stack.gallery/registry
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(tokens): Add support for organization-owned API tokens and org-level token management

Browse Source
This commit is contained in:
Jürgen Kunz
2025-11-28 12:57:17 +00:00
parent 93ae998e3f
commit dface47942
9 changed files with 354 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ts/00_commitinfo_data.ts
View File

@@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@stack.gallery/registry',
version: '1.1.0',
version: '1.2.0',
description: 'Enterprise-grade multi-protocol package registry'
}

68
ts/api/handlers/token.api.ts
View File

@@ -4,17 +4,22 @@
import type { IApiContext, IApiResponse } from '../router.ts';
import { TokenService } from '../../services/token.service.ts';
import { PermissionService } from '../../services/permission.service.ts';
import type { ITokenScope, TRegistryProtocol } from '../../interfaces/auth.interfaces.ts';
export class TokenApi {
private tokenService: TokenService;
private permissionService: PermissionService;
constructor(tokenService: TokenService) {
constructor(tokenService: TokenService, permissionService?: PermissionService) {
this.tokenService = tokenService;
this.permissionService = permissionService || new PermissionService();
}
/**
* GET /api/v1/tokens
* Query params:
* - organizationId: list org tokens (requires org admin)
*/
public async list(ctx: IApiContext): Promise<IApiResponse> {
if (!ctx.actor?.userId) {
@@ -22,7 +27,20 @@ export class TokenApi {
}
try {
const tokens = await this.tokenService.getUserTokens(ctx.actor.userId);
const url = new URL(ctx.request.url);
const organizationId = url.searchParams.get('organizationId');
let tokens;
if (organizationId) {
// Check if user can manage org
const canManage = await this.permissionService.canManageOrganization(ctx.actor.userId, organizationId);
if (!canManage) {
return { status: 403, body: { error: 'Not authorized to view organization tokens' } };
}
tokens = await this.tokenService.getOrgTokens(organizationId);
} else {
tokens = await this.tokenService.getUserTokens(ctx.actor.userId);
}
return {
status: 200,
@@ -33,6 +51,8 @@ export class TokenApi {
tokenPrefix: t.tokenPrefix,
protocols: t.protocols,
scopes: t.scopes,
organizationId: t.organizationId,
createdById: t.createdById,
expiresAt: t.expiresAt,
lastUsedAt: t.lastUsedAt,
usageCount: t.usageCount,
@@ -48,6 +68,12 @@ export class TokenApi {
/**
* POST /api/v1/tokens
* Body:
* - name: token name
* - organizationId: (optional) create org token instead of personal
* - protocols: array of protocols
* - scopes: array of scope objects
* - expiresInDays: (optional) token expiry
*/
public async create(ctx: IApiContext): Promise<IApiResponse> {
if (!ctx.actor?.userId) {
@@ -56,8 +82,9 @@ export class TokenApi {
try {
const body = await ctx.request.json();
const { name, protocols, scopes, expiresInDays } = body as {
const { name, organizationId, protocols, scopes, expiresInDays } = body as {
name: string;
organizationId?: string;
protocols: TRegistryProtocol[];
scopes: ITokenScope[];
expiresInDays?: number;
@@ -90,8 +117,18 @@ export class TokenApi {
}
}
// If creating org token, verify permission
if (organizationId) {
const canManage = await this.permissionService.canManageOrganization(ctx.actor.userId, organizationId);
if (!canManage) {
return { status: 403, body: { error: 'Not authorized to create organization tokens' } };
}
}
const result = await this.tokenService.createToken({
userId: ctx.actor.userId,
organizationId,
createdById: ctx.actor.userId,
name,
protocols,
scopes,
@@ -108,6 +145,7 @@ export class TokenApi {
tokenPrefix: result.token.tokenPrefix,
protocols: result.token.protocols,
scopes: result.token.scopes,
organizationId: result.token.organizationId,
expiresAt: result.token.expiresAt,
createdAt: result.token.createdAt,
warning: 'Store this token securely. It will not be shown again.',
@@ -121,6 +159,7 @@ export class TokenApi {
/**
* DELETE /api/v1/tokens/:id
* Allows revoking personal tokens or org tokens (if org admin)
*/
public async revoke(ctx: IApiContext): Promise<IApiResponse> {
if (!ctx.actor?.userId) {
@@ -130,12 +169,27 @@ export class TokenApi {
const { id } = ctx.params;
try {
// Get the token to verify ownership
const tokens = await this.tokenService.getUserTokens(ctx.actor.userId);
const token = tokens.find((t) => t.id === id);
// First check if it's a personal token
const userTokens = await this.tokenService.getUserTokens(ctx.actor.userId);
let token = userTokens.find((t) => t.id === id);
if (!token) {
// Check if it's an org token and user can manage org
const { ApiToken } = await import('../../models/index.ts');
const anyToken = await ApiToken.getInstance({ id, isRevoked: false });
if (anyToken?.organizationId) {
const canManage = await this.permissionService.canManageOrganization(
ctx.actor.userId,
anyToken.organizationId
);
if (canManage) {
token = anyToken;
}
}
}
if (!token) {
// Either doesn't exist or doesn't belong to user
return { status: 404, body: { error: 'Token not found' } };
}

3
ts/interfaces/auth.interfaces.ts
View File

@@ -143,6 +143,8 @@ export type TTokenAction = 'read' | 'write' | 'delete' | '*';
export interface IApiToken {
id: string;
userId: string;
organizationId?: string; // For org-owned tokens
createdById?: string; // Who created the token (for audit)
name: string;
tokenHash: string;
tokenPrefix: string;
@@ -276,6 +278,7 @@ export interface ICreateRepositoryDto {
export interface ICreateTokenDto {
name: string;
organizationId?: string; // For org-owned tokens
protocols: TRegistryProtocol[];
scopes: ITokenScope[];
expiresAt?: Date;

17
ts/models/apitoken.ts
View File

@@ -15,6 +15,13 @@ export class ApiToken extends plugins.smartdata.SmartDataDbDoc<ApiToken, ApiToke
@plugins.smartdata.index()
public userId: string = '';
@plugins.smartdata.svDb()
@plugins.smartdata.index()
public organizationId?: string; // For org-owned tokens
@plugins.smartdata.svDb()
public createdById?: string; // Who created the token (for audit)
@plugins.smartdata.svDb()
public name: string = '';
@@ -90,6 +97,16 @@ export class ApiToken extends plugins.smartdata.SmartDataDbDoc<ApiToken, ApiToke
});
}
/**
* Get all tokens for an organization
*/
public static async getOrgTokens(organizationId: string): Promise<ApiToken[]> {
return await ApiToken.getInstances({
organizationId,
isRevoked: false,
});
}
/**
* Check if token is valid (not expired, not revoked)
*/

23
ts/services/token.service.ts
View File

@@ -9,6 +9,8 @@ import { AuditService } from './audit.service.ts';
export interface ICreateTokenOptions {
userId: string;
organizationId?: string; // For org-owned tokens
createdById?: string; // Who created the token (defaults to userId)
name: string;
protocols: TRegistryProtocol[];
scopes: ITokenScope[];
@@ -52,6 +54,8 @@ export class TokenService {
const token = new ApiToken();
token.id = await ApiToken.getNewId();
token.userId = options.userId;
token.organizationId = options.organizationId;
token.createdById = options.createdById || options.userId;
token.name = options.name;
token.tokenHash = tokenHash;
token.tokenPrefix = tokenPrefix;
@@ -150,6 +154,13 @@ export class TokenService {
return await ApiToken.getUserTokens(userId);
}
/**
* Get all tokens for an organization
*/
public async getOrgTokens(organizationId: string): Promise<ApiToken[]> {
return await ApiToken.getOrgTokens(organizationId);
}
/**
* Revoke a token
*/
@@ -175,6 +186,18 @@ export class TokenService {
return tokens.length;
}
/**
* Revoke all tokens for an organization
*/
public async revokeAllOrgTokens(organizationId: string, reason?: string): Promise<number> {
const tokens = await ApiToken.getOrgTokens(organizationId);
for (const token of tokens) {
await token.revoke(reason);
await this.auditService.logTokenRevoked(token.id, token.name);
}
return tokens.length;
}
/**
* Check if token has permission for a specific action
*/