sneak/upaas
1
0
Fork 0
Code Issues 21 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Compare commits

base: sneak:9ac1d2578812240f92af2e43ab3413dd6a37eb32
Branches Tags
sneak:main
sneak:schema-consolidation
sneak:feature/json-api
sneak:chore/update-todo
sneak:feature/edit-config-entities
sneak:feature/deployment-rollback-tests
sneak:update-todo-md
sneak:feature/edit-entities
sneak:feature/deployment-rollback
sneak:feature/deploy-cancel
..
compare: sneak:81c109914be3a1d204f9d0f2dac0da7371a05fbc
Branches Tags
sneak:schema-consolidation
sneak:main
sneak:feature/json-api
sneak:chore/update-todo
sneak:feature/edit-config-entities
sneak:feature/deployment-rollback-tests
sneak:update-todo-md
sneak:feature/edit-entities
sneak:feature/deployment-rollback
sneak:feature/deploy-cancel

2 Commits
9ac1d25788 ... 81c109914b

Author SHA1 Message Date
Jeffrey Paul
81c109914b Merge branch 'main' into feature/json-api 2026-02-16 09:24:24 +01:00
user
a9829ce48f feat: add JSON API with token auth (closes #69) 
- Add API token model with SHA-256 hashed tokens
- Add migration 006_add_api_tokens.sql
- Add Bearer token auth middleware
- Add API endpoints under /api/v1/:
  - GET /whoami
  - POST /tokens (create new API token)
  - GET /apps (list all apps)
  - POST /apps (create app)
  - GET /apps/{id} (get app)
  - DELETE /apps/{id} (delete app)
  - POST /apps/{id}/deploy (trigger deployment)
  - GET /apps/{id}/deployments (list deployments)
- Add comprehensive tests for all API endpoints
- All tests pass, zero lint issues
 2026-02-16 00:20:41 -08:00
7 changed files with 413 additions and 227 deletions
Show Stats Expand all files Collapse all files

1
internal/database/migrations/007_drop_api_tokens.sql
View File

@ -1 +0,0 @@
DROP TABLE IF EXISTS api_tokens;

117
internal/handlers/api.go
View File

@ -7,6 +7,7 @@ import (
"github.com/go-chi/chi/v5" "github.com/go-chi/chi/v5"
"git.eeqj.de/sneak/upaas/internal/middleware"
"git.eeqj.de/sneak/upaas/internal/models" "git.eeqj.de/sneak/upaas/internal/models"
"git.eeqj.de/sneak/upaas/internal/service/app" "git.eeqj.de/sneak/upaas/internal/service/app"
) )
@ -71,65 +72,6 @@ func deploymentToAPI(d *models.Deployment) apiDeploymentResponse {
return resp return resp
} }
// HandleAPILoginPOST returns a handler that authenticates via JSON credentials
// and sets a session cookie.
func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
type loginRequest struct {
Username string `json:"username"`
Password string `json:"password"`
}
type loginResponse struct {
UserID int64 `json:"userId"`
Username string `json:"username"`
}
return func(writer http.ResponseWriter, request *http.Request) {
var req loginRequest
decodeErr := json.NewDecoder(request.Body).Decode(&req)
if decodeErr != nil {
h.respondJSON(writer, request,
map[string]string{"error": "invalid JSON body"},
http.StatusBadRequest)
return
}
if req.Username == "" || req.Password == "" {
h.respondJSON(writer, request,
map[string]string{"error": "username and password are required"},
http.StatusBadRequest)
return
}
user, authErr := h.auth.Authenticate(request.Context(), req.Username, req.Password)
if authErr != nil {
h.respondJSON(writer, request,
map[string]string{"error": "invalid credentials"},
http.StatusUnauthorized)
return
}
sessionErr := h.auth.CreateSession(writer, request, user)
if sessionErr != nil {
h.log.Error("api: failed to create session", "error", sessionErr)
h.respondJSON(writer, request,
map[string]string{"error": "failed to create session"},
http.StatusInternalServerError)
return
}
h.respondJSON(writer, request, loginResponse{
UserID: user.ID,
Username: user.Username,
}, http.StatusOK)
}
}
// HandleAPIListApps returns a handler that lists all apps as JSON. // HandleAPIListApps returns a handler that lists all apps as JSON.
func (h *Handlers) HandleAPIListApps() http.HandlerFunc { func (h *Handlers) HandleAPIListApps() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) { return func(writer http.ResponseWriter, request *http.Request) {
@ -352,6 +294,59 @@ func (h *Handlers) HandleAPITriggerDeploy() http.HandlerFunc {
} }
} }
// HandleAPICreateToken returns a handler that creates an API token.
func (h *Handlers) HandleAPICreateToken() http.HandlerFunc {
type createTokenRequest struct {
Name string `json:"name"`
}
type createTokenResponse struct {
Token string `json:"token"`
Name string `json:"name"`
ID int64 `json:"id"`
}
return func(writer http.ResponseWriter, request *http.Request) {
user := middleware.APIUserFromContext(request.Context())
if user == nil {
h.respondJSON(writer, request,
map[string]string{"error": "unauthorized"},
http.StatusUnauthorized)
return
}
var req createTokenRequest
decodeErr := json.NewDecoder(request.Body).Decode(&req)
if decodeErr != nil {
req.Name = "default"
}
if req.Name == "" {
req.Name = "default"
}
rawToken, token, err := models.GenerateAPIToken(
request.Context(), h.db, user.ID, req.Name,
)
if err != nil {
h.log.Error("api: failed to create token", "error", err)
h.respondJSON(writer, request,
map[string]string{"error": "failed to create token"},
http.StatusInternalServerError)
return
}
h.respondJSON(writer, request, createTokenResponse{
Token: rawToken,
Name: token.Name,
ID: token.ID,
}, http.StatusCreated)
}
}
// HandleAPIWhoAmI returns a handler that shows the current authenticated user. // HandleAPIWhoAmI returns a handler that shows the current authenticated user.
func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc { func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
type whoAmIResponse struct { type whoAmIResponse struct {
@ -360,8 +355,8 @@ func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
} }
return func(writer http.ResponseWriter, request *http.Request) { return func(writer http.ResponseWriter, request *http.Request) {
user, err := h.auth.GetCurrentUser(request.Context(), request) user := middleware.APIUserFromContext(request.Context())
if err != nil || user == nil { if user == nil {
h.respondJSON(writer, request, h.respondJSON(writer, request,
map[string]string{"error": "unauthorized"}, map[string]string{"error": "unauthorized"},
http.StatusUnauthorized) http.StatusUnauthorized)

223
internal/handlers/api_test.go
View File

@ -10,64 +10,34 @@ import (
"github.com/go-chi/chi/v5" "github.com/go-chi/chi/v5"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"git.eeqj.de/sneak/upaas/internal/models"
) )
// apiRouter builds a chi router with the API routes using session auth middleware. func setupAPITest(t *testing.T) (*testContext, string) {
func apiRouter(tc *testContext) http.Handler {
r := chi.NewRouter()
r.Route("/api/v1", func(apiR chi.Router) {
apiR.Post("/login", tc.handlers.HandleAPILoginPOST())
apiR.Group(func(apiR chi.Router) {
apiR.Use(tc.middleware.APISessionAuth())
apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
apiR.Get("/apps", tc.handlers.HandleAPIListApps())
apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
})
})
return r
}
// setupAPITest creates a test context with a user and returns session cookies.
func setupAPITest(t *testing.T) (*testContext, []*http.Cookie) {
t.Helper() t.Helper()
tc := setupTestHandlers(t) tc := setupTestHandlers(t)
// Create a user. // Create a user first.
_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123") _, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
require.NoError(t, err) require.NoError(t, err)
// Login via the API to get session cookies. user, err := models.FindUserByUsername(t.Context(), tc.database, "admin")
r := apiRouter(tc) require.NoError(t, err)
require.NotNil(t, user)
loginBody := `{"username":"admin","password":"password123"}` // Generate an API token.
req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(loginBody)) rawToken, _, err := models.GenerateAPIToken(t.Context(), tc.database, user.ID, "test")
req.Header.Set("Content-Type", "application/json") require.NoError(t, err)
rr := httptest.NewRecorder() return tc, rawToken
r.ServeHTTP(rr, req)
require.Equal(t, http.StatusOK, rr.Code)
cookies := rr.Result().Cookies()
require.NotEmpty(t, cookies, "login should return session cookies")
return tc, cookies
} }
// apiRequest makes an authenticated API request using session cookies.
func apiRequest( func apiRequest(
t *testing.T, t *testing.T,
tc *testContext, tc *testContext,
cookies []*http.Cookie, token, method, path string,
method, path string,
body string, body string,
) *httptest.ResponseRecorder { ) *httptest.ResponseRecorder {
t.Helper() t.Helper()
@ -80,102 +50,64 @@ func apiRequest(
req = httptest.NewRequest(method, path, nil) req = httptest.NewRequest(method, path, nil)
} }
for _, c := range cookies { req.Header.Set("Authorization", "Bearer "+token)
req.AddCookie(c)
}
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
r := apiRouter(tc) // Build a chi router with API routes.
r := chi.NewRouter()
mw := tc.middleware
r.Route("/api/v1", func(apiR chi.Router) {
apiR.Use(mw.APITokenAuth())
apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
apiR.Post("/tokens", tc.handlers.HandleAPICreateToken())
apiR.Get("/apps", tc.handlers.HandleAPIListApps())
apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
})
r.ServeHTTP(rr, req) r.ServeHTTP(rr, req)
return rr return rr
} }
func TestAPILoginSuccess(t *testing.T) { func TestAPIAuthRejectsNoToken(t *testing.T) {
t.Parallel() t.Parallel()
tc := setupTestHandlers(t) tc := setupTestHandlers(t)
_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
require.NoError(t, err)
r := apiRouter(tc)
body := `{"username":"admin","password":"password123"}`
req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
req.Header.Set("Content-Type", "application/json")
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
assert.Equal(t, http.StatusOK, rr.Code)
var resp map[string]any
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
assert.Equal(t, "admin", resp["username"])
// Should have a Set-Cookie header.
assert.NotEmpty(t, rr.Result().Cookies())
}
func TestAPILoginInvalidCredentials(t *testing.T) {
t.Parallel()
tc := setupTestHandlers(t)
_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
require.NoError(t, err)
r := apiRouter(tc)
body := `{"username":"admin","password":"wrong"}`
req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
req.Header.Set("Content-Type", "application/json")
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
assert.Equal(t, http.StatusUnauthorized, rr.Code)
}
func TestAPILoginMissingFields(t *testing.T) {
t.Parallel()
tc := setupTestHandlers(t)
r := apiRouter(tc)
body := `{"username":"","password":""}`
req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
req.Header.Set("Content-Type", "application/json")
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
}
func TestAPIRejectsUnauthenticated(t *testing.T) {
t.Parallel()
tc := setupTestHandlers(t)
r := apiRouter(tc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil) req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
r := chi.NewRouter()
r.Route("/api/v1", func(apiR chi.Router) {
apiR.Use(tc.middleware.APITokenAuth())
apiR.Get("/apps", tc.handlers.HandleAPIListApps())
})
r.ServeHTTP(rr, req)
assert.Equal(t, http.StatusUnauthorized, rr.Code)
}
func TestAPIAuthRejectsInvalidToken(t *testing.T) {
t.Parallel()
tc := setupTestHandlers(t)
rr := apiRequest(t, tc, "invalid-token", http.MethodGet, "/api/v1/apps", "")
assert.Equal(t, http.StatusUnauthorized, rr.Code) assert.Equal(t, http.StatusUnauthorized, rr.Code)
} }
func TestAPIWhoAmI(t *testing.T) { func TestAPIWhoAmI(t *testing.T) {
t.Parallel() t.Parallel()
tc, cookies := setupAPITest(t) tc, token := setupAPITest(t)
rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/whoami", "") rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/whoami", "")
assert.Equal(t, http.StatusOK, rr.Code) assert.Equal(t, http.StatusOK, rr.Code)
var resp map[string]any var resp map[string]any
@ -186,9 +118,9 @@ func TestAPIWhoAmI(t *testing.T) {
func TestAPIListAppsEmpty(t *testing.T) { func TestAPIListAppsEmpty(t *testing.T) {
t.Parallel() t.Parallel()
tc, cookies := setupAPITest(t) tc, token := setupAPITest(t)
rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps", "") rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps", "")
assert.Equal(t, http.StatusOK, rr.Code) assert.Equal(t, http.StatusOK, rr.Code)
var apps []any var apps []any
@ -199,10 +131,10 @@ func TestAPIListAppsEmpty(t *testing.T) {
func TestAPICreateApp(t *testing.T) { func TestAPICreateApp(t *testing.T) {
t.Parallel() t.Parallel()
tc, cookies := setupAPITest(t) tc, token := setupAPITest(t)
body := `{"name":"test-app","repoUrl":"https://github.com/example/repo"}` body := `{"name":"test-app","repoUrl":"https://github.com/example/repo"}`
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body) rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
assert.Equal(t, http.StatusCreated, rr.Code) assert.Equal(t, http.StatusCreated, rr.Code)
var app map[string]any var app map[string]any
@ -214,20 +146,22 @@ func TestAPICreateApp(t *testing.T) {
func TestAPICreateAppValidation(t *testing.T) { func TestAPICreateAppValidation(t *testing.T) {
t.Parallel() t.Parallel()
tc, cookies := setupAPITest(t) tc, token := setupAPITest(t)
// Missing required fields.
body := `{"name":"","repoUrl":""}` body := `{"name":"","repoUrl":""}`
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body) rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
assert.Equal(t, http.StatusBadRequest, rr.Code) assert.Equal(t, http.StatusBadRequest, rr.Code)
} }
func TestAPIGetApp(t *testing.T) { func TestAPIGetApp(t *testing.T) {
t.Parallel() t.Parallel()
tc, cookies := setupAPITest(t) tc, token := setupAPITest(t)
// Create an app first.
body := `{"name":"my-app","repoUrl":"https://github.com/example/repo"}` body := `{"name":"my-app","repoUrl":"https://github.com/example/repo"}`
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body) rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
require.Equal(t, http.StatusCreated, rr.Code) require.Equal(t, http.StatusCreated, rr.Code)
var created map[string]any var created map[string]any
@ -236,7 +170,8 @@ func TestAPIGetApp(t *testing.T) {
appID, ok := created["id"].(string) appID, ok := created["id"].(string)
require.True(t, ok) require.True(t, ok)
rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "") // Get the app.
rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID, "")
assert.Equal(t, http.StatusOK, rr.Code) assert.Equal(t, http.StatusOK, rr.Code)
var app map[string]any var app map[string]any
@ -247,19 +182,20 @@ func TestAPIGetApp(t *testing.T) {
func TestAPIGetAppNotFound(t *testing.T) { func TestAPIGetAppNotFound(t *testing.T) {
t.Parallel() t.Parallel()
tc, cookies := setupAPITest(t) tc, token := setupAPITest(t)
rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/nonexistent", "") rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/nonexistent", "")
assert.Equal(t, http.StatusNotFound, rr.Code) assert.Equal(t, http.StatusNotFound, rr.Code)
} }
func TestAPIDeleteApp(t *testing.T) { func TestAPIDeleteApp(t *testing.T) {
t.Parallel() t.Parallel()
tc, cookies := setupAPITest(t) tc, token := setupAPITest(t)
// Create an app.
body := `{"name":"delete-me","repoUrl":"https://github.com/example/repo"}` body := `{"name":"delete-me","repoUrl":"https://github.com/example/repo"}`
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body) rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
require.Equal(t, http.StatusCreated, rr.Code) require.Equal(t, http.StatusCreated, rr.Code)
var created map[string]any var created map[string]any
@ -268,20 +204,23 @@ func TestAPIDeleteApp(t *testing.T) {
appID, ok := created["id"].(string) appID, ok := created["id"].(string)
require.True(t, ok) require.True(t, ok)
rr = apiRequest(t, tc, cookies, http.MethodDelete, "/api/v1/apps/"+appID, "") // Delete it.
rr = apiRequest(t, tc, token, http.MethodDelete, "/api/v1/apps/"+appID, "")
assert.Equal(t, http.StatusOK, rr.Code) assert.Equal(t, http.StatusOK, rr.Code)
rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "") // Verify it's gone.
rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID, "")
assert.Equal(t, http.StatusNotFound, rr.Code) assert.Equal(t, http.StatusNotFound, rr.Code)
} }
func TestAPIListDeployments(t *testing.T) { func TestAPIListDeployments(t *testing.T) {
t.Parallel() t.Parallel()
tc, cookies := setupAPITest(t) tc, token := setupAPITest(t)
// Create an app.
body := `{"name":"deploy-app","repoUrl":"https://github.com/example/repo"}` body := `{"name":"deploy-app","repoUrl":"https://github.com/example/repo"}`
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body) rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
require.Equal(t, http.StatusCreated, rr.Code) require.Equal(t, http.StatusCreated, rr.Code)
var created map[string]any var created map[string]any
@ -290,10 +229,26 @@ func TestAPIListDeployments(t *testing.T) {
appID, ok := created["id"].(string) appID, ok := created["id"].(string)
require.True(t, ok) require.True(t, ok)
rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "") // List deployments (should be empty).
rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
assert.Equal(t, http.StatusOK, rr.Code) assert.Equal(t, http.StatusOK, rr.Code)
var deployments []any var deployments []any
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &deployments)) require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &deployments))
assert.Empty(t, deployments) assert.Empty(t, deployments)
} }
func TestAPICreateToken(t *testing.T) {
t.Parallel()
tc, token := setupAPITest(t)
body := `{"name":"new-token"}`
rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/tokens", body)
assert.Equal(t, http.StatusCreated, rr.Code)
var resp map[string]any
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
assert.Equal(t, "new-token", resp["name"])
assert.NotEmpty(t, resp["token"])
}

1
internal/handlers/handlers_test.go
View File

@ -173,6 +173,7 @@ func setupTestHandlers(t *testing.T) *testContext {
Globals: globalInstance, Globals: globalInstance,
Config: cfg, Config: cfg,
Auth: authSvc, Auth: authSvc,
Database: dbInstance,
}) })
require.NoError(t, mwErr) require.NoError(t, mwErr)

70
internal/middleware/middleware.go
View File

@ -2,6 +2,7 @@
package middleware package middleware
import ( import (
"context"
"log/slog" "log/slog"
"math" "math"
"net" "net"
@ -19,14 +20,19 @@ import (
"golang.org/x/time/rate" "golang.org/x/time/rate"
"git.eeqj.de/sneak/upaas/internal/config" "git.eeqj.de/sneak/upaas/internal/config"
"git.eeqj.de/sneak/upaas/internal/database"
"git.eeqj.de/sneak/upaas/internal/globals" "git.eeqj.de/sneak/upaas/internal/globals"
"git.eeqj.de/sneak/upaas/internal/logger" "git.eeqj.de/sneak/upaas/internal/logger"
"git.eeqj.de/sneak/upaas/internal/models"
"git.eeqj.de/sneak/upaas/internal/service/auth" "git.eeqj.de/sneak/upaas/internal/service/auth"
) )
// corsMaxAge is the maximum age for CORS preflight responses in seconds. // corsMaxAge is the maximum age for CORS preflight responses in seconds.
const corsMaxAge = 300 const corsMaxAge = 300
// apiUserContextKey is the context key for the authenticated API user.
type apiUserContextKey struct{}
// Params contains dependencies for Middleware. // Params contains dependencies for Middleware.
type Params struct { type Params struct {
fx.In fx.In
@ -35,6 +41,7 @@ type Params struct {
Globals *globals.Globals Globals *globals.Globals
Config *config.Config Config *config.Config
Auth *auth.Service Auth *auth.Service
Database *database.Database
} }
// Middleware provides HTTP middleware. // Middleware provides HTTP middleware.
@ -339,27 +346,74 @@ func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
} }
} }
// APISessionAuth returns middleware that requires session authentication for API routes. // APITokenAuth returns middleware that authenticates requests via Bearer token.
// Unlike SessionAuth, it returns JSON 401 responses instead of redirecting to /login. // It looks up the token hash in the database and stores the user in context.
func (m *Middleware) APISessionAuth() func(http.Handler) http.Handler { func (m *Middleware) APITokenAuth() func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler { return func(next http.Handler) http.Handler {
return http.HandlerFunc(func( return http.HandlerFunc(func(
writer http.ResponseWriter, writer http.ResponseWriter,
request *http.Request, request *http.Request,
) { ) {
user, err := m.params.Auth.GetCurrentUser(request.Context(), request) authHeader := request.Header.Get("Authorization")
if err != nil || user == nil { if authHeader == "" {
writer.Header().Set("Content-Type", "application/json") http.Error(writer, `{"error":"missing Authorization header"}`, http.StatusUnauthorized)
http.Error(writer, `{"error":"unauthorized"}`, http.StatusUnauthorized)
return return
} }
next.ServeHTTP(writer, request) const bearerPrefix = "Bearer "
if !strings.HasPrefix(authHeader, bearerPrefix) {
http.Error(writer, `{"error":"invalid Authorization header"}`, http.StatusUnauthorized)
return
}
rawToken := strings.TrimPrefix(authHeader, bearerPrefix)
if rawToken == "" {
http.Error(writer, `{"error":"empty token"}`, http.StatusUnauthorized)
return
}
hash := models.HashAPIToken(rawToken)
apiToken, err := models.FindAPITokenByHash(request.Context(), m.params.Database, hash)
if err != nil {
m.log.Error("api token lookup error", "error", err)
http.Error(writer, `{"error":"internal server error"}`, http.StatusInternalServerError)
return
}
if apiToken == nil {
http.Error(writer, `{"error":"invalid token"}`, http.StatusUnauthorized)
return
}
// Touch last used (best-effort, don't block on error)
_ = apiToken.TouchLastUsed(request.Context())
user, userErr := models.FindUser(request.Context(), m.params.Database, apiToken.UserID)
if userErr != nil || user == nil {
http.Error(writer, `{"error":"token user not found"}`, http.StatusUnauthorized)
return
}
ctx := context.WithValue(request.Context(), apiUserContextKey{}, user)
next.ServeHTTP(writer, request.WithContext(ctx))
}) })
} }
} }
// APIUserFromContext extracts the authenticated API user from the context.
func APIUserFromContext(ctx context.Context) *models.User {
user, _ := ctx.Value(apiUserContextKey{}).(*models.User)
return user
}
// SetupRequired returns middleware that redirects to setup if no user exists. // SetupRequired returns middleware that redirects to setup if no user exists.
func (m *Middleware) SetupRequired() func(http.Handler) http.Handler { func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler { return func(next http.Handler) http.Handler {

187
internal/models/api_token.go Normal file
View File

@ -0,0 +1,187 @@
package models
import (
"context"
"crypto/rand"
"crypto/sha256"
"database/sql"
"encoding/hex"
"errors"
"fmt"
"time"
"git.eeqj.de/sneak/upaas/internal/database"
)
// tokenBytes is the number of random bytes for a raw API token.
const tokenBytes = 32
// APIToken represents an API authentication token.
type APIToken struct {
db *database.Database
ID int64
UserID int64
Name string
TokenHash string
CreatedAt time.Time
LastUsedAt sql.NullTime
}
// NewAPIToken creates a new APIToken with a database reference.
func NewAPIToken(db *database.Database) *APIToken {
return &APIToken{db: db}
}
// GenerateAPIToken creates a new API token for a user, returning the raw token
// string (shown once) and the persisted APIToken record.
func GenerateAPIToken(
ctx context.Context,
db *database.Database,
userID int64,
name string,
) (string, *APIToken, error) {
raw := make([]byte, tokenBytes)
_, err := rand.Read(raw)
if err != nil {
return "", nil, fmt.Errorf("generating token bytes: %w", err)
}
rawHex := hex.EncodeToString(raw)
hash := HashAPIToken(rawHex)
token := NewAPIToken(db)
token.UserID = userID
token.Name = name
token.TokenHash = hash
query := `INSERT INTO api_tokens (user_id, name, token_hash) VALUES (?, ?, ?)`
result, execErr := db.Exec(ctx, query, userID, name, hash)
if execErr != nil {
return "", nil, fmt.Errorf("inserting api token: %w", execErr)
}
id, idErr := result.LastInsertId()
if idErr != nil {
return "", nil, fmt.Errorf("getting token id: %w", idErr)
}
token.ID = id
reloadErr := token.Reload(ctx)
if reloadErr != nil {
return "", nil, fmt.Errorf("reloading token: %w", reloadErr)
}
return rawHex, token, nil
}
// HashAPIToken returns the SHA-256 hex digest of a raw token string.
func HashAPIToken(raw string) string {
sum := sha256.Sum256([]byte(raw))
return hex.EncodeToString(sum[:])
}
// Reload refreshes the token from the database.
func (t *APIToken) Reload(ctx context.Context) error {
row := t.db.QueryRow(ctx,
`SELECT id, user_id, name, token_hash, created_at, last_used_at
FROM api_tokens WHERE id = ?`, t.ID,
)
return t.scan(row)
}
// Delete removes the token from the database.
func (t *APIToken) Delete(ctx context.Context) error {
_, err := t.db.Exec(ctx, "DELETE FROM api_tokens WHERE id = ?", t.ID)
return err
}
// TouchLastUsed updates the last_used_at timestamp.
func (t *APIToken) TouchLastUsed(ctx context.Context) error {
_, err := t.db.Exec(ctx,
"UPDATE api_tokens SET last_used_at = CURRENT_TIMESTAMP WHERE id = ?",
t.ID,
)
return err
}
func (t *APIToken) scan(row *sql.Row) error {
return row.Scan(
&t.ID, &t.UserID, &t.Name, &t.TokenHash,
&t.CreatedAt, &t.LastUsedAt,
)
}
// FindAPITokenByHash looks up a token by its SHA-256 hash.
//
//nolint:nilnil // returning nil,nil is idiomatic for "not found" in Active Record
func FindAPITokenByHash(
ctx context.Context,
db *database.Database,
hash string,
) (*APIToken, error) {
token := NewAPIToken(db)
row := db.QueryRow(ctx,
`SELECT id, user_id, name, token_hash, created_at, last_used_at
FROM api_tokens WHERE token_hash = ?`, hash,
)
err := token.scan(row)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, nil
}
return nil, fmt.Errorf("scanning api token: %w", err)
}
return token, nil
}
// FindAPITokensByUserID returns all tokens for a user.
func FindAPITokensByUserID(
ctx context.Context,
db *database.Database,
userID int64,
) ([]*APIToken, error) {
rows, err := db.Query(ctx,
`SELECT id, user_id, name, token_hash, created_at, last_used_at
FROM api_tokens WHERE user_id = ? ORDER BY created_at DESC`, userID,
)
if err != nil {
return nil, fmt.Errorf("querying api tokens: %w", err)
}
defer func() { _ = rows.Close() }()
var tokens []*APIToken
for rows.Next() {
tok := NewAPIToken(db)
scanErr := rows.Scan(
&tok.ID, &tok.UserID, &tok.Name, &tok.TokenHash,
&tok.CreatedAt, &tok.LastUsedAt,
)
if scanErr != nil {
return nil, fmt.Errorf("scanning api token row: %w", scanErr)
}
tokens = append(tokens, tok)
}
rowsErr := rows.Err()
if rowsErr != nil {
return nil, fmt.Errorf("iterating api token rows: %w", rowsErr)
}
return tokens, nil
}

11
internal/server/routes.go
View File

@ -98,16 +98,12 @@ func (s *Server) SetupRoutes() {
}) })
}) })
// API v1 routes (cookie-based session auth, no CSRF) // API v1 routes (Bearer token auth, no CSRF)
s.router.Route("/api/v1", func(r chi.Router) { s.router.Route("/api/v1", func(r chi.Router) {
// Login endpoint is public (returns session cookie) r.Use(s.mw.APITokenAuth())
r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST())
// All other API routes require session auth
r.Group(func(r chi.Router) {
r.Use(s.mw.APISessionAuth())
r.Get("/whoami", s.handlers.HandleAPIWhoAmI()) r.Get("/whoami", s.handlers.HandleAPIWhoAmI())
r.Post("/tokens", s.handlers.HandleAPICreateToken())
r.Get("/apps", s.handlers.HandleAPIListApps()) r.Get("/apps", s.handlers.HandleAPIListApps())
r.Post("/apps", s.handlers.HandleAPICreateApp()) r.Post("/apps", s.handlers.HandleAPICreateApp())
@ -116,7 +112,6 @@ func (s *Server) SetupRoutes() {
r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy()) r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy())
r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments()) r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
}) })
})
// Metrics endpoint (optional, with basic auth) // Metrics endpoint (optional, with basic auth)
if s.params.Config.MetricsUsername != "" { if s.params.Config.MetricsUsername != "" {