feat(api-token-manager): seed and rotate the environment-managed admin API token during initialization
This commit is contained in:
@@ -9,6 +9,8 @@ import type {
|
||||
} from '../../ts_interfaces/data/route-management.js';
|
||||
|
||||
const TOKEN_PREFIX_STR = 'dcr_';
|
||||
const ENV_ADMIN_TOKEN_ID = 'env-admin-token';
|
||||
const ENV_ADMIN_TOKEN_CREATED_BY = 'dcrouter-env';
|
||||
|
||||
export class ApiTokenManager {
|
||||
private tokens = new Map<string, IStoredApiToken>();
|
||||
@@ -17,6 +19,7 @@ export class ApiTokenManager {
|
||||
|
||||
public async initialize(): Promise<void> {
|
||||
await this.loadTokens();
|
||||
await this.ensureEnvAdminToken();
|
||||
if (this.tokens.size > 0) {
|
||||
logger.log('info', `Loaded ${this.tokens.size} API token(s) from storage`);
|
||||
}
|
||||
@@ -41,7 +44,7 @@ export class ApiTokenManager {
|
||||
const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
|
||||
const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
|
||||
|
||||
const tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
|
||||
const tokenHash = this.hashToken(rawToken);
|
||||
|
||||
const now = Date.now();
|
||||
const stored: IStoredApiToken = {
|
||||
@@ -70,7 +73,7 @@ export class ApiTokenManager {
|
||||
public async validateToken(rawToken: string): Promise<IStoredApiToken | null> {
|
||||
if (!rawToken.startsWith(TOKEN_PREFIX_STR)) return null;
|
||||
|
||||
const hash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
|
||||
const hash = this.hashToken(rawToken);
|
||||
|
||||
for (const stored of this.tokens.values()) {
|
||||
if (stored.tokenHash === hash) {
|
||||
@@ -162,7 +165,7 @@ export class ApiTokenManager {
|
||||
const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
|
||||
const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
|
||||
|
||||
stored.tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
|
||||
stored.tokenHash = this.hashToken(rawToken);
|
||||
await this.persistToken(stored);
|
||||
logger.log('info', `API token '${stored.name}' rolled (id: ${id})`);
|
||||
return { id, rawToken };
|
||||
@@ -204,6 +207,41 @@ export class ApiTokenManager {
|
||||
}
|
||||
}
|
||||
|
||||
private async ensureEnvAdminToken(): Promise<void> {
|
||||
const rawToken = process.env.DCROUTER_ADMIN_API_TOKEN?.trim();
|
||||
if (!rawToken) return;
|
||||
|
||||
if (!rawToken.startsWith(TOKEN_PREFIX_STR)) {
|
||||
throw new Error(`DCROUTER_ADMIN_API_TOKEN must start with ${TOKEN_PREFIX_STR}`);
|
||||
}
|
||||
if (rawToken.length < TOKEN_PREFIX_STR.length + 32) {
|
||||
throw new Error('DCROUTER_ADMIN_API_TOKEN is too short');
|
||||
}
|
||||
|
||||
const now = Date.now();
|
||||
const existing = this.tokens.get(ENV_ADMIN_TOKEN_ID);
|
||||
const stored: IStoredApiToken = {
|
||||
id: ENV_ADMIN_TOKEN_ID,
|
||||
name: process.env.DCROUTER_ADMIN_API_TOKEN_NAME?.trim() || 'Environment Admin Token',
|
||||
tokenHash: this.hashToken(rawToken),
|
||||
scopes: ['*'],
|
||||
policy: { role: 'admin' },
|
||||
createdAt: existing?.createdAt || now,
|
||||
expiresAt: null,
|
||||
lastUsedAt: existing?.lastUsedAt || null,
|
||||
createdBy: existing?.createdBy || ENV_ADMIN_TOKEN_CREATED_BY,
|
||||
enabled: true,
|
||||
};
|
||||
|
||||
this.tokens.set(stored.id, stored);
|
||||
await this.persistToken(stored);
|
||||
logger.log('info', `Environment admin API token ensured (id: ${stored.id})`);
|
||||
}
|
||||
|
||||
private hashToken(rawToken: string): string {
|
||||
return plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
|
||||
}
|
||||
|
||||
private async persistToken(stored: IStoredApiToken): Promise<void> {
|
||||
const existing = await ApiTokenDoc.findById(stored.id);
|
||||
if (existing) {
|
||||
|
||||
Reference in New Issue
Block a user