feat: add personal access tokens

This commit adds API endpoints for managing personal access tokens. Users
can create and revoke tokens, and tokens can be used to authenticate API
requests.

Tokens are created with a description, and an optional expiry date. Tokens
can be revoked at any time.

There is a UI for managing tokens in the account settings - users can create
and revoke tokens from there. Tokens are displayed with their description,
expiry date, the granted permissions, and the date they were created.

An email is sent to users when a new token is created to notify them of the
token's creation.

The token creation UI contains a questionnaire flow to help users understand
that what they are doing is potentially dangerous, and to guide users to use
alternative authentication mechanisms such as OIDC or interactive flow where
possible.

Author: lucacasonato

api/migrations/20240422122600_personal_access_token.sql

@@ -0,0 +1 @@
+ALTER TYPE token_type ADD VALUE 'personal';

api/src/api.yml

@@ -1945,6 +1945,31 @@ components:
 
     Permission:
       oneOf:
+        - type: object
+          properties:
+            permission:
+              type: string
+              description: The permission name.
+              enum: ["package/publish"]
+            scope:
+              $ref: "#/components/schemas/ScopeName"
+          required:
+            - permission
+            - scope
+        - type: object
+          properties:
+            permission:
+              type: string
+              description: The permission name.
+              enum: ["package/publish"]
+            scope:
+              $ref: "#/components/schemas/ScopeName"
+            package:
+              $ref: "#/components/schemas/PackageName"
+          required:
+            - permission
+            - scope
+            - package
         - type: object
           properties:
             permission:

api/src/api/authorization.rs

@@ -255,6 +255,7 @@ mod tests {
   use crate::api::ApiAuthorizationExchangeResponse;
   use crate::api::ApiCreateAuthorizationResponse;
   use crate::api::ApiFullUser;
+  use crate::db::PackagePublishPermission;
   use crate::db::Permission;
   use crate::db::Permissions;
   use crate::util::test::ApiResultExt;
@@ -367,12 +368,14 @@ mod tests {
 
     let (verifier, challenge) = new_verifier_and_challenge();
 
-    let permissions = Permissions(vec![Permission::VersionPublish {
-      scope: t.scope.scope.clone(),
-      package: "test".try_into().unwrap(),
-      version: "1.0.0".try_into().unwrap(),
-      tarball_hash: "sha256-1234567890".into(),
-    }]);
+    let permissions = Permissions(vec![Permission::PackagePublish(
+      PackagePublishPermission::Version {
+        scope: t.scope.scope.clone(),
+        package: "test".try_into().unwrap(),
+        version: "1.0.0".try_into().unwrap(),
+        tarball_hash: "sha256-1234567890".into(),
+      },
+    )]);
 
     let mut resp =
       create_authorization(&mut t, &challenge, Some(permissions)).await;

api/src/api/errors.rs

@@ -52,6 +52,10 @@ errors!(
     status: NOT_FOUND,
     "The requested path was not found.",
   },
+  TokenNotFound {
+    status: NOT_FOUND,
+    "The requested token was not found.",
+  },
   InternalServerError {
     status: INTERNAL_SERVER_ERROR,
     "Internal Server Error",

api/src/api/self_user.rs

@@ -9,18 +9,28 @@ use tracing::field;
 use tracing::instrument;
 use tracing::Span;
 
+use std::borrow::Cow;
+
 use crate::db::Database;
+use crate::db::TokenType;
 use crate::db::UserPublic;
+use crate::emails::EmailArgs;
+use crate::emails::EmailSender;
 use crate::iam::ReqIamExt;
 use crate::util;
+use crate::util::decode_json;
 use crate::util::ApiResult;
 use crate::util::RequestIdExt;
+use crate::RegistryUrl;
 
+use super::ApiCreateTokenRequest;
+use super::ApiCreatedToken;
 use super::ApiError;
 use super::ApiFullUser;
 use super::ApiScope;
 use super::ApiScopeInvite;
 use super::ApiScopeMember;
+use super::ApiToken;
 
 pub fn self_user_router() -> Router<Body, ApiError> {
   Router::builder()
@@ -33,6 +43,9 @@ pub fn self_user_router() -> Router<Body, ApiError> {
       util::auth(util::json(accept_invite_handler)),
     )
     .delete("/invites/:scope", util::auth(decline_invite_handler))
+    .get("/tokens", util::auth(util::json(list_tokens)))
+    .post("/tokens", util::auth(util::json(create_token)))
+    .delete("/tokens/:id", util::auth(util::json(delete_token)))
     .build()
     .unwrap()
 }
@@ -151,3 +164,110 @@ pub async fn decline_invite_handler(
     .unwrap();
   Ok(resp)
 }
+
+#[instrument("GET /api/user/tokens")]
+async fn list_tokens(req: Request<Body>) -> Result<Vec<ApiToken>, ApiError> {
+  let iam = req.iam();
+  let user = iam.check_current_user_access()?;
+
+  let db = req.data::<Database>().unwrap();
+
+  let tokens = db.list_tokens(user.id).await?;
+
+  Ok(tokens.into_iter().map(ApiToken::from).collect())
+}
+
+#[instrument("POST /api/user/tokens")]
+async fn create_token(
+  mut req: Request<Body>,
+) -> Result<ApiCreatedToken, ApiError> {
+  let ApiCreateTokenRequest {
+    description,
+    expires_at,
+    permissions,
+  } = decode_json(&mut req).await?;
+
+  let description = description.trim().replace('\n', " ").replace('\r', "");
+  if description.is_empty() {
+    return Err(ApiError::MalformedRequest {
+      msg: "description must not be empty".into(),
+    });
+  }
+  if description.len() > 250 {
+    return Err(ApiError::MalformedRequest {
+      msg: "description must not be longer than 250 characters".into(),
+    });
+  }
+  if description.contains(|c: char| c.is_control()) {
+    return Err(ApiError::MalformedRequest {
+      msg: "description must not contain control characters".into(),
+    });
+  }
+
+  if let Some(permissions) = permissions.as_ref() {
+    if permissions.0.len() != 1 {
+      return Err(ApiError::MalformedRequest {
+        msg: "permissions must contain exactly one element".into(),
+      });
+    }
+  }
+
+  let iam = req.iam();
+  let user = iam.check_authorization_approve_access()?;
+
+  let db = req.data::<Database>().unwrap();
+
+  let secret = crate::token::create_token(
+    db,
+    user.id,
+    TokenType::Personal,
+    Some(description),
+    expires_at,
+    permissions,
+  )
+  .await?;
+
+  let hash = crate::token::hash(&secret);
+  let token = db.get_token_by_hash(&hash).await?.unwrap();
+
+  if let Some(ref email) = user.email {
+    let email_sender = req.data::<Option<EmailSender>>().unwrap();
+    let registry_url = req.data::<RegistryUrl>().unwrap();
+    if let Some(email_sender) = email_sender {
+      let email_args = EmailArgs::PersonalAccessToken {
+        name: Cow::Borrowed(&user.name),
+        registry_url: Cow::Borrowed(registry_url.0.as_str()),
+        registry_name: Cow::Borrowed(&email_sender.from_name),
+        support_email: Cow::Borrowed(&email_sender.from),
+      };
+      email_sender
+        .send(email.clone(), email_args)
+        .await
+        .map_err(|e| {
+          tracing::error!("failed to send email: {:?}", e);
+          ApiError::InternalServerError
+        })?;
+    }
+  }
+
+  Ok(ApiCreatedToken {
+    token: token.into(),
+    secret,
+  })
+}
+
+#[instrument("DELETE /api/user/tokens/:id")]
+async fn delete_token(req: Request<Body>) -> Result<(), ApiError> {
+  let id = req.param_uuid("id")?;
+
+  let iam = req.iam();
+  let user = iam.check_authorization_approve_access()?;
+
+  let db = req.data::<Database>().unwrap();
+
+  if !db.delete_token(user.id, id).await? {
+    return Err(ApiError::TokenNotFound);
+  };
+
+  Ok(())
+}

api/src/api/types.rs

@@ -14,7 +14,7 @@ use serde::Serialize;
 use uuid::Uuid;
 
 #[derive(Serialize, Deserialize, Debug, PartialEq, Clone, Copy)]
-#[serde(rename_all = "lowercase")]
+#[serde(rename_all = "snake_case")]
 pub enum ApiPublishingTaskStatus {
   Pending,
   Processing,
@@ -613,7 +613,7 @@ impl From<PackageVersion> for ApiPackageVersion {
 }
 
 #[derive(Debug, Serialize, Deserialize, Ord, PartialOrd, Eq, PartialEq)]
-#[serde(rename_all = "camelCase")]
+#[serde(rename_all = "snake_case")]
 pub enum ApiSourceDirEntryKind {
   Dir,
   File,
@@ -628,7 +628,7 @@ pub struct ApiSourceDirEntry {
 }
 
 #[derive(Debug, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase", tag = "kind")]
+#[serde(rename_all = "snake_case", tag = "kind")]
 pub enum ApiSource {
   Dir { entries: Vec<ApiSourceDirEntry> },
   File { size: usize, view: Option<String> },
@@ -783,7 +783,7 @@ impl From<Authorization> for ApiAuthorization {
 }
 
 #[derive(Debug, Serialize, Deserialize, Eq, PartialEq, Hash)]
-#[serde(rename_all = "camelCase")]
+#[serde(rename_all = "snake_case")]
 pub enum ApiDependencyKind {
   Jsr,
   Npm,
@@ -843,3 +843,64 @@ pub struct ApiList<T> {
   pub items: Vec<T>,
   pub total: usize,
 }
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum ApiTokenType {
+  Web,
+  Device,
+  Personal,
+}
+
+impl From<TokenType> for ApiTokenType {
+  fn from(value: TokenType) -> Self {
+    match value {
+      TokenType::Web => ApiTokenType::Web,
+      TokenType::Device => ApiTokenType::Device,
+      TokenType::Personal => ApiTokenType::Personal,
+    }
+  }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ApiToken {
+  pub id: Uuid,
+  pub description: Option<String>,
+  pub user_id: Uuid,
+  pub r#type: ApiTokenType,
+  pub expires_at: Option<DateTime<Utc>>,
+  pub updated_at: DateTime<Utc>,
+  pub created_at: DateTime<Utc>,
+  pub permissions: Option<Permissions>,
+}
+
+impl From<Token> for ApiToken {
+  fn from(value: Token) -> Self {
+    Self {
+      id: value.id,
+      description: value.description,
+      user_id: value.user_id,
+      r#type: value.r#type.into(),
+      expires_at: value.expires_at,
+      updated_at: value.updated_at,
+      created_at: value.created_at,
+      permissions: value.permissions,
+    }
+  }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ApiCreateTokenRequest {
+  pub description: String,
+  pub expires_at: Option<DateTime<Utc>>,
+  pub permissions: Option<Permissions>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ApiCreatedToken {
+  pub secret: String,
+  pub token: ApiToken,
+}

api/src/config.rs

@@ -173,6 +173,7 @@ impl std::fmt::Debug for Config {
         &self.postmark_token.as_ref().map(|_| "***"),
       )
       .field("email_from", &self.email_from)
+      .field("email_from_name", &self.email_from_name)
       .finish()
   }
 }

api/src/db/database.rs

@@ -2567,13 +2567,41 @@ impl Database {
     .await
   }
 
-  #[instrument(name = "Database::get_token", skip(self), err)]
-  pub async fn get_token(&self, hash: &str) -> Result<Option<Token>> {
+  #[instrument(name = "Database::get_token_by_hash", skip(self), err)]
+  pub async fn get_token_by_hash(&self, hash: &str) -> Result<Option<Token>> {
     sqlx::query_as!(Token, r#"SELECT id, hash, user_id, type "type: _", description, expires_at, permissions "permissions: _", updated_at, created_at FROM tokens WHERE hash = $1"#, hash)
       .fetch_optional(&self.pool)
       .await
   }
 
+  #[instrument(name = "Database::list_token", skip(self), err)]
+  pub async fn list_tokens(&self, user_id: Uuid) -> Result<Vec<Token>> {
+    // list a user's tokens where the expiration date is at most 1 day in the past
+    sqlx::query_as!(
+      Token,
+      r#"SELECT id, hash, user_id, type "type: _", description, expires_at, permissions "permissions: _", updated_at, created_at
+      FROM tokens
+      WHERE user_id = $1 AND (expires_at > now() - interval '1 day' OR expires_at IS NULL)
+      ORDER BY expires_at DESC NULLS FIRST, created_at DESC
+      "#,
+      user_id
+    )
+    .fetch_all(&self.pool)
+    .await
+  }
+
+  #[instrument(name = "Database::delete_token", skip(self), err)]
+  pub async fn delete_token(&self, user_id: Uuid, id: Uuid) -> Result<bool> {
+    let res = sqlx::query!(
+      r#"DELETE FROM tokens WHERE user_id = $1 ANd id = $2"#,
+      user_id,
+      id
+    )
+    .execute(&self.pool)
+    .await?;
+    Ok(res.rows_affected() > 0)
+  }
+
   #[instrument(
     name = "Database::create_authorization",
     skip(self, new_authorization),