v0.12.0 — REST API + personal access tokens
A bidirectional API so other apps (Home Assistant, phone shortcuts, scripts, and the coming MCP server) can read and update the homestead. - ApiToken model (sha256-hashed, scoped, with prefix/lastUsed/expiry/revoke) - authenticateRequest() accepts EITHER a NextAuth cookie session OR a Bearer PAT; cookie sessions get full access, tokens are limited to their scopes (write implies read; resource and global wildcards). ApiError + handleApiError - Shared service layer (plants/tasks/locations/plant-types) reused by every endpoint and, later, the MCP server — logic lives once - /api/v1: plants (read + add log), plant-types, locations, tasks (read/create/ complete), and a whoami/discovery root - Settings → API tokens: create with per-resource read/write checkboxes, raw token shown once, revoke; tokens added to backup/restore - Pure tests for scope matching + token hashing; verified end-to-end (401/403/ 201, lastUsedAt) against a running server Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,24 @@
|
||||
-- v0.12.0 — API tokens (personal access tokens for the REST API + MCP)
|
||||
|
||||
-- CreateTable
|
||||
CREATE TABLE "ApiToken" (
|
||||
"id" TEXT NOT NULL,
|
||||
"name" TEXT NOT NULL,
|
||||
"tokenHash" TEXT NOT NULL,
|
||||
"prefix" TEXT NOT NULL,
|
||||
"scopes" TEXT[],
|
||||
"userId" TEXT NOT NULL,
|
||||
"lastUsedAt" TIMESTAMP(3),
|
||||
"expiresAt" TIMESTAMP(3),
|
||||
"revokedAt" TIMESTAMP(3),
|
||||
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
|
||||
CONSTRAINT "ApiToken_pkey" PRIMARY KEY ("id")
|
||||
);
|
||||
|
||||
-- CreateIndex
|
||||
CREATE UNIQUE INDEX "ApiToken_tokenHash_key" ON "ApiToken"("tokenHash");
|
||||
CREATE INDEX "ApiToken_userId_idx" ON "ApiToken"("userId");
|
||||
|
||||
-- AddForeignKey
|
||||
ALTER TABLE "ApiToken" ADD CONSTRAINT "ApiToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
||||
@@ -31,6 +31,29 @@ model User {
|
||||
mustChangePassword Boolean @default(false)
|
||||
createdAt DateTime @default(now())
|
||||
updatedAt DateTime @updatedAt
|
||||
apiTokens ApiToken[]
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// API tokens — personal access tokens for the REST API + MCP server.
|
||||
// Only the SHA-256 hash of the raw token is stored; the raw value (mb_…) is
|
||||
// shown once at creation. `scopes` gate what a token can do (e.g. "plants:read").
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
model ApiToken {
|
||||
id String @id @default(cuid())
|
||||
name String // human label ("Home Assistant", "phone shortcut")
|
||||
tokenHash String @unique // sha256(raw)
|
||||
prefix String // first 8 chars of the raw token, shown in the UI
|
||||
scopes String[] // e.g. ["plants:read","items:write"]; ["*"] = full
|
||||
userId String
|
||||
user User @relation(fields: [userId], references: [id], onDelete: Cascade)
|
||||
lastUsedAt DateTime?
|
||||
expiresAt DateTime?
|
||||
revokedAt DateTime?
|
||||
createdAt DateTime @default(now())
|
||||
|
||||
@@index([userId])
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user