v0.12.0 — REST API + personal access tokens
A bidirectional API so other apps (Home Assistant, phone shortcuts, scripts, and the coming MCP server) can read and update the homestead. - ApiToken model (sha256-hashed, scoped, with prefix/lastUsed/expiry/revoke) - authenticateRequest() accepts EITHER a NextAuth cookie session OR a Bearer PAT; cookie sessions get full access, tokens are limited to their scopes (write implies read; resource and global wildcards). ApiError + handleApiError - Shared service layer (plants/tasks/locations/plant-types) reused by every endpoint and, later, the MCP server — logic lives once - /api/v1: plants (read + add log), plant-types, locations, tasks (read/create/ complete), and a whoami/discovery root - Settings → API tokens: create with per-resource read/write checkboxes, raw token shown once, revoke; tokens added to backup/restore - Pure tests for scope matching + token hashing; verified end-to-end (401/403/ 201, lastUsedAt) against a running server Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
29
src/app/api/account/tokens/[id]/route.ts
Normal file
29
src/app/api/account/tokens/[id]/route.ts
Normal file
@@ -0,0 +1,29 @@
|
||||
import { NextResponse } from "next/server";
|
||||
import { db } from "@/lib/db";
|
||||
import { requireAuth } from "@/lib/auth";
|
||||
|
||||
// DELETE /api/account/tokens/:id — revoke one of your own tokens.
|
||||
export async function DELETE(_req: Request, { params }: { params: { id: string } }) {
|
||||
try {
|
||||
const session = await requireAuth();
|
||||
const token = await db.apiToken.findUnique({ where: { id: params.id } });
|
||||
if (!token || token.userId !== session.user.id)
|
||||
return NextResponse.json({ error: "Not found" }, { status: 404 });
|
||||
|
||||
await db.apiToken.update({ where: { id: params.id }, data: { revokedAt: new Date() } });
|
||||
await db.auditEvent.create({
|
||||
data: {
|
||||
action: "api_token.revoke",
|
||||
entityId: params.id,
|
||||
actorId: session.user.id,
|
||||
payload: { name: token.name },
|
||||
},
|
||||
});
|
||||
return NextResponse.json({ ok: true });
|
||||
} catch (err) {
|
||||
if (err instanceof Error && err.message === "Unauthorized")
|
||||
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
||||
console.error(err);
|
||||
return NextResponse.json({ error: "Server error" }, { status: 500 });
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user