mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
a4d9b0a5fa
* feat(auth): user-facing API key management (create / list / revoke) Adds full-stack API key management so authenticated users can create, list, and revoke their own API keys from the Settings UI. Backend: - Convex `userApiKeys` table with SHA-256 key hash storage - Mutations: createApiKey, listApiKeys, revokeApiKey - Internal query validateKeyByHash + touchKeyLastUsed for gateway - HTTP endpoints: /api/api-keys (CRUD) + /api/internal-validate-api-key - Gateway middleware validates user-owned keys via Convex + Redis cache Frontend: - New "API Keys" tab in UnifiedSettings (visible when signed in) - Create form with copy-on-creation banner (key shown once) - List with prefix display, timestamps, and revoke action - Client-side key generation + hashing (plaintext never sent to DB) Closes #3116 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(api-keys): address PR review — cache invalidation, prefix validation, revoked-key guard - Invalidate Redis cache on key revocation so gateway rejects revoked keys immediately instead of waiting for 5-min TTL expiry (P1) - Enforce `wm_` prefix format with regex instead of loose length check (P2) - Skip `touchKeyLastUsed` for revoked keys to preserve clean audit trail (P2) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(api-keys): address consolidated PR review (P0–P3) P0: gate createApiKey on pro entitlement (tier >= 1); isCallerPremium now verifies key-owner tier instead of treating existence as premium. P1: wire wm_ user keys into the domain gateway auth path with async Convex-backed validation; user keys go through entitlement checks (only admin keys bypass). Lower cache TTL 300s → 60s and await revocation cache-bust instead of fire-and-forget. P2: remove dead HTTP create/list/revoke path from convex/http.ts; switch to cachedFetchJson (stampede protection, env-prefixed keys, standard NEG_SENTINEL); add tenancy check on cache-invalidation endpoint via new /api/internal-get-key-owner route; add 22 Convex tests covering tier gate, per-user limit, duplicate hash, ownership revoke guard, getKeyOwner, and touchKeyLastUsed debounce. P3: tighten keyPrefix regex to exactly 5 hex chars; debounce touchKeyLastUsed (5 min); surface PRO_REQUIRED in UI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(api-keys): gate on apiAccess (not tier), wire wm_ keys through edge routes, harden error paths - Gate API key creation/validation on features.apiAccess instead of tier >= 1. Pro (tier 1, apiAccess=false) can no longer mint keys — only API_STARTER+. - Wire wm_ user keys through standalone edge routes (shipping/route-intelligence, shipping/webhooks) that were short-circuiting on validateApiKey before async Convex validation could run. - Restore fail-soft behavior in validateUserApiKey: transient Convex/network errors degrade to unauthorized instead of bubbling a 500. - Fail-closed on cache invalidation endpoint: ownership check errors now return 503 instead of silently proceeding (surfaces Convex outages in logs). - Tests updated: positive paths use api_starter (apiAccess=true), new test locks Pro-without-API-access rejection. 23 tests pass. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(webhooks): remove wm_ user key fallback from shipping webhooks Webhook ownership is keyed to SHA-256(apiKey) via callerFingerprint(), not to the user. With user-owned keys (up to 5 per user), this causes cross-key blindness (webhooks invisible when calling with a different key) and revoke-orphaning (revoking the creating key makes the webhook permanently unmanageable). User keys remain supported on the read-only route-intelligence endpoint. Webhook ownership migration to userId will follow in a separate PR. --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Elie Habib <elie.habib@gmail.com>
185 lines
5.6 KiB
TypeScript
185 lines
5.6 KiB
TypeScript
import { ConvexError, v } from "convex/values";
|
|
import { internalMutation, internalQuery, mutation, query } from "./_generated/server";
|
|
import { requireUserId } from "./lib/auth";
|
|
|
|
/** Maximum number of active (non-revoked) API keys per user. */
|
|
const MAX_KEYS_PER_USER = 5;
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Public mutations & queries (require Clerk JWT via ctx.auth)
|
|
// ---------------------------------------------------------------------------
|
|
|
|
/**
|
|
* Create a new API key.
|
|
*
|
|
* The caller must generate the random key client-side (or in the HTTP action)
|
|
* and pass the SHA-256 hex hash + the first 8 chars (prefix) here.
|
|
* The plaintext key is NEVER stored in Convex.
|
|
*
|
|
* Requires an active entitlement with apiAccess=true (API_STARTER+ plans).
|
|
* Pro plans (tier 1) have apiAccess=false and cannot create keys.
|
|
*/
|
|
export const createApiKey = mutation({
|
|
args: {
|
|
name: v.string(),
|
|
keyPrefix: v.string(),
|
|
keyHash: v.string(),
|
|
},
|
|
handler: async (ctx, args) => {
|
|
const userId = await requireUserId(ctx);
|
|
|
|
// Entitlement gate: only users with apiAccess may create API keys.
|
|
// This is catalog-driven — Pro (tier 1) has apiAccess=false;
|
|
// API_STARTER+ (tier 2+) have apiAccess=true.
|
|
const entitlement = await ctx.db
|
|
.query("entitlements")
|
|
.withIndex("by_userId", (q) => q.eq("userId", userId))
|
|
.first();
|
|
if (
|
|
!entitlement ||
|
|
entitlement.validUntil < Date.now() ||
|
|
!entitlement.features.apiAccess
|
|
) {
|
|
throw new ConvexError("API_ACCESS_REQUIRED");
|
|
}
|
|
|
|
if (!args.name.trim()) {
|
|
throw new ConvexError("INVALID_NAME");
|
|
}
|
|
if (!/^wm_[a-f0-9]{5}$/.test(args.keyPrefix)) {
|
|
throw new ConvexError("INVALID_PREFIX");
|
|
}
|
|
if (!/^[a-f0-9]{64}$/.test(args.keyHash)) {
|
|
throw new ConvexError("INVALID_HASH");
|
|
}
|
|
|
|
// Enforce per-user key limit (count only non-revoked keys)
|
|
const existing = await ctx.db
|
|
.query("userApiKeys")
|
|
.withIndex("by_userId", (q) => q.eq("userId", userId))
|
|
.collect();
|
|
const activeCount = existing.filter((k) => !k.revokedAt).length;
|
|
if (activeCount >= MAX_KEYS_PER_USER) {
|
|
throw new ConvexError("KEY_LIMIT_REACHED");
|
|
}
|
|
|
|
// Guard against duplicate hash (astronomically unlikely, but belt-and-suspenders)
|
|
const dup = await ctx.db
|
|
.query("userApiKeys")
|
|
.withIndex("by_keyHash", (q) => q.eq("keyHash", args.keyHash))
|
|
.first();
|
|
if (dup) {
|
|
throw new ConvexError("DUPLICATE_KEY");
|
|
}
|
|
|
|
const id = await ctx.db.insert("userApiKeys", {
|
|
userId,
|
|
name: args.name.trim(),
|
|
keyPrefix: args.keyPrefix,
|
|
keyHash: args.keyHash,
|
|
createdAt: Date.now(),
|
|
});
|
|
|
|
return { id, name: args.name.trim(), keyPrefix: args.keyPrefix };
|
|
},
|
|
});
|
|
|
|
/** List all API keys for the current user (active + revoked). */
|
|
export const listApiKeys = query({
|
|
args: {},
|
|
handler: async (ctx) => {
|
|
const userId = await requireUserId(ctx);
|
|
const keys = await ctx.db
|
|
.query("userApiKeys")
|
|
.withIndex("by_userId", (q) => q.eq("userId", userId))
|
|
.collect();
|
|
|
|
return keys.map((k) => ({
|
|
id: k._id,
|
|
name: k.name,
|
|
keyPrefix: k.keyPrefix,
|
|
createdAt: k.createdAt,
|
|
lastUsedAt: k.lastUsedAt,
|
|
revokedAt: k.revokedAt,
|
|
}));
|
|
},
|
|
});
|
|
|
|
/** Revoke a key owned by the current user. */
|
|
export const revokeApiKey = mutation({
|
|
args: { keyId: v.id("userApiKeys") },
|
|
handler: async (ctx, args) => {
|
|
const userId = await requireUserId(ctx);
|
|
const key = await ctx.db.get(args.keyId);
|
|
|
|
if (!key || key.userId !== userId) {
|
|
throw new ConvexError("NOT_FOUND");
|
|
}
|
|
if (key.revokedAt) {
|
|
throw new ConvexError("ALREADY_REVOKED");
|
|
}
|
|
|
|
await ctx.db.patch(args.keyId, { revokedAt: Date.now() });
|
|
return { ok: true, keyHash: key.keyHash };
|
|
},
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Internal (service-to-service) — called from HTTP actions / middleware
|
|
// ---------------------------------------------------------------------------
|
|
|
|
/**
|
|
* Look up an API key by its SHA-256 hash.
|
|
* Returns the key row (with userId) if found and not revoked, else null.
|
|
* Used by the edge gateway to validate incoming API keys.
|
|
*/
|
|
export const validateKeyByHash = internalQuery({
|
|
args: { keyHash: v.string() },
|
|
handler: async (ctx, args) => {
|
|
const key = await ctx.db
|
|
.query("userApiKeys")
|
|
.withIndex("by_keyHash", (q) => q.eq("keyHash", args.keyHash))
|
|
.first();
|
|
|
|
if (!key || key.revokedAt) return null;
|
|
|
|
return {
|
|
id: key._id,
|
|
userId: key.userId,
|
|
name: key.name,
|
|
};
|
|
},
|
|
});
|
|
|
|
/**
|
|
* Look up the owner of a key by its hash, regardless of revoked status.
|
|
* Used by the cache-invalidation endpoint to verify tenancy.
|
|
*/
|
|
export const getKeyOwner = internalQuery({
|
|
args: { keyHash: v.string() },
|
|
handler: async (ctx, args) => {
|
|
const key = await ctx.db
|
|
.query("userApiKeys")
|
|
.withIndex("by_keyHash", (q) => q.eq("keyHash", args.keyHash))
|
|
.first();
|
|
return key ? { userId: key.userId } : null;
|
|
},
|
|
});
|
|
|
|
/**
|
|
* Bump lastUsedAt for a key (fire-and-forget from the gateway).
|
|
* Skips the write if lastUsedAt was updated within the last 5 minutes
|
|
* to reduce Convex write load for hot keys.
|
|
*/
|
|
const TOUCH_DEBOUNCE_MS = 5 * 60 * 1000;
|
|
|
|
export const touchKeyLastUsed = internalMutation({
|
|
args: { keyId: v.id("userApiKeys") },
|
|
handler: async (ctx, args) => {
|
|
const key = await ctx.db.get(args.keyId);
|
|
if (!key || key.revokedAt) return;
|
|
if (key.lastUsedAt && key.lastUsedAt > Date.now() - TOUCH_DEBOUNCE_MS) return;
|
|
await ctx.db.patch(args.keyId, { lastUsedAt: Date.now() });
|
|
},
|
|
});
|