serve.zone/dcrouter
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(gateway-clients): add policy-based gateway client tokens and gateway client route and DNS management endpoints

Browse Source
This commit is contained in:
Jürgen Kunz
2026-05-09 11:53:45 +00:00
parent 7e3b89d9b4
commit 97505935bb
15 changed files with 604 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ts/config/classes.api-token-manager.ts
+32 -1
View File
@@ -2,6 +2,7 @@ import * as plugins from '../plugins.js';
import { logger } from '../logger.js';
import { ApiTokenDoc } from '../db/index.js';
import type {
IApiTokenPolicy,
IStoredApiToken,
IApiTokenInfo,
TApiTokenScope,
@@ -33,6 +34,7 @@ export class ApiTokenManager {
scopes: TApiTokenScope[],
expiresInDays: number | null,
createdBy: string,
policy?: IApiTokenPolicy,
): Promise<{ id: string; rawToken: string }> {
const id = plugins.uuid.v4();
const randomBytes = plugins.crypto.randomBytes(32);
@@ -47,6 +49,7 @@ export class ApiTokenManager {
name,
tokenHash,
scopes,
policy,
createdAt: now,
expiresAt: expiresInDays != null ? now + expiresInDays * 86400000 : null,
lastUsedAt: null,
@@ -87,7 +90,31 @@ export class ApiTokenManager {
* Check if a token has a specific scope.
*/
public hasScope(token: IStoredApiToken, scope: TApiTokenScope): boolean {
return token.scopes.includes(scope);
if (token.policy?.role === 'admin') return true;
const isGatewayClientToken = token.policy?.role === 'gatewayClient';
const gatewayClientAllowedScopes = new Set<TApiTokenScope>([
'gateway-clients:read',
'gateway-clients:write',
'workhosters:read',
'workhosters:write',
]);
if (isGatewayClientToken && !gatewayClientAllowedScopes.has(scope)) {
return false;
}
if (!isGatewayClientToken && token.scopes.includes('*')) return true;
const scopes = new Set<TApiTokenScope>([...token.scopes, ...(token.policy?.scopes || [])]);
if (scopes.has(scope)) return true;
const compatibilityAliases: Partial<Record<TApiTokenScope, TApiTokenScope[]>> = {
'gateway-clients:read': ['workhosters:read'],
'gateway-clients:write': ['workhosters:write'],
'workhosters:read': ['gateway-clients:read'],
'workhosters:write': ['gateway-clients:write'],
};
return Boolean(compatibilityAliases[scope]?.some((alias) => scopes.has(alias)));
}
/**
@@ -100,6 +127,7 @@ export class ApiTokenManager {
id: stored.id,
name: stored.name,
scopes: stored.scopes,
policy: stored.policy,
createdAt: stored.createdAt,
expiresAt: stored.expiresAt,
lastUsedAt: stored.lastUsedAt,
@@ -165,6 +193,7 @@ export class ApiTokenManager {
name: doc.name,
tokenHash: doc.tokenHash,
scopes: doc.scopes,
policy: doc.policy,
createdAt: doc.createdAt,
expiresAt: doc.expiresAt,
lastUsedAt: doc.lastUsedAt,
@@ -181,6 +210,7 @@ export class ApiTokenManager {
existing.name = stored.name;
existing.tokenHash = stored.tokenHash;
existing.scopes = stored.scopes;
existing.policy = stored.policy;
existing.createdAt = stored.createdAt;
existing.expiresAt = stored.expiresAt;
existing.lastUsedAt = stored.lastUsedAt;
@@ -193,6 +223,7 @@ export class ApiTokenManager {
doc.name = stored.name;
doc.tokenHash = stored.tokenHash;
doc.scopes = stored.scopes;
doc.policy = stored.policy;
doc.createdAt = stored.createdAt;
doc.expiresAt = stored.expiresAt;
doc.lastUsedAt = stored.lastUsedAt;
ts/config/classes.route-config-manager.ts
+18 -5
View File
@@ -452,14 +452,19 @@ export class RouteConfigManager {
lastResolvedAt: typeof metadata.lastResolvedAt === 'number' && Number.isFinite(metadata.lastResolvedAt)
? metadata.lastResolvedAt
: undefined,
ownerType: metadata.ownerType === 'workhoster' || metadata.ownerType === 'operator' || metadata.ownerType === 'system'
ownerType: metadata.ownerType === 'gatewayClient' || metadata.ownerType === 'workhoster' || metadata.ownerType === 'operator' || metadata.ownerType === 'system'
? metadata.ownerType
: undefined,
gatewayClientType: metadata.gatewayClientType === 'onebox' || metadata.gatewayClientType === 'cloudly' || metadata.gatewayClientType === 'custom'
? metadata.gatewayClientType
: metadata.workHosterType,
gatewayClientId: normalizeString(metadata.gatewayClientId || metadata.workHosterId),
gatewayClientAppId: normalizeString(metadata.gatewayClientAppId || metadata.workAppId),
workHosterType: metadata.workHosterType === 'onebox' || metadata.workHosterType === 'cloudly' || metadata.workHosterType === 'custom'
? metadata.workHosterType
: undefined,
workHosterId: normalizeString(metadata.workHosterId),
workAppId: normalizeString(metadata.workAppId),
: metadata.gatewayClientType,
workHosterId: normalizeString(metadata.workHosterId || metadata.gatewayClientId),
workAppId: normalizeString(metadata.workAppId || metadata.gatewayClientAppId),
externalKey: normalizeString(metadata.externalKey),
};
@@ -472,11 +477,19 @@ export class RouteConfigManager {
if (!normalized.sourceProfileRef && !normalized.networkTargetRef) {
normalized.lastResolvedAt = undefined;
}
if (normalized.ownerType !== 'workhoster') {
if (normalized.ownerType !== 'gatewayClient' && normalized.ownerType !== 'workhoster') {
normalized.gatewayClientType = undefined;
normalized.gatewayClientId = undefined;
normalized.gatewayClientAppId = undefined;
normalized.workHosterType = undefined;
normalized.workHosterId = undefined;
normalized.workAppId = undefined;
normalized.externalKey = undefined;
} else {
normalized.ownerType = 'gatewayClient';
normalized.workHosterType = normalized.gatewayClientType;
normalized.workHosterId = normalized.gatewayClientId;
normalized.workAppId = normalized.gatewayClientAppId;
}
if (Object.values(normalized).every((value) => value === undefined)) {