d2de49a591
Implements API key authentication for all rdev endpoints:
## Database (internal/db)
- Auto-migrating postgres connection
- Embedded SQL migrations via go:embed
- api_keys table with scopes, expiration, project restrictions
## Auth Package (internal/auth)
- Key generation: rdev_sk_<prefix>_<random> format
- Scopes: projects:read, projects:execute, keys:read, keys:write, admin
- SHA-256 key hashing (secrets never stored)
- Expiration options: 30d, 60d, 90d, 1y, never
- Middleware skips /health, /ready, /docs, /openapi.json
## Key Management API
- GET /keys - List keys (keys:read)
- POST /keys - Create key (keys:write)
- GET /keys/{id} - Get key details (keys:read)
- DELETE /keys/{id} - Revoke key (keys:write)
## Environment Variables
- DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, DB_NAME
- RDEV_ADMIN_KEY - Super admin key for bootstrapping
Version bumped to 0.5.0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
207 lines
5.3 KiB
Go
207 lines
5.3 KiB
Go
package handlers
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/orchard9/rdev/internal/auth"
|
|
"github.com/orchard9/rdev/pkg/api"
|
|
)
|
|
|
|
// KeysHandler handles API key management endpoints.
|
|
type KeysHandler struct {
|
|
authService *auth.Service
|
|
}
|
|
|
|
// NewKeysHandler creates a new keys handler.
|
|
func NewKeysHandler(authService *auth.Service) *KeysHandler {
|
|
return &KeysHandler{authService: authService}
|
|
}
|
|
|
|
// Mount registers the keys routes.
|
|
func (h *KeysHandler) Mount(r api.Router) {
|
|
r.Route("/keys", func(r chi.Router) {
|
|
// All key endpoints require authentication (handled by global middleware)
|
|
r.With(auth.RequireScope(auth.ScopeKeysRead, auth.ScopeAdmin)).Get("/", h.List)
|
|
r.With(auth.RequireScope(auth.ScopeKeysWrite, auth.ScopeAdmin)).Post("/", h.Create)
|
|
r.With(auth.RequireScope(auth.ScopeKeysRead, auth.ScopeAdmin)).Get("/{id}", h.Get)
|
|
r.With(auth.RequireScope(auth.ScopeKeysWrite, auth.ScopeAdmin)).Delete("/{id}", h.Revoke)
|
|
})
|
|
}
|
|
|
|
// CreateKeyRequest is the JSON body for creating a key.
|
|
type CreateKeyRequest struct {
|
|
Name string `json:"name"`
|
|
Scopes []string `json:"scopes"`
|
|
ProjectIDs []string `json:"project_ids,omitempty"` // null = all projects
|
|
ExpiresIn string `json:"expires_in,omitempty"` // "30d", "60d", "90d", "1y", "never"
|
|
}
|
|
|
|
// KeyResponse is the JSON response for a key (without secret).
|
|
type KeyResponse struct {
|
|
ID string `json:"id"`
|
|
Name string `json:"name"`
|
|
KeyPrefix string `json:"key_prefix"`
|
|
Scopes []string `json:"scopes"`
|
|
ProjectIDs []string `json:"project_ids,omitempty"`
|
|
CreatedAt string `json:"created_at"`
|
|
ExpiresAt *string `json:"expires_at,omitempty"`
|
|
LastUsedAt *string `json:"last_used_at,omitempty"`
|
|
RevokedAt *string `json:"revoked_at,omitempty"`
|
|
CreatedBy string `json:"created_by"`
|
|
Active bool `json:"active"`
|
|
}
|
|
|
|
// CreateKeyResponse includes the secret (shown only once).
|
|
type CreateKeyResponse struct {
|
|
Key KeyResponse `json:"key"`
|
|
Secret string `json:"secret"`
|
|
}
|
|
|
|
// apiKeyToResponse converts an APIKey to a JSON response.
|
|
func apiKeyToResponse(k *auth.APIKey) KeyResponse {
|
|
resp := KeyResponse{
|
|
ID: k.ID,
|
|
Name: k.Name,
|
|
KeyPrefix: k.KeyPrefix,
|
|
Scopes: auth.ScopesToStrings(k.Scopes),
|
|
CreatedAt: k.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
|
|
CreatedBy: k.CreatedBy,
|
|
Active: k.IsActive(),
|
|
}
|
|
|
|
if k.ProjectIDs != nil {
|
|
resp.ProjectIDs = k.ProjectIDs
|
|
}
|
|
|
|
if k.ExpiresAt != nil {
|
|
s := k.ExpiresAt.Format("2006-01-02T15:04:05Z07:00")
|
|
resp.ExpiresAt = &s
|
|
}
|
|
|
|
if k.LastUsedAt != nil {
|
|
s := k.LastUsedAt.Format("2006-01-02T15:04:05Z07:00")
|
|
resp.LastUsedAt = &s
|
|
}
|
|
|
|
if k.RevokedAt != nil {
|
|
s := k.RevokedAt.Format("2006-01-02T15:04:05Z07:00")
|
|
resp.RevokedAt = &s
|
|
}
|
|
|
|
return resp
|
|
}
|
|
|
|
// List returns all API keys.
|
|
// GET /keys
|
|
func (h *KeysHandler) List(w http.ResponseWriter, r *http.Request) {
|
|
keys, err := h.authService.List(r.Context())
|
|
if err != nil {
|
|
api.WriteInternalError(w, r, "Failed to list keys")
|
|
return
|
|
}
|
|
|
|
resp := make([]KeyResponse, len(keys))
|
|
for i, k := range keys {
|
|
resp[i] = apiKeyToResponse(k)
|
|
}
|
|
|
|
api.WriteSuccess(w, r, resp)
|
|
}
|
|
|
|
// Create generates a new API key.
|
|
// POST /keys
|
|
func (h *KeysHandler) Create(w http.ResponseWriter, r *http.Request) {
|
|
var req CreateKeyRequest
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
api.WriteBadRequest(w, r, "Invalid JSON body")
|
|
return
|
|
}
|
|
|
|
if req.Name == "" {
|
|
api.WriteBadRequest(w, r, "name is required")
|
|
return
|
|
}
|
|
|
|
if len(req.Scopes) == 0 {
|
|
api.WriteBadRequest(w, r, "scopes is required")
|
|
return
|
|
}
|
|
|
|
// Validate scopes
|
|
scopes := auth.ScopesFromStrings(req.Scopes)
|
|
if !auth.ValidateScopes(scopes) {
|
|
api.WriteBadRequest(w, r, "invalid scope(s)")
|
|
return
|
|
}
|
|
|
|
// Parse expiration
|
|
expiresIn, err := auth.ParseExpiration(req.ExpiresIn)
|
|
if err != nil {
|
|
api.WriteBadRequest(w, r, err.Error())
|
|
return
|
|
}
|
|
|
|
// Get creator from authenticated key
|
|
creator := "admin"
|
|
if apiKey := auth.GetAPIKey(r.Context()); apiKey != nil && apiKey.ID != "admin" {
|
|
creator = apiKey.ID
|
|
}
|
|
|
|
result, err := h.authService.Create(r.Context(), auth.CreateKeyRequest{
|
|
Name: req.Name,
|
|
Scopes: scopes,
|
|
ProjectIDs: req.ProjectIDs,
|
|
ExpiresIn: expiresIn,
|
|
CreatedBy: creator,
|
|
})
|
|
if err != nil {
|
|
api.WriteInternalError(w, r, "Failed to create key")
|
|
return
|
|
}
|
|
|
|
api.WriteCreated(w, r, CreateKeyResponse{
|
|
Key: apiKeyToResponse(result.Key),
|
|
Secret: result.Secret,
|
|
})
|
|
}
|
|
|
|
// Get returns a single API key.
|
|
// GET /keys/{id}
|
|
func (h *KeysHandler) Get(w http.ResponseWriter, r *http.Request) {
|
|
id := chi.URLParam(r, "id")
|
|
|
|
key, err := h.authService.Get(r.Context(), id)
|
|
if err != nil {
|
|
if err == auth.ErrKeyNotFound {
|
|
api.WriteNotFound(w, r, "Key not found")
|
|
return
|
|
}
|
|
api.WriteInternalError(w, r, "Failed to get key")
|
|
return
|
|
}
|
|
|
|
api.WriteSuccess(w, r, apiKeyToResponse(key))
|
|
}
|
|
|
|
// Revoke marks an API key as revoked.
|
|
// DELETE /keys/{id}
|
|
func (h *KeysHandler) Revoke(w http.ResponseWriter, r *http.Request) {
|
|
id := chi.URLParam(r, "id")
|
|
|
|
if err := h.authService.Revoke(r.Context(), id); err != nil {
|
|
if err == auth.ErrKeyNotFound {
|
|
api.WriteNotFound(w, r, "Key not found")
|
|
return
|
|
}
|
|
api.WriteInternalError(w, r, "Failed to revoke key")
|
|
return
|
|
}
|
|
|
|
api.WriteSuccess(w, r, map[string]string{
|
|
"status": "revoked",
|
|
"id": id,
|
|
})
|
|
}
|