HomeLab/ForgeBucket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
822f723ff1d493206fc86649644defd7d48cc4c0
ForgeBucket/internal/api/handlers/tokens.go
T
erangel1 35afa8d8f1 fixed PR issue
2026-05-11 23:56:45 +02:00

182 lines
4.7 KiB
Go
Raw Blame History

package handlers
import (
"encoding/json"
"net/http"
"strconv"
"strings"
"time"
"github.com/go-chi/chi/v5"
"xorm.io/xorm"
"github.com/forgeo/forgebucket/internal/api/middleware"
"github.com/forgeo/forgebucket/internal/models"
)
type AccessTokenHandler struct{ db *xorm.Engine }
func NewAccessTokenHandler(db *xorm.Engine) *AccessTokenHandler {
return &AccessTokenHandler{db: db}
}
type accessTokenResponse struct {
ID int64 `json:"id"`
Title string `json:"title"`
Scopes string `json:"scopes"`
ExpiresAt *string `json:"expiresAt"`
CreatedAt string `json:"createdAt"`
Token string `json:"token,omitempty"` // only on creation
}
func (h *AccessTokenHandler) lookupRepo(w http.ResponseWriter, r *http.Request) (*models.Repository, bool) {
return resolveRepo(h.db, w, r)
}
func (h *AccessTokenHandler) canManage(repo *models.Repository, callerID int64) bool {
if callerID == repo.OwnerID {
return true
}
var m models.RepoMember
found, _ := h.db.Where("repo_id = ? AND user_id = ? AND permission = 'admin'", repo.ID, callerID).Get(&m)
return found
}
func (h *AccessTokenHandler) List(w http.ResponseWriter, r *http.Request) {
repo, ok := h.lookupRepo(w, r)
if !ok {
return
}
var tokens []models.RepoAccessToken
h.db.Where("repo_id = ?", repo.ID).OrderBy("created_at desc").Find(&tokens)
resp := make([]accessTokenResponse, 0, len(tokens))
for _, t := range tokens {
var exp *string
if t.ExpiresAt != nil {
s := t.ExpiresAt.Format("2006-01-02")
exp = &s
}
resp = append(resp, accessTokenResponse{
ID: t.ID,
Title: t.Title,
Scopes: t.Scopes,
ExpiresAt: exp,
CreatedAt: t.CreatedAt.Format(time.RFC3339),
})
}
jsonOK(w, resp)
}
func (h *AccessTokenHandler) Create(w http.ResponseWriter, r *http.Request) {
repo, ok := h.lookupRepo(w, r)
if !ok {
return
}
callerID, _ := middleware.UserIDFromContext(r.Context())
if !h.canManage(repo, callerID) {
jsonError(w, "only the owner or an admin can manage access tokens", http.StatusForbidden)
return
}
var body struct {
Title string `json:"title"`
Scopes string `json:"scopes"` // "read" | "read,write"
ExpiresAt string `json:"expiresAt"` // "2026-12-31" or ""
}
if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Title == "" {
jsonError(w, "title is required", http.StatusBadRequest)
return
}
if body.Scopes == "" {
body.Scopes = "read"
}
var expiresAt *time.Time
if body.ExpiresAt != "" {
t, err := time.Parse("2006-01-02", body.ExpiresAt)
if err != nil {
jsonError(w, "invalid expiresAt format; use YYYY-MM-DD", http.StatusBadRequest)
return
}
t = t.UTC()
expiresAt = &t
}
raw, hash, err := generateToken("fbat_")
if err != nil {
jsonError(w, "could not generate token", http.StatusInternalServerError)
return
}
token := &models.RepoAccessToken{
RepoID: repo.ID,
CreatorID: callerID,
Title: body.Title,
TokenHash: hash,
Scopes: body.Scopes,
ExpiresAt: expiresAt,
}
if _, err := h.db.Insert(token); err != nil {
jsonError(w, "could not save token", http.StatusInternalServerError)
return
}
var exp *string
if expiresAt != nil {
s := expiresAt.Format("2006-01-02")
exp = &s
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusCreated)
json.NewEncoder(w).Encode(accessTokenResponse{
ID: token.ID,
Title: token.Title,
Scopes: token.Scopes,
ExpiresAt: exp,
CreatedAt: token.CreatedAt.Format(time.RFC3339),
Token: raw,
})
}
func (h *AccessTokenHandler) Delete(w http.ResponseWriter, r *http.Request) {
repo, ok := h.lookupRepo(w, r)
if !ok {
return
}
callerID, _ := middleware.UserIDFromContext(r.Context())
if !h.canManage(repo, callerID) {
jsonError(w, "only the owner or an admin can manage access tokens", http.StatusForbidden)
return
}
tokenID, err := strconv.ParseInt(chi.URLParam(r, "tokenID"), 10, 64)
if err != nil {
jsonError(w, "invalid token ID", http.StatusBadRequest)
return
}
h.db.Where("id = ? AND repo_id = ?", tokenID, repo.ID).Delete(&models.RepoAccessToken{})
w.WriteHeader(http.StatusNoContent)
}
// LookupAccessToken validates a Bearer token and returns the creator's userID.
// Returns (userID, repoID, hasWrite, ok).
func LookupAccessToken(db *xorm.Engine, rawToken string) (userID, repoID int64, hasWrite bool, ok bool) {
if !strings.HasPrefix(rawToken, "fbat_") {
return
}
hash := sha256Hex(rawToken)
var t models.RepoAccessToken
found, _ := db.Where("token_hash = ?", hash).Get(&t)
if !found {
return
}
if t.ExpiresAt != nil && t.ExpiresAt.Before(time.Now()) {
return
}
now := time.Now()
t.LastUsed = &now
db.ID(t.ID).Cols("last_used_at").Update(&t)
hasWrite = strings.Contains(t.Scopes, "write")
return t.CreatorID, t.RepoID, hasWrite, true
}
Reference in New Issue View Git Blame Copy Permalink