sneak/upaas
1
0
Fork 0
Code Issues 9 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

feat: add API token authentication (closes #87)

Browse Source 
- Add api_tokens table migration (007)
- Add APIToken model with CRUD operations
- Generate tokens with upaas_ prefix + 32 hex chars
- Store SHA-256 hash of tokens (not plaintext)
- Update APISessionAuth middleware to check Bearer tokens
- Add POST/GET/DELETE /api/v1/tokens endpoints
- Token creation returns plaintext once; list never exposes it
- Expired and revoked tokens are rejected
- Tests for creation, listing, deletion, bearer auth, revocation
This commit is contained in:
clawbot
2026-02-19 13:47:39 -08:00
committed by user
parent 3a4e999382
commit 7387ba6b5c
8 changed files with 809 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/database/database.go
View File

@@ -176,6 +176,13 @@ func HashWebhookSecret(secret string) string {
return hex.EncodeToString(sum[:])
}
// HashAPIToken returns the hex-encoded SHA-256 hash of an API token.
func HashAPIToken(token string) string {
sum := sha256.Sum256([]byte(token))
return hex.EncodeToString(sum[:])
}
func (d *Database) backfillWebhookSecretHashes(ctx context.Context) error {
rows, err := d.database.QueryContext(ctx,
"SELECT id, webhook_secret FROM apps WHERE webhook_secret_hash = '' AND webhook_secret != ''")