security sections are fully functional

2026-05-07 15:06:45 +02:00
parent 5e60b814ed
commit 53aa5cbbf5
20 changed files with 946 additions and 41 deletions
@@ -0,0 +1,193 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"xorm.io/xorm"
+
+	"github.com/forgeo/forgebucket/internal/api/middleware"
+	"github.com/forgeo/forgebucket/internal/models"
+)
+
+type AccessTokenHandler struct{ db *xorm.Engine }
+
+func NewAccessTokenHandler(db *xorm.Engine) *AccessTokenHandler {
+	return &AccessTokenHandler{db: db}
+}
+
+type accessTokenResponse struct {
+	ID        int64   `json:"id"`
+	Title     string  `json:"title"`
+	Scopes    string  `json:"scopes"`
+	ExpiresAt *string `json:"expiresAt"`
+	CreatedAt string  `json:"createdAt"`
+	Token     string  `json:"token,omitempty"` // only on creation
+}
+
+func (h *AccessTokenHandler) lookupRepo(w http.ResponseWriter, r *http.Request) (*models.Repository, bool) {
+	ownerName := chi.URLParam(r, "owner")
+	repoName := chi.URLParam(r, "repo")
+	var owner models.User
+	if found, _ := h.db.Where("username = ?", ownerName).Get(&owner); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, false
+	}
+	var repo models.Repository
+	if found, _ := h.db.Where("owner_id = ? AND name = ?", owner.ID, repoName).Get(&repo); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, false
+	}
+	return &repo, true
+}
+
+func (h *AccessTokenHandler) canManage(repo *models.Repository, callerID int64) bool {
+	if callerID == repo.OwnerID {
+		return true
+	}
+	var m models.RepoMember
+	found, _ := h.db.Where("repo_id = ? AND user_id = ? AND permission = 'admin'", repo.ID, callerID).Get(&m)
+	return found
+}
+
+func (h *AccessTokenHandler) List(w http.ResponseWriter, r *http.Request) {
+	repo, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	var tokens []models.RepoAccessToken
+	h.db.Where("repo_id = ?", repo.ID).OrderBy("created_at desc").Find(&tokens)
+	resp := make([]accessTokenResponse, 0, len(tokens))
+	for _, t := range tokens {
+		var exp *string
+		if t.ExpiresAt != nil {
+			s := t.ExpiresAt.Format("2006-01-02")
+			exp = &s
+		}
+		resp = append(resp, accessTokenResponse{
+			ID:        t.ID,
+			Title:     t.Title,
+			Scopes:    t.Scopes,
+			ExpiresAt: exp,
+			CreatedAt: t.CreatedAt.Format(time.RFC3339),
+		})
+	}
+	jsonOK(w, resp)
+}
+
+func (h *AccessTokenHandler) Create(w http.ResponseWriter, r *http.Request) {
+	repo, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.canManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage access tokens", http.StatusForbidden)
+		return
+	}
+
+	var body struct {
+		Title     string `json:"title"`
+		Scopes    string `json:"scopes"`    // "read" | "read,write"
+		ExpiresAt string `json:"expiresAt"` // "2026-12-31" or ""
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Title == "" {
+		jsonError(w, "title is required", http.StatusBadRequest)
+		return
+	}
+	if body.Scopes == "" {
+		body.Scopes = "read"
+	}
+
+	var expiresAt *time.Time
+	if body.ExpiresAt != "" {
+		t, err := time.Parse("2006-01-02", body.ExpiresAt)
+		if err != nil {
+			jsonError(w, "invalid expiresAt format; use YYYY-MM-DD", http.StatusBadRequest)
+			return
+		}
+		t = t.UTC()
+		expiresAt = &t
+	}
+
+	raw, hash, err := generateToken("fbat_")
+	if err != nil {
+		jsonError(w, "could not generate token", http.StatusInternalServerError)
+		return
+	}
+
+	token := &models.RepoAccessToken{
+		RepoID:    repo.ID,
+		CreatorID: callerID,
+		Title:     body.Title,
+		TokenHash: hash,
+		Scopes:    body.Scopes,
+		ExpiresAt: expiresAt,
+	}
+	if _, err := h.db.Insert(token); err != nil {
+		jsonError(w, "could not save token", http.StatusInternalServerError)
+		return
+	}
+
+	var exp *string
+	if expiresAt != nil {
+		s := expiresAt.Format("2006-01-02")
+		exp = &s
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(accessTokenResponse{
+		ID:        token.ID,
+		Title:     token.Title,
+		Scopes:    token.Scopes,
+		ExpiresAt: exp,
+		CreatedAt: token.CreatedAt.Format(time.RFC3339),
+		Token:     raw,
+	})
+}
+
+func (h *AccessTokenHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	repo, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.canManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage access tokens", http.StatusForbidden)
+		return
+	}
+
+	tokenID, err := strconv.ParseInt(chi.URLParam(r, "tokenID"), 10, 64)
+	if err != nil {
+		jsonError(w, "invalid token ID", http.StatusBadRequest)
+		return
+	}
+	h.db.Where("id = ? AND repo_id = ?", tokenID, repo.ID).Delete(&models.RepoAccessToken{})
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// LookupAccessToken validates a Bearer token and returns the creator's userID.
+// Returns (userID, repoID, hasWrite, ok).
+func LookupAccessToken(db *xorm.Engine, rawToken string) (userID, repoID int64, hasWrite bool, ok bool) {
+	if !strings.HasPrefix(rawToken, "fbat_") {
+		return
+	}
+	hash := sha256Hex(rawToken)
+	var t models.RepoAccessToken
+	found, _ := db.Where("token_hash = ?", hash).Get(&t)
+	if !found {
+		return
+	}
+	if t.ExpiresAt != nil && t.ExpiresAt.Before(time.Now()) {
+		return
+	}
+	now := time.Now()
+	t.LastUsed = &now
+	db.ID(t.ID).Cols("last_used_at").Update(&t)
+	hasWrite = strings.Contains(t.Scopes, "write")
+	return t.CreatorID, t.RepoID, hasWrite, true
+}