deleteAllDecision = await permissions$1.authorize(
-        [{ permission: permissions.kuadrantApiKeyDeleteAllPermission }],
+      const deleteOwnDecision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiKeyDeleteOwnPermission }],
         { credentials }
       );
-      const canDeleteAll = deleteAllDecision[0].result === pluginPermissionCommon.AuthorizeResult.ALLOW;
-      if (!canDeleteAll) {
-        const deleteOwnDecision = await permissions$1.authorize(
-          [{ permission: permissions.kuadrantApiKeyDeleteOwnPermission }],
-          { credentials }
-        );
-        if (deleteOwnDecision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
-          throw new errors.NotAllowedError("unauthorised");
-        }
-        if (requestUserId !== userEntityRef) {
-          throw new errors.NotAllowedError("you can only delete your own api key requests");
-        }
+      if (deleteOwnDecision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const requestUserId = apiKey.spec?.requestedBy?.userId;
+      if (requestUserId !== userEntityRef) {
+        throw new errors.NotAllowedError("you can only delete your own api key requests");
       }
       await k8sClient$1.deleteCustomResource(
         "devportal.kuadrant.io",
@@ -1012,7 +1162,21 @@ async function createRouter({
         name
       );
       const requestUserId = existing.spec?.requestedBy?.userId;
-      const currentPhase = existing.status?.phase || "Pending";
+      let currentPhase = "Pending";
+      const conditions = existing.status?.conditions;
+      if (conditions && conditions.length > 0) {
+        const approved = conditions.find(
+          (c) => c.type === "Approved" && c.status === "True"
+        );
+        if (approved) {
+          currentPhase = "Approved";
+        } else {
+          const denied = conditions.find(
+            (c) => c.type === "Denied" && c.status === "True"
+          );
+          if (denied) currentPhase = "Denied";
+        }
+      }
       if (currentPhase !== "Pending") {
         throw new errors.NotAllowedError("only pending requests can be edited");
       }
@@ -1130,19 +1294,13 @@ async function createRouter({
           throw new errors.NotAllowedError("you can only read your own api key secrets");
         }
       }
-      if (apiKey.status?.canReadSecret !== true) {
-        res.status(403).json({
-          error: "secret has already been read and cannot be retrieved again"
-        });
-        return;
-      }
-      if (!apiKey.status?.secretRef?.name || !apiKey.status?.secretRef?.key) {
+      if (!apiKey.spec?.secretRef?.name) {
         res.status(404).json({
-          error: "secret reference not found in apikey status"
+          error: "secretRef not found in APIKey spec"
         });
         return;
       }
-      const secretName = apiKey.status.secretRef.name;
+      const secretName = apiKey.spec.secretRef.name;
       let secret;
       try {
         secret = await k8sClient$1.getSecret(namespace, secretName);
@@ -1162,17 +1320,6 @@ async function createRouter({
         return;
       }
       const decodedApiKey = Buffer.from(apiKeyValue, "base64").toString("utf-8");
-      await k8sClient$1.patchCustomResourceStatus(
-        "devportal.kuadrant.io",
-        "v1alpha1",
-        namespace,
-        "apikeys",
-        name,
-        {
-          ...apiKey.status,
-          canReadSecret: false
-        }
-      );
       res.json({
         apiKey: decodedApiKey
       });