feat(webapp): extend admin workers endpoint and add PAT admin helper

Adds a GET loader to the admin worker groups endpoint, exposes type, hidden, workloadType, cloudProvider, location, staticIPs, and enableFastPath on creation, and introduces authenticateAdminRequest and requireAdminApiRequest helpers in personalAccessToken.server.ts. The generic authenticateAdminRequest returns a discriminated result so callers can shape failures to fit their context; requireAdminApiRequest is the Remix loader/action wrapper that throws a Response.

Author: nicktrn

.server-changes/admin-workers-endpoint.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Admin worker groups API: add GET loader and expose more fields on POST.

apps/webapp/app/routes/admin.api.v1.workers.ts

@@ -1,9 +1,13 @@
-import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
+import {
+  type ActionFunctionArgs,
+  type LoaderFunctionArgs,
+  json,
+} from "@remix-run/server-runtime";
 import { tryCatch } from "@trigger.dev/core";
-import { type Project } from "@trigger.dev/database";
+import { type Project, WorkerInstanceGroupType, WorkloadType } from "@trigger.dev/database";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { WorkerGroupService } from "~/v3/services/worker/workerGroupService.server";
 
 const RequestBodySchema = z.object({
@@ -12,34 +16,44 @@ const RequestBodySchema = z.object({
   projectId: z.string().optional(),
   makeDefaultForProject: z.boolean().default(false),
   removeDefaultFromProject: z.boolean().default(false),
+  type: z.nativeEnum(WorkerInstanceGroupType).optional(),
+  hidden: z.boolean().optional(),
+  workloadType: z.nativeEnum(WorkloadType).optional(),
+  cloudProvider: z.string().optional(),
+  location: z.string().optional(),
+  staticIPs: z.string().optional(),
+  enableFastPath: z.boolean().optional(),
 });
 
-export async function action({ request }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+export async function loader({ request }: LoaderFunctionArgs) {
+  await requireAdminApiRequest(request);
 
-  const user = await prisma.user.findFirst({
-    where: {
-      id: authenticationResult.userId,
-    },
+  const workerGroups = await prisma.workerInstanceGroup.findMany({
+    orderBy: { createdAt: "asc" },
   });
 
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+  return json({ workerGroups });
+}
 
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+export async function action({ request }: ActionFunctionArgs) {
+  await requireAdminApiRequest(request);
 
   try {
     const rawBody = await request.json();
-    const { name, description, projectId, makeDefaultForProject, removeDefaultFromProject } =
-      RequestBodySchema.parse(rawBody ?? {});
+    const {
+      name,
+      description,
+      projectId,
+      makeDefaultForProject,
+      removeDefaultFromProject,
+      type,
+      hidden,
+      workloadType,
+      cloudProvider,
+      location,
+      staticIPs,
+      enableFastPath,
+    } = RequestBodySchema.parse(rawBody ?? {});
 
     if (removeDefaultFromProject) {
       if (!projectId) {
@@ -74,7 +88,17 @@ export async function action({ request }: ActionFunctionArgs) {
     });
 
     if (!existingWorkerGroup) {
-      const { workerGroup, token } = await createWorkerGroup(name, description);
+      const { workerGroup, token } = await createWorkerGroup({
+        name,
+        description,
+        type,
+        hidden,
+        workloadType,
+        cloudProvider,
+        location,
+        staticIPs,
+        enableFastPath,
+      });
 
       if (!makeDefaultForProject) {
         return json({
@@ -150,9 +174,11 @@ export async function action({ request }: ActionFunctionArgs) {
   }
 }
 
-async function createWorkerGroup(name: string | undefined, description: string | undefined) {
+async function createWorkerGroup(
+  options: Parameters<WorkerGroupService["createWorkerGroup"]>[0]
+) {
   const service = new WorkerGroupService();
-  return await service.createWorkerGroup({ name, description });
+  return await service.createWorkerGroup(options);
 }
 
 async function removeDefaultWorkerGroupFromProject(projectId: string) {

apps/webapp/app/services/personalAccessToken.server.ts

@@ -1,4 +1,4 @@
-import { type PersonalAccessToken } from "@trigger.dev/database";
+import { type PersonalAccessToken, type User } from "@trigger.dev/database";
 import { customAlphabet, nanoid } from "nanoid";
 import { z } from "zod";
 import { prisma } from "~/db.server";
@@ -118,6 +118,59 @@ export async function authenticateApiRequestWithPersonalAccessToken(
   return authenticatePersonalAccessToken(token);
 }
 
+export type AdminAuthenticationResult =
+  | { ok: true; user: User }
+  | { ok: false; status: 401 | 403; message: string };
+
+/**
+ * Authenticates a request via personal access token and checks the user is
+ * an admin. Returns a discriminated result so callers can shape the failure
+ * (throw a Response, wrap in neverthrow, return JSON, etc.) to fit their
+ * context. See `requireAdminApiRequest` for the Remix loader/action wrapper.
+ */
+export async function authenticateAdminRequest(
+  request: Request
+): Promise<AdminAuthenticationResult> {
+  const authResult = await authenticateApiRequestWithPersonalAccessToken(request);
+
+  if (!authResult) {
+    return { ok: false, status: 401, message: "Invalid or Missing API key" };
+  }
+
+  const user = await prisma.user.findFirst({
+    where: { id: authResult.userId },
+  });
+
+  if (!user) {
+    return { ok: false, status: 401, message: "Invalid or Missing API key" };
+  }
+
+  if (!user.admin) {
+    return { ok: false, status: 403, message: "You must be an admin to perform this action" };
+  }
+
+  return { ok: true, user };
+}
+
+/**
+ * Remix loader/action wrapper around `authenticateAdminRequest` that throws
+ * a Response on failure so routes can `await` without handling the error
+ * branch. Uses `new Response` directly to avoid coupling this module to
+ * `@remix-run/server-runtime`.
+ */
+export async function requireAdminApiRequest(request: Request): Promise<User> {
+  const result = await authenticateAdminRequest(request);
+
+  if (!result.ok) {
+    throw new Response(JSON.stringify({ error: result.message }), {
+      status: result.status,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
+  return result.user;
+}
+
 function getPersonalAccessTokenFromRequest(request: Request) {
   const rawAuthorization = request.headers.get("Authorization");
 

apps/webapp/app/v3/services/worker/workerGroupService.server.ts

@@ -1,4 +1,4 @@
-import { WorkerInstanceGroup, WorkerInstanceGroupType } from "@trigger.dev/database";
+import { WorkerInstanceGroup, WorkerInstanceGroupType, WorkloadType } from "@trigger.dev/database";
 import { WithRunEngine } from "../baseService.server";
 import { WorkerGroupTokenService } from "./workerGroupTokenService.server";
 import { logger } from "~/services/logger.server";
@@ -14,11 +14,25 @@ export class WorkerGroupService extends WithRunEngine {
     organizationId,
     name,
     description,
+    type,
+    hidden,
+    workloadType,
+    cloudProvider,
+    location,
+    staticIPs,
+    enableFastPath,
   }: {
     projectId?: string;
     organizationId?: string;
     name?: string;
     description?: string;
+    type?: WorkerInstanceGroupType;
+    hidden?: boolean;
+    workloadType?: WorkloadType;
+    cloudProvider?: string;
+    location?: string;
+    staticIPs?: string;
+    enableFastPath?: boolean;
   }) {
     if (!name) {
       name = await this.generateWorkerName({ projectId });
@@ -30,15 +44,24 @@ export class WorkerGroupService extends WithRunEngine {
     });
     const token = await tokenService.createToken();
 
+    const resolvedType =
+      type ?? (projectId ? WorkerInstanceGroupType.UNMANAGED : WorkerInstanceGroupType.MANAGED);
+
     const workerGroup = await this._prisma.workerInstanceGroup.create({
       data: {
         projectId,
         organizationId,
-        type: projectId ? WorkerInstanceGroupType.UNMANAGED : WorkerInstanceGroupType.MANAGED,
+        type: resolvedType,
         masterQueue: this.generateMasterQueueName({ projectId, name }),
         tokenId: token.id,
         description,
         name,
+        hidden,
+        workloadType,
+        cloudProvider,
+        location,
+        staticIPs,
+        enableFastPath,
       },
     });