Merge branch 'main' into feature/json-api

- Add API token model with SHA-256 hashed tokens
- Add migration 006_add_api_tokens.sql
- Add Bearer token auth middleware
- Add API endpoints under /api/v1/:
  - GET /whoami
  - POST /tokens (create new API token)
  - GET /apps (list all apps)
  - POST /apps (create app)
  - GET /apps/{id} (get app)
  - DELETE /apps/{id} (delete app)
  - POST /apps/{id}/deploy (trigger deployment)
  - GET /apps/{id}/deployments (list deployments)
- Add comprehensive tests for all API endpoints
- All tests pass, zero lint issues

internal/database/migrations/007_drop_api_tokens.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS api_tokens;

internal/handlers/api.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/go-chi/chi/v5"
 
+	"git.eeqj.de/sneak/upaas/internal/middleware"
 	"git.eeqj.de/sneak/upaas/internal/models"
 	"git.eeqj.de/sneak/upaas/internal/service/app"
 )
@@ -71,65 +72,6 @@ func deploymentToAPI(d *models.Deployment) apiDeploymentResponse {
 	return resp
 }
 
-// HandleAPILoginPOST returns a handler that authenticates via JSON credentials
-// and sets a session cookie.
-func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
-	type loginRequest struct {
-		Username string `json:"username"`
-		Password string `json:"password"`
-	}
-
-	type loginResponse struct {
-		UserID   int64  `json:"userId"`
-		Username string `json:"username"`
-	}
-
-	return func(writer http.ResponseWriter, request *http.Request) {
-		var req loginRequest
-
-		decodeErr := json.NewDecoder(request.Body).Decode(&req)
-		if decodeErr != nil {
-			h.respondJSON(writer, request,
-				map[string]string{"error": "invalid JSON body"},
-				http.StatusBadRequest)
-
-			return
-		}
-
-		if req.Username == "" || req.Password == "" {
-			h.respondJSON(writer, request,
-				map[string]string{"error": "username and password are required"},
-				http.StatusBadRequest)
-
-			return
-		}
-
-		user, authErr := h.auth.Authenticate(request.Context(), req.Username, req.Password)
-		if authErr != nil {
-			h.respondJSON(writer, request,
-				map[string]string{"error": "invalid credentials"},
-				http.StatusUnauthorized)
-
-			return
-		}
-
-		sessionErr := h.auth.CreateSession(writer, request, user)
-		if sessionErr != nil {
-			h.log.Error("api: failed to create session", "error", sessionErr)
-			h.respondJSON(writer, request,
-				map[string]string{"error": "failed to create session"},
-				http.StatusInternalServerError)
-
-			return
-		}
-
-		h.respondJSON(writer, request, loginResponse{
-			UserID:   user.ID,
-			Username: user.Username,
-		}, http.StatusOK)
-	}
-}
-
 // HandleAPIListApps returns a handler that lists all apps as JSON.
 func (h *Handlers) HandleAPIListApps() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -352,6 +294,59 @@ func (h *Handlers) HandleAPITriggerDeploy() http.HandlerFunc {
 	}
 }
 
+// HandleAPICreateToken returns a handler that creates an API token.
+func (h *Handlers) HandleAPICreateToken() http.HandlerFunc {
+	type createTokenRequest struct {
+		Name string `json:"name"`
+	}
+
+	type createTokenResponse struct {
+		Token string `json:"token"`
+		Name  string `json:"name"`
+		ID    int64  `json:"id"`
+	}
+
+	return func(writer http.ResponseWriter, request *http.Request) {
+		user := middleware.APIUserFromContext(request.Context())
+		if user == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "unauthorized"},
+				http.StatusUnauthorized)
+
+			return
+		}
+
+		var req createTokenRequest
+
+		decodeErr := json.NewDecoder(request.Body).Decode(&req)
+		if decodeErr != nil {
+			req.Name = "default"
+		}
+
+		if req.Name == "" {
+			req.Name = "default"
+		}
+
+		rawToken, token, err := models.GenerateAPIToken(
+			request.Context(), h.db, user.ID, req.Name,
+		)
+		if err != nil {
+			h.log.Error("api: failed to create token", "error", err)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to create token"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request, createTokenResponse{
+			Token: rawToken,
+			Name:  token.Name,
+			ID:    token.ID,
+		}, http.StatusCreated)
+	}
+}
+
 // HandleAPIWhoAmI returns a handler that shows the current authenticated user.
 func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
 	type whoAmIResponse struct {
@@ -360,8 +355,8 @@ func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
 	}
 
 	return func(writer http.ResponseWriter, request *http.Request) {
-		user, err := h.auth.GetCurrentUser(request.Context(), request)
-		if err != nil || user == nil {
+		user := middleware.APIUserFromContext(request.Context())
+		if user == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "unauthorized"},
 				http.StatusUnauthorized)

internal/handlers/api_test.go

@@ -10,64 +10,34 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 
-// apiRouter builds a chi router with the API routes using session auth middleware.
-func apiRouter(tc *testContext) http.Handler {
-	r := chi.NewRouter()
-
-	r.Route("/api/v1", func(apiR chi.Router) {
-		apiR.Post("/login", tc.handlers.HandleAPILoginPOST())
-
-		apiR.Group(func(apiR chi.Router) {
-			apiR.Use(tc.middleware.APISessionAuth())
-			apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
-			apiR.Get("/apps", tc.handlers.HandleAPIListApps())
-			apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
-			apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
-			apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
-			apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
-			apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
-		})
-	})
-
-	return r
-}
-
-// setupAPITest creates a test context with a user and returns session cookies.
-func setupAPITest(t *testing.T) (*testContext, []*http.Cookie) {
+func setupAPITest(t *testing.T) (*testContext, string) {
 	t.Helper()
 
 	tc := setupTestHandlers(t)
 
-	// Create a user.
+	// Create a user first.
 	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
 	require.NoError(t, err)
 
-	// Login via the API to get session cookies.
-	r := apiRouter(tc)
+	user, err := models.FindUserByUsername(t.Context(), tc.database, "admin")
+	require.NoError(t, err)
+	require.NotNil(t, user)
 
-	loginBody := `{"username":"admin","password":"password123"}`
-	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(loginBody))
-	req.Header.Set("Content-Type", "application/json")
+	// Generate an API token.
+	rawToken, _, err := models.GenerateAPIToken(t.Context(), tc.database, user.ID, "test")
+	require.NoError(t, err)
 
-	rr := httptest.NewRecorder()
-	r.ServeHTTP(rr, req)
-
-	require.Equal(t, http.StatusOK, rr.Code)
-
-	cookies := rr.Result().Cookies()
-	require.NotEmpty(t, cookies, "login should return session cookies")
-
-	return tc, cookies
+	return tc, rawToken
 }
 
-// apiRequest makes an authenticated API request using session cookies.
 func apiRequest(
 	t *testing.T,
 	tc *testContext,
-	cookies []*http.Cookie,
-	method, path string,
+	token, method, path string,
 	body string,
 ) *httptest.ResponseRecorder {
 	t.Helper()
@@ -80,102 +50,64 @@ func apiRequest(
 		req = httptest.NewRequest(method, path, nil)
 	}
 
-	for _, c := range cookies {
-		req.AddCookie(c)
-	}
+	req.Header.Set("Authorization", "Bearer "+token)
 
 	rr := httptest.NewRecorder()
 
-	r := apiRouter(tc)
+	// Build a chi router with API routes.
+	r := chi.NewRouter()
+	mw := tc.middleware
+
+	r.Route("/api/v1", func(apiR chi.Router) {
+		apiR.Use(mw.APITokenAuth())
+		apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
+		apiR.Post("/tokens", tc.handlers.HandleAPICreateToken())
+		apiR.Get("/apps", tc.handlers.HandleAPIListApps())
+		apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
+		apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
+		apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
+		apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
+		apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
+	})
+
 	r.ServeHTTP(rr, req)
 
 	return rr
 }
 
-func TestAPILoginSuccess(t *testing.T) {
+func TestAPIAuthRejectsNoToken(t *testing.T) {
 	t.Parallel()
 
 	tc := setupTestHandlers(t)
 
-	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
-	require.NoError(t, err)
-
-	r := apiRouter(tc)
-
-	body := `{"username":"admin","password":"password123"}`
-	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
-	req.Header.Set("Content-Type", "application/json")
-
-	rr := httptest.NewRecorder()
-	r.ServeHTTP(rr, req)
-
-	assert.Equal(t, http.StatusOK, rr.Code)
-
-	var resp map[string]any
-	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
-	assert.Equal(t, "admin", resp["username"])
-
-	// Should have a Set-Cookie header.
-	assert.NotEmpty(t, rr.Result().Cookies())
-}
-
-func TestAPILoginInvalidCredentials(t *testing.T) {
-	t.Parallel()
-
-	tc := setupTestHandlers(t)
-
-	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
-	require.NoError(t, err)
-
-	r := apiRouter(tc)
-
-	body := `{"username":"admin","password":"wrong"}`
-	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
-	req.Header.Set("Content-Type", "application/json")
-
-	rr := httptest.NewRecorder()
-	r.ServeHTTP(rr, req)
-
-	assert.Equal(t, http.StatusUnauthorized, rr.Code)
-}
-
-func TestAPILoginMissingFields(t *testing.T) {
-	t.Parallel()
-
-	tc := setupTestHandlers(t)
-
-	r := apiRouter(tc)
-
-	body := `{"username":"","password":""}`
-	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
-	req.Header.Set("Content-Type", "application/json")
-
-	rr := httptest.NewRecorder()
-	r.ServeHTTP(rr, req)
-
-	assert.Equal(t, http.StatusBadRequest, rr.Code)
-}
-
-func TestAPIRejectsUnauthenticated(t *testing.T) {
-	t.Parallel()
-
-	tc := setupTestHandlers(t)
-
-	r := apiRouter(tc)
-
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
 	rr := httptest.NewRecorder()
-	r.ServeHTTP(rr, req)
 
+	r := chi.NewRouter()
+	r.Route("/api/v1", func(apiR chi.Router) {
+		apiR.Use(tc.middleware.APITokenAuth())
+		apiR.Get("/apps", tc.handlers.HandleAPIListApps())
+	})
+
+	r.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func TestAPIAuthRejectsInvalidToken(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	rr := apiRequest(t, tc, "invalid-token", http.MethodGet, "/api/v1/apps", "")
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }
 
 func TestAPIWhoAmI(t *testing.T) {
 	t.Parallel()
 
-	tc, cookies := setupAPITest(t)
+	tc, token := setupAPITest(t)
 
-	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/whoami", "")
+	rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/whoami", "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 
 	var resp map[string]any
@@ -186,9 +118,9 @@ func TestAPIWhoAmI(t *testing.T) {
 func TestAPIListAppsEmpty(t *testing.T) {
 	t.Parallel()
 
-	tc, cookies := setupAPITest(t)
+	tc, token := setupAPITest(t)
 
-	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps", "")
+	rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps", "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 
 	var apps []any
@@ -199,10 +131,10 @@ func TestAPIListAppsEmpty(t *testing.T) {
 func TestAPICreateApp(t *testing.T) {
 	t.Parallel()
 
-	tc, cookies := setupAPITest(t)
+	tc, token := setupAPITest(t)
 
 	body := `{"name":"test-app","repoUrl":"https://github.com/example/repo"}`
-	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
 	assert.Equal(t, http.StatusCreated, rr.Code)
 
 	var app map[string]any
@@ -214,20 +146,22 @@ func TestAPICreateApp(t *testing.T) {
 func TestAPICreateAppValidation(t *testing.T) {
 	t.Parallel()
 
-	tc, cookies := setupAPITest(t)
+	tc, token := setupAPITest(t)
 
+	// Missing required fields.
 	body := `{"name":"","repoUrl":""}`
-	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
 }
 
 func TestAPIGetApp(t *testing.T) {
 	t.Parallel()
 
-	tc, cookies := setupAPITest(t)
+	tc, token := setupAPITest(t)
 
+	// Create an app first.
 	body := `{"name":"my-app","repoUrl":"https://github.com/example/repo"}`
-	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
 	require.Equal(t, http.StatusCreated, rr.Code)
 
 	var created map[string]any
@@ -236,7 +170,8 @@ func TestAPIGetApp(t *testing.T) {
 	appID, ok := created["id"].(string)
 	require.True(t, ok)
 
-	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
+	// Get the app.
+	rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 
 	var app map[string]any
@@ -247,19 +182,20 @@ func TestAPIGetApp(t *testing.T) {
 func TestAPIGetAppNotFound(t *testing.T) {
 	t.Parallel()
 
-	tc, cookies := setupAPITest(t)
+	tc, token := setupAPITest(t)
 
-	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/nonexistent", "")
+	rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/nonexistent", "")
 	assert.Equal(t, http.StatusNotFound, rr.Code)
 }
 
 func TestAPIDeleteApp(t *testing.T) {
 	t.Parallel()
 
-	tc, cookies := setupAPITest(t)
+	tc, token := setupAPITest(t)
 
+	// Create an app.
 	body := `{"name":"delete-me","repoUrl":"https://github.com/example/repo"}`
-	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
 	require.Equal(t, http.StatusCreated, rr.Code)
 
 	var created map[string]any
@@ -268,20 +204,23 @@ func TestAPIDeleteApp(t *testing.T) {
 	appID, ok := created["id"].(string)
 	require.True(t, ok)
 
-	rr = apiRequest(t, tc, cookies, http.MethodDelete, "/api/v1/apps/"+appID, "")
+	// Delete it.
+	rr = apiRequest(t, tc, token, http.MethodDelete, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 
-	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
+	// Verify it's gone.
+	rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusNotFound, rr.Code)
 }
 
 func TestAPIListDeployments(t *testing.T) {
 	t.Parallel()
 
-	tc, cookies := setupAPITest(t)
+	tc, token := setupAPITest(t)
 
+	// Create an app.
 	body := `{"name":"deploy-app","repoUrl":"https://github.com/example/repo"}`
-	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
 	require.Equal(t, http.StatusCreated, rr.Code)
 
 	var created map[string]any
@@ -290,10 +229,26 @@ func TestAPIListDeployments(t *testing.T) {
 	appID, ok := created["id"].(string)
 	require.True(t, ok)
 
-	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
+	// List deployments (should be empty).
+	rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 
 	var deployments []any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &deployments))
 	assert.Empty(t, deployments)
 }
+
+func TestAPICreateToken(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	body := `{"name":"new-token"}`
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/tokens", body)
+	assert.Equal(t, http.StatusCreated, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "new-token", resp["name"])
+	assert.NotEmpty(t, resp["token"])
+}

internal/handlers/handlers_test.go

@@ -173,6 +173,7 @@ func setupTestHandlers(t *testing.T) *testContext {
 		Globals:  globalInstance,
 		Config:   cfg,
 		Auth:     authSvc,
+		Database: dbInstance,
 	})
 	require.NoError(t, mwErr)
 

internal/middleware/middleware.go

@@ -2,6 +2,7 @@
 package middleware
 
 import (
+	"context"
 	"log/slog"
 	"math"
 	"net"
@@ -19,14 +20,19 @@ import (
 	"golang.org/x/time/rate"
 
 	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
 	"git.eeqj.de/sneak/upaas/internal/globals"
 	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
 	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )
 
 // corsMaxAge is the maximum age for CORS preflight responses in seconds.
 const corsMaxAge = 300
 
+// apiUserContextKey is the context key for the authenticated API user.
+type apiUserContextKey struct{}
+
 // Params contains dependencies for Middleware.
 type Params struct {
 	fx.In
@@ -35,6 +41,7 @@ type Params struct {
 	Globals  *globals.Globals
 	Config   *config.Config
 	Auth     *auth.Service
+	Database *database.Database
 }
 
 // Middleware provides HTTP middleware.
@@ -339,27 +346,74 @@ func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
 	}
 }
 
-// APISessionAuth returns middleware that requires session authentication for API routes.
-// Unlike SessionAuth, it returns JSON 401 responses instead of redirecting to /login.
-func (m *Middleware) APISessionAuth() func(http.Handler) http.Handler {
+// APITokenAuth returns middleware that authenticates requests via Bearer token.
+// It looks up the token hash in the database and stores the user in context.
+func (m *Middleware) APITokenAuth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(
 			writer http.ResponseWriter,
 			request *http.Request,
 		) {
-			user, err := m.params.Auth.GetCurrentUser(request.Context(), request)
-			if err != nil || user == nil {
-				writer.Header().Set("Content-Type", "application/json")
-				http.Error(writer, `{"error":"unauthorized"}`, http.StatusUnauthorized)
+			authHeader := request.Header.Get("Authorization")
+			if authHeader == "" {
+				http.Error(writer, `{"error":"missing Authorization header"}`, http.StatusUnauthorized)
 
 				return
 			}
 
-			next.ServeHTTP(writer, request)
+			const bearerPrefix = "Bearer "
+			if !strings.HasPrefix(authHeader, bearerPrefix) {
+				http.Error(writer, `{"error":"invalid Authorization header"}`, http.StatusUnauthorized)
+
+				return
+			}
+
+			rawToken := strings.TrimPrefix(authHeader, bearerPrefix)
+			if rawToken == "" {
+				http.Error(writer, `{"error":"empty token"}`, http.StatusUnauthorized)
+
+				return
+			}
+
+			hash := models.HashAPIToken(rawToken)
+
+			apiToken, err := models.FindAPITokenByHash(request.Context(), m.params.Database, hash)
+			if err != nil {
+				m.log.Error("api token lookup error", "error", err)
+				http.Error(writer, `{"error":"internal server error"}`, http.StatusInternalServerError)
+
+				return
+			}
+
+			if apiToken == nil {
+				http.Error(writer, `{"error":"invalid token"}`, http.StatusUnauthorized)
+
+				return
+			}
+
+			// Touch last used (best-effort, don't block on error)
+			_ = apiToken.TouchLastUsed(request.Context())
+
+			user, userErr := models.FindUser(request.Context(), m.params.Database, apiToken.UserID)
+			if userErr != nil || user == nil {
+				http.Error(writer, `{"error":"token user not found"}`, http.StatusUnauthorized)
+
+				return
+			}
+
+			ctx := context.WithValue(request.Context(), apiUserContextKey{}, user)
+			next.ServeHTTP(writer, request.WithContext(ctx))
 		})
 	}
 }
 
+// APIUserFromContext extracts the authenticated API user from the context.
+func APIUserFromContext(ctx context.Context) *models.User {
+	user, _ := ctx.Value(apiUserContextKey{}).(*models.User)
+
+	return user
+}
+
 // SetupRequired returns middleware that redirects to setup if no user exists.
 func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {

internal/models/api_token.go

@@ -0,0 +1,187 @@
+package models
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"database/sql"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"time"
+
+	"git.eeqj.de/sneak/upaas/internal/database"
+)
+
+// tokenBytes is the number of random bytes for a raw API token.
+const tokenBytes = 32
+
+// APIToken represents an API authentication token.
+type APIToken struct {
+	db *database.Database
+
+	ID         int64
+	UserID     int64
+	Name       string
+	TokenHash  string
+	CreatedAt  time.Time
+	LastUsedAt sql.NullTime
+}
+
+// NewAPIToken creates a new APIToken with a database reference.
+func NewAPIToken(db *database.Database) *APIToken {
+	return &APIToken{db: db}
+}
+
+// GenerateAPIToken creates a new API token for a user, returning the raw token
+// string (shown once) and the persisted APIToken record.
+func GenerateAPIToken(
+	ctx context.Context,
+	db *database.Database,
+	userID int64,
+	name string,
+) (string, *APIToken, error) {
+	raw := make([]byte, tokenBytes)
+
+	_, err := rand.Read(raw)
+	if err != nil {
+		return "", nil, fmt.Errorf("generating token bytes: %w", err)
+	}
+
+	rawHex := hex.EncodeToString(raw)
+	hash := HashAPIToken(rawHex)
+
+	token := NewAPIToken(db)
+	token.UserID = userID
+	token.Name = name
+	token.TokenHash = hash
+
+	query := `INSERT INTO api_tokens (user_id, name, token_hash) VALUES (?, ?, ?)`
+
+	result, execErr := db.Exec(ctx, query, userID, name, hash)
+	if execErr != nil {
+		return "", nil, fmt.Errorf("inserting api token: %w", execErr)
+	}
+
+	id, idErr := result.LastInsertId()
+	if idErr != nil {
+		return "", nil, fmt.Errorf("getting token id: %w", idErr)
+	}
+
+	token.ID = id
+
+	reloadErr := token.Reload(ctx)
+	if reloadErr != nil {
+		return "", nil, fmt.Errorf("reloading token: %w", reloadErr)
+	}
+
+	return rawHex, token, nil
+}
+
+// HashAPIToken returns the SHA-256 hex digest of a raw token string.
+func HashAPIToken(raw string) string {
+	sum := sha256.Sum256([]byte(raw))
+
+	return hex.EncodeToString(sum[:])
+}
+
+// Reload refreshes the token from the database.
+func (t *APIToken) Reload(ctx context.Context) error {
+	row := t.db.QueryRow(ctx,
+		`SELECT id, user_id, name, token_hash, created_at, last_used_at
+		 FROM api_tokens WHERE id = ?`, t.ID,
+	)
+
+	return t.scan(row)
+}
+
+// Delete removes the token from the database.
+func (t *APIToken) Delete(ctx context.Context) error {
+	_, err := t.db.Exec(ctx, "DELETE FROM api_tokens WHERE id = ?", t.ID)
+
+	return err
+}
+
+// TouchLastUsed updates the last_used_at timestamp.
+func (t *APIToken) TouchLastUsed(ctx context.Context) error {
+	_, err := t.db.Exec(ctx,
+		"UPDATE api_tokens SET last_used_at = CURRENT_TIMESTAMP WHERE id = ?",
+		t.ID,
+	)
+
+	return err
+}
+
+func (t *APIToken) scan(row *sql.Row) error {
+	return row.Scan(
+		&t.ID, &t.UserID, &t.Name, &t.TokenHash,
+		&t.CreatedAt, &t.LastUsedAt,
+	)
+}
+
+// FindAPITokenByHash looks up a token by its SHA-256 hash.
+//
+//nolint:nilnil // returning nil,nil is idiomatic for "not found" in Active Record
+func FindAPITokenByHash(
+	ctx context.Context,
+	db *database.Database,
+	hash string,
+) (*APIToken, error) {
+	token := NewAPIToken(db)
+
+	row := db.QueryRow(ctx,
+		`SELECT id, user_id, name, token_hash, created_at, last_used_at
+		 FROM api_tokens WHERE token_hash = ?`, hash,
+	)
+
+	err := token.scan(row)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, nil
+		}
+
+		return nil, fmt.Errorf("scanning api token: %w", err)
+	}
+
+	return token, nil
+}
+
+// FindAPITokensByUserID returns all tokens for a user.
+func FindAPITokensByUserID(
+	ctx context.Context,
+	db *database.Database,
+	userID int64,
+) ([]*APIToken, error) {
+	rows, err := db.Query(ctx,
+		`SELECT id, user_id, name, token_hash, created_at, last_used_at
+		 FROM api_tokens WHERE user_id = ? ORDER BY created_at DESC`, userID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("querying api tokens: %w", err)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var tokens []*APIToken
+
+	for rows.Next() {
+		tok := NewAPIToken(db)
+
+		scanErr := rows.Scan(
+			&tok.ID, &tok.UserID, &tok.Name, &tok.TokenHash,
+			&tok.CreatedAt, &tok.LastUsedAt,
+		)
+		if scanErr != nil {
+			return nil, fmt.Errorf("scanning api token row: %w", scanErr)
+		}
+
+		tokens = append(tokens, tok)
+	}
+
+	rowsErr := rows.Err()
+	if rowsErr != nil {
+		return nil, fmt.Errorf("iterating api token rows: %w", rowsErr)
+	}
+
+	return tokens, nil
+}

internal/server/routes.go

@@ -98,16 +98,12 @@ func (s *Server) SetupRoutes() {
 		})
 	})
 
-	// API v1 routes (cookie-based session auth, no CSRF)
+	// API v1 routes (Bearer token auth, no CSRF)
 	s.router.Route("/api/v1", func(r chi.Router) {
-		// Login endpoint is public (returns session cookie)
-		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST())
-
-		// All other API routes require session auth
-		r.Group(func(r chi.Router) {
-			r.Use(s.mw.APISessionAuth())
+		r.Use(s.mw.APITokenAuth())
 
 		r.Get("/whoami", s.handlers.HandleAPIWhoAmI())
+		r.Post("/tokens", s.handlers.HandleAPICreateToken())
 
 		r.Get("/apps", s.handlers.HandleAPIListApps())
 		r.Post("/apps", s.handlers.HandleAPICreateApp())
@@ -116,7 +112,6 @@ func (s *Server) SetupRoutes() {
 		r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy())
 		r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
 	})
-	})
 
 	// Metrics endpoint (optional, with basic auth)
 	if s.params.Config.MetricsUsername != "" {