feat(ops-auth): add scoped API token auth across ops endpoints

2026-05-19 22:24:37 +00:00
parent 53d7c5350e
commit 77c1738390
47 changed files with 909 additions and 511 deletions
@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';

 export class ApiTokenHandler {
  constructor(private opsServerRef: OpsServer) {
@@ -17,6 +18,11 @@ export class ApiTokenHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateApiToken>(
        'createApiToken',
        async (dataArg) => {
+          const auth = await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'tokens:manage',
+            requireAdminIdentity: true,
+            requireAdminToken: true,
+          });
          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
          if (!manager) {
            return { success: false, message: 'Token management not initialized' };
@@ -25,7 +31,7 @@ export class ApiTokenHandler {
            dataArg.name,
            dataArg.scopes,
            dataArg.expiresInDays ?? null,
-            dataArg.identity.userId,
+            auth.userId,
            dataArg.policy,
          );
          return { success: true, tokenId: result.id, tokenValue: result.rawToken };
@@ -38,6 +44,11 @@ export class ApiTokenHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListApiTokens>(
        'listApiTokens',
        async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'tokens:read',
+            requireAdminIdentity: true,
+            requireAdminToken: true,
+          });
          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
          if (!manager) {
            return { tokens: [] };
@@ -52,6 +63,11 @@ export class ApiTokenHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RevokeApiToken>(
        'revokeApiToken',
        async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'tokens:manage',
+            requireAdminIdentity: true,
+            requireAdminToken: true,
+          });
          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
          if (!manager) {
            return { success: false, message: 'Token management not initialized' };
@@ -67,6 +83,11 @@ export class ApiTokenHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RollApiToken>(
        'rollApiToken',
        async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'tokens:manage',
+            requireAdminIdentity: true,
+            requireAdminToken: true,
+          });
          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
          if (!manager) {
            return { success: false, message: 'Token management not initialized' };
@@ -85,6 +106,11 @@ export class ApiTokenHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ToggleApiToken>(
        'toggleApiToken',
        async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'tokens:manage',
+            requireAdminIdentity: true,
+            requireAdminToken: true,
+          });
          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
          if (!manager) {
            return { success: false, message: 'Token management not initialized' };