v0.12.0 — REST API + personal access tokens

A bidirectional API so other apps (Home Assistant, phone shortcuts, scripts,
and the coming MCP server) can read and update the homestead.

- ApiToken model (sha256-hashed, scoped, with prefix/lastUsed/expiry/revoke)
- authenticateRequest() accepts EITHER a NextAuth cookie session OR a Bearer
  PAT; cookie sessions get full access, tokens are limited to their scopes
  (write implies read; resource and global wildcards). ApiError + handleApiError
- Shared service layer (plants/tasks/locations/plant-types) reused by every
  endpoint and, later, the MCP server — logic lives once
- /api/v1: plants (read + add log), plant-types, locations, tasks (read/create/
  complete), and a whoami/discovery root
- Settings → API tokens: create with per-resource read/write checkboxes, raw
  token shown once, revoke; tokens added to backup/restore
- Pure tests for scope matching + token hashing; verified end-to-end (401/403/
  201, lastUsedAt) against a running server

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-15 23:55:58 -05:00
parent cdb21ed58a
commit c5bf108cb9
27 changed files with 880 additions and 4 deletions

View File

@@ -31,6 +31,29 @@ model User {
mustChangePassword Boolean @default(false)
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
apiTokens ApiToken[]
}
// ---------------------------------------------------------------------------
// API tokens — personal access tokens for the REST API + MCP server.
// Only the SHA-256 hash of the raw token is stored; the raw value (mb_…) is
// shown once at creation. `scopes` gate what a token can do (e.g. "plants:read").
// ---------------------------------------------------------------------------
model ApiToken {
id String @id @default(cuid())
name String // human label ("Home Assistant", "phone shortcut")
tokenHash String @unique // sha256(raw)
prefix String // first 8 chars of the raw token, shown in the UI
scopes String[] // e.g. ["plants:read","items:write"]; ["*"] = full
userId String
user User @relation(fields: [userId], references: [id], onDelete: Cascade)
lastUsedAt DateTime?
expiresAt DateTime?
revokedAt DateTime?
createdAt DateTime @default(now())
@@index([userId])
}
// ---------------------------------------------------------------------------