feat: add personal access tokens (#434)

This commit adds API endpoints for managing personal access tokens.
Users
can create and revoke tokens, and tokens can be used to authenticate API
requests.

Tokens are created with a description, and an optional expiry date.
Tokens
can be revoked at any time.

There is a UI for managing tokens in the account settings - users can
create
and revoke tokens from there. Tokens are displayed with their
description,
expiry date, the granted permissions, and the date they were created.

An email is sent to users when a new token is created to notify them of
the
token's creation.

The token creation UI contains a questionnaire flow to help users
understand
that what they are doing is potentially dangerous, and to guide users to
use
alternative authentication mechanisms such as OIDC or interactive flow
where
possible.


Fixes #393

Author: lucacasonato

api/.sqlx/query-766d32b1437d5ae0a40ce065d1306ed46b739bb972f1b83cda07841bb0f07453.json

@@ -1945,6 +1945,31 @@ components:
 
     Permission:
       oneOf:
+        - type: object
+          properties:
+            permission:
+              type: string
+              description: The permission name.
+              enum: ["package/publish"]
+            scope:
+              $ref: "#/components/schemas/ScopeName"
+          required:
+            - permission
+            - scope
+        - type: object
+          properties:
+            permission:
+              type: string
+              description: The permission name.
+              enum: ["package/publish"]
+            scope:
+              $ref: "#/components/schemas/ScopeName"
+            package:
+              $ref: "#/components/schemas/PackageName"
+          required:
+            - permission
+            - scope
+            - package
         - type: object
           properties:
             permission:

api/.sqlx/query-9e0369495156d984196939d4cb2838ed135acca6f927abd071760f0924e7492d.json

@@ -255,6 +255,7 @@ mod tests {
   use crate::api::ApiAuthorizationExchangeResponse;
   use crate::api::ApiCreateAuthorizationResponse;
   use crate::api::ApiFullUser;
+  use crate::db::PackagePublishPermission;
   use crate::db::Permission;
   use crate::db::Permissions;
   use crate::util::test::ApiResultExt;
@@ -367,12 +368,14 @@ mod tests {
 
     let (verifier, challenge) = new_verifier_and_challenge();
 
-    let permissions = Permissions(vec![Permission::VersionPublish {
-      scope: t.scope.scope.clone(),
-      package: "test".try_into().unwrap(),
-      version: "1.0.0".try_into().unwrap(),
-      tarball_hash: "sha256-1234567890".into(),
-    }]);
+    let permissions = Permissions(vec![Permission::PackagePublish(
+      PackagePublishPermission::Version {
+        scope: t.scope.scope.clone(),
+        package: "test".try_into().unwrap(),
+        version: "1.0.0".try_into().unwrap(),
+        tarball_hash: "sha256-1234567890".into(),
+      },
+    )]);
 
     let mut resp =
       create_authorization(&mut t, &challenge, Some(permissions)).await;

api/src/api.yml

@@ -52,6 +52,10 @@ errors!(
     status: NOT_FOUND,
     "The requested path was not found.",
   },
+  TokenNotFound {
+    status: NOT_FOUND,
+    "The requested token was not found.",
+  },
   InternalServerError {
     status: INTERNAL_SERVER_ERROR,
     "Internal Server Error",

api/src/api/authorization.rs

@@ -1408,14 +1408,19 @@ mod test {
   use crate::db::NewPackageVersion;
   use crate::db::NewPublishingTask;
   use crate::db::NewScopeInvite;
+  use crate::db::PackagePublishPermission;
+  use crate::db::Permission;
+  use crate::db::Permissions;
   use crate::db::PublishingTaskStatus;
+  use crate::db::TokenType;
   use crate::ids::PackageName;
   use crate::ids::PackagePath;
   use crate::ids::ScopeName;
   use crate::ids::Version;
   use crate::publish::tests::create_mock_tarball;
   use crate::publish::tests::process_tarball_setup;
   use crate::publish::tests::process_tarball_setup2;
+  use crate::token::create_token;
   use crate::util::test::ApiResultExt;
   use crate::util::test::TestSetup;
 
@@ -2379,6 +2384,51 @@ ggHohNAjhbzDaY2iBW/m3NC5dehGUP4T2GBo/cwGhg==
       .await;
   }
 
+  #[tokio::test]
+  async fn test_publishing_with_missing_auth() {
+    let mut t = TestSetup::new().await;
+
+    let permission =
+      Permission::PackagePublish(PackagePublishPermission::Scope {
+        scope: ScopeName::new("otherscope".to_owned()).unwrap(),
+      });
+
+    let token = create_token(
+      &t.db(),
+      t.user1.user.id,
+      TokenType::Web,
+      None,
+      None,
+      Some(Permissions(vec![permission])),
+    )
+    .await
+    .unwrap();
+
+    let scope = t.scope.scope.clone();
+
+    let name = PackageName::new("foo".to_owned()).unwrap();
+
+    let CreatePackageResult::Ok(_) =
+      t.db().create_package(&scope, &name).await.unwrap()
+    else {
+      unreachable!();
+    };
+
+    let data = create_mock_tarball("ok");
+    let mut resp = t
+      .http()
+      .post("/api/scopes/scope/packages/foo/versions/1.2.3?config=/jsr.json")
+      .gzip()
+      .token(Some(&token))
+      .body(Body::from(data))
+      .call()
+      .await
+      .unwrap();
+    resp
+      .expect_err_code(StatusCode::FORBIDDEN, "missingPermission")
+      .await;
+  }
+
   #[tokio::test]
   async fn test_package_docs() {
     let mut t = TestSetup::new().await;