feat(tokens): Add support for organization-owned API tokens and org-level token management

ts/api/handlers/token.api.ts

@@ -4,17 +4,22 @@
 
 import type { IApiContext, IApiResponse } from '../router.ts';
 import { TokenService } from '../../services/token.service.ts';
+import { PermissionService } from '../../services/permission.service.ts';
 import type { ITokenScope, TRegistryProtocol } from '../../interfaces/auth.interfaces.ts';
 
 export class TokenApi {
   private tokenService: TokenService;
+  private permissionService: PermissionService;
 
-  constructor(tokenService: TokenService) {
+  constructor(tokenService: TokenService, permissionService?: PermissionService) {
     this.tokenService = tokenService;
+    this.permissionService = permissionService || new PermissionService();
   }
 
   /**
    * GET /api/v1/tokens
+   * Query params:
+   *   - organizationId: list org tokens (requires org admin)
    */
   public async list(ctx: IApiContext): Promise<IApiResponse> {
     if (!ctx.actor?.userId) {
@@ -22,7 +27,20 @@ export class TokenApi {
     }
 
     try {
-      const tokens = await this.tokenService.getUserTokens(ctx.actor.userId);
+      const url = new URL(ctx.request.url);
+      const organizationId = url.searchParams.get('organizationId');
+
+      let tokens;
+      if (organizationId) {
+        // Check if user can manage org
+        const canManage = await this.permissionService.canManageOrganization(ctx.actor.userId, organizationId);
+        if (!canManage) {
+          return { status: 403, body: { error: 'Not authorized to view organization tokens' } };
+        }
+        tokens = await this.tokenService.getOrgTokens(organizationId);
+      } else {
+        tokens = await this.tokenService.getUserTokens(ctx.actor.userId);
+      }
 
       return {
         status: 200,
@@ -33,6 +51,8 @@ export class TokenApi {
             tokenPrefix: t.tokenPrefix,
             protocols: t.protocols,
             scopes: t.scopes,
+            organizationId: t.organizationId,
+            createdById: t.createdById,
             expiresAt: t.expiresAt,
             lastUsedAt: t.lastUsedAt,
             usageCount: t.usageCount,
@@ -48,6 +68,12 @@ export class TokenApi {
 
   /**
    * POST /api/v1/tokens
+   * Body:
+   *   - name: token name
+   *   - organizationId: (optional) create org token instead of personal
+   *   - protocols: array of protocols
+   *   - scopes: array of scope objects
+   *   - expiresInDays: (optional) token expiry
    */
   public async create(ctx: IApiContext): Promise<IApiResponse> {
     if (!ctx.actor?.userId) {
@@ -56,8 +82,9 @@ export class TokenApi {
 
     try {
       const body = await ctx.request.json();
-      const { name, protocols, scopes, expiresInDays } = body as {
+      const { name, organizationId, protocols, scopes, expiresInDays } = body as {
         name: string;
+        organizationId?: string;
         protocols: TRegistryProtocol[];
         scopes: ITokenScope[];
         expiresInDays?: number;
@@ -90,8 +117,18 @@ export class TokenApi {
         }
       }
 
+      // If creating org token, verify permission
+      if (organizationId) {
+        const canManage = await this.permissionService.canManageOrganization(ctx.actor.userId, organizationId);
+        if (!canManage) {
+          return { status: 403, body: { error: 'Not authorized to create organization tokens' } };
+        }
+      }
+
       const result = await this.tokenService.createToken({
         userId: ctx.actor.userId,
+        organizationId,
+        createdById: ctx.actor.userId,
         name,
         protocols,
         scopes,
@@ -108,6 +145,7 @@ export class TokenApi {
           tokenPrefix: result.token.tokenPrefix,
           protocols: result.token.protocols,
           scopes: result.token.scopes,
+          organizationId: result.token.organizationId,
           expiresAt: result.token.expiresAt,
           createdAt: result.token.createdAt,
           warning: 'Store this token securely. It will not be shown again.',
@@ -121,6 +159,7 @@ export class TokenApi {
 
   /**
    * DELETE /api/v1/tokens/:id
+   * Allows revoking personal tokens or org tokens (if org admin)
    */
   public async revoke(ctx: IApiContext): Promise<IApiResponse> {
     if (!ctx.actor?.userId) {
@@ -130,12 +169,27 @@ export class TokenApi {
     const { id } = ctx.params;
 
     try {
-      // Get the token to verify ownership
-      const tokens = await this.tokenService.getUserTokens(ctx.actor.userId);
-      const token = tokens.find((t) => t.id === id);
+      // First check if it's a personal token
+      const userTokens = await this.tokenService.getUserTokens(ctx.actor.userId);
+      let token = userTokens.find((t) => t.id === id);
+
+      if (!token) {
+        // Check if it's an org token and user can manage org
+        const { ApiToken } = await import('../../models/index.ts');
+        const anyToken = await ApiToken.getInstance({ id, isRevoked: false });
+
+        if (anyToken?.organizationId) {
+          const canManage = await this.permissionService.canManageOrganization(
+            ctx.actor.userId,
+            anyToken.organizationId
+          );
+          if (canManage) {
+            token = anyToken;
+          }
+        }
+      }
 
       if (!token) {
-        // Either doesn't exist or doesn't belong to user
         return { status: 404, body: { error: 'Token not found' } };
       }