feat: add API token authentication (closes #87) #94

Closed

clawbot wants to merge 4 commits from feature/api-token-auth into main

pull from: feature/api-token-auth

merge into: sneak:main

sneak:main

sneak:feature/observability-improvements

sneak:feature/backup-restore-config

sneak:feature/private-registry-auth

sneak:feature/custom-healthcheck-command

sneak:feature/cpu-memory-resource-limits

sneak:fix/js-formatting

sneak:fix/module-path

sneak:fix/1.0-audit-bugs

sneak:fix/disable-api-write-methods

sneak:chore/code-cleanup

sneak:ci/check-workflow-only

sneak:fix/repo-url-validation

sneak:fix/main-lint-issues

sneak:revert/pr-98

sneak:feat/ci-make-check

sneak:ci/add-check-action

sneak:fix/deploy-cancel-cleanup

sneak:schema-consolidation

sneak:feature/json-api

sneak:chore/update-todo

sneak:feature/edit-config-entities

sneak:feature/deployment-rollback-tests

sneak:update-todo-md

sneak:feature/edit-entities

sneak:feature/deployment-rollback

sneak:feature/deploy-cancel

Conversation 6 Commits 4 Files Changed 21 +1145 -38

4 Commits

Author	SHA1	Message	Date
clawbot	e73409b567	fix: resolve lint issues for make check compliance	2026-02-19 23:43:41 -08:00
clawbot	a891fb2489	fix: increase API token entropy from 128 to 256 bits ... Change token random bytes from 16 to 32, producing tokens with upaas_ prefix + 64 hex characters instead of 32.	2026-02-19 23:43:22 -08:00
clawbot	96eea71c54	fix: set authenticated user on request context in bearer token auth ... tryBearerAuth validated the bearer token but never looked up the associated user or set it on the request context. This meant downstream handlers calling GetCurrentUser would get nil even with a valid token. Changes: - Add ContextWithUser/UserFromContext helpers in auth package - tryBearerAuth now looks up the user by token's UserID and sets it on the request context via auth.ContextWithUser - GetCurrentUser checks context first before falling back to session cookie - Add integration tests for bearer auth user context	2026-02-19 23:43:22 -08:00
clawbot	7387ba6b5c	feat: add API token authentication (closes #87) ... - Add api_tokens table migration (007) - Add APIToken model with CRUD operations - Generate tokens with upaas_ prefix + 32 hex chars - Store SHA-256 hash of tokens (not plaintext) - Update APISessionAuth middleware to check Bearer tokens - Add POST/GET/DELETE /api/v1/tokens endpoints - Token creation returns plaintext once; list never exposes it - Expired and revoked tokens are rejected - Tests for creation, listing, deletion, bearer auth, revocation	2026-02-19 23:43:22 -08:00