feat: add JSON API with token auth (closes #69) #74

Merged
sneak merged 5 commits from feature/json-api into main 2026-02-16 09:51:48 +01:00
Collaborator

Summary

Implements a REST JSON API at /api/v1/ with Bearer token authentication.

New files

  • internal/database/migrations/006_add_api_tokens.sql — API tokens table
  • internal/models/api_token.go — APIToken model (SHA-256 hashed tokens)
  • internal/handlers/api.go — API endpoint handlers
  • internal/handlers/api_test.go — 11 tests covering all endpoints

Modified files

  • internal/middleware/middleware.go — APITokenAuth middleware + APIUserFromContext
  • internal/server/routes.go — wire up /api/v1/ route group
  • internal/handlers/handlers_test.go — add middleware to test context

Endpoints

| Method | Path | Description |
|--------|------|-------------|
| GET | /api/v1/whoami | Current user info |
| POST | /api/v1/tokens | Create API token |
| GET | /api/v1/apps | List all apps |
| POST | /api/v1/apps | Create app |
| GET | /api/v1/apps/{id} | Get app details |
| DELETE | /api/v1/apps/{id} | Delete app |
| POST | /api/v1/apps/{id}/deploy | Trigger deployment |
| GET | /api/v1/apps/{id}/deployments | List deployments |

CI Results

  • go test -race ./... — all tests pass
  • golangci-lint run — 0 issues

Closes #69

sneak was assigned by clawbot 2026-02-16 09:20:56 +01:00
clawbot added 1 commit 2026-02-16 09:20:58 +01:00
- Add API token model with SHA-256 hashed tokens
- Add migration 006_add_api_tokens.sql
- Add Bearer token auth middleware
- Add API endpoints under /api/v1/:
  - GET /whoami
  - POST /tokens (create new API token)
  - GET /apps (list all apps)
  - POST /apps (create app)
  - GET /apps/{id} (get app)
  - DELETE /apps/{id} (delete app)
  - POST /apps/{id}/deploy (trigger deployment)
  - GET /apps/{id}/deployments (list deployments)
- Add comprehensive tests for all API endpoints
- All tests pass, zero lint issues
Owner

switch this to cookie-based authentication. api clients can POST to the login endpoint and get a cookie like a browser.

sneak added 1 commit 2026-02-16 09:24:27 +01:00
clawbot was assigned by sneak 2026-02-16 09:28:04 +01:00
sneak removed their assignment 2026-02-16 09:28:06 +01:00
Owner

@clawbot we don't want bearer auth

Author
Collaborator

Understood — removing all bearer/token auth. Sub-agent is already working on switching to cookie-based session auth (same as the web UI). Will force-push shortly.

clawbot force-pushed feature/json-api from 81c109914b to 9ac1d25788 2026-02-16 09:31:16 +01:00 Compare
Author
Collaborator

Switched to cookie-based session auth per your review.

Changes

  • Removed API token system entirely (model, migration 006, APITokenAuth middleware, APIUserFromContext)
  • Added migration 007_drop_api_tokens.sql to clean up the table
  • Added POST /api/v1/login — accepts JSON {"username","password"}, sets session cookie, returns user info
  • All /api/v1/* routes now use APISessionAuth middleware (same session cookies as web UI, returns JSON 401 instead of redirect)
  • Removed /api/v1/tokens endpoint
  • HandleAPIWhoAmI now reads user from session instead of token context
  • Updated all 12 API tests to use cookie-based auth flow

CI Results

  • make test — all tests pass
  • golangci-lint run ./... — 0 issues
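
The behaviour this comment describes for `APISessionAuth` (same session cookie as the web UI, JSON 401 instead of a redirect), as an added Go example that is not code from this PR. `requireSession`, the in-memory `sessions` store, the `session` cookie name and the `/login` path are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

var sessions sync.Map // session ID -> username; stand-in for the app's session store
var whoami = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })

// requireSession runs next only for a known session cookie; otherwise deny answers.
func requireSession(next, deny http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ck, err := r.Cookie("session"); err == nil { // cookie name is an assumption
			if _, ok := sessions.Load(ck.Value); ok {
				next.ServeHTTP(w, r)
				return
			}
		}
		deny.ServeHTTP(w, r)
	})
}

// Denial handlers: the web UI redirects to the login page; the API returns JSON 401,
// so a client never follows the redirect and parses login HTML as an API response.
var redirectToLogin = http.RedirectHandler("/login", http.StatusSeeOther)
var jsonUnauthorized = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusUnauthorized)
	fmt.Fprintln(w, `{"error":"unauthorized"}`)
})

// status sends one GET through h, with a session cookie when sid is non-empty.
func status(h http.Handler, sid string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/whoami", nil)
	if sid != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sid})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	sessions.Store("constructed-session-id", "admin") // constructed sample session
	web, api := requireSession(whoami, redirectToLogin), requireSession(whoami, jsonUnauthorized)
	fmt.Println(status(web, ""), status(api, ""), status(api, "constructed-session-id"))
}
```
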
Owner

remove the drop migration - migration 6 was never deployed

sneak added 1 commit 2026-02-16 09:33:14 +01:00
clawbot added 1 commit 2026-02-16 09:34:09 +01:00
Author
Collaborator

Removed both undeployed migrations: 006_add_api_tokens.sql (create) and 007_drop_api_tokens.sql (drop). No Go code referenced api_tokens. Remaining migrations are sequential 001–006.

make test — all passing
golangci-lint run ./... — 0 issues

sneak added 1 commit 2026-02-16 09:51:39 +01:00
sneak merged commit 38a744b489 into main 2026-02-16 09:51:48 +01:00
Reference: sneak/upaas#74