feat: backend API key auth context and settings hardening (#406)
* feat: add backend api-key auth context and settings hardening * fix: harden api key token hashing
This commit is contained in:
Daniel Volz
GitHub
@@ -189,7 +189,21 @@ export async function runAlterMigrations(client: Client): Promise<{ success: boo
|
||||
packs_added INTEGER NOT NULL DEFAULT 0,
|
||||
loose_pills_added INTEGER NOT NULL DEFAULT 0,
|
||||
refill_date INTEGER NOT NULL DEFAULT (strftime('%s','now'))
|
||||
)`,
|
||||
)`,
|
||||
// Added in v1.20.x - API key authentication for programmatic access
|
||||
`CREATE TABLE IF NOT EXISTS api_keys (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
|
||||
name TEXT NOT NULL,
|
||||
key_hash TEXT NOT NULL UNIQUE,
|
||||
token_prefix TEXT NOT NULL DEFAULT '',
|
||||
scope TEXT NOT NULL DEFAULT 'write',
|
||||
is_active INTEGER NOT NULL DEFAULT 1,
|
||||
last_used_at INTEGER,
|
||||
expires_at INTEGER,
|
||||
created_at INTEGER NOT NULL DEFAULT (strftime('%s','now')),
|
||||
updated_at INTEGER NOT NULL DEFAULT (strftime('%s','now'))
|
||||
)`,
|
||||
];
|
||||
|
||||
for (const sql of createTableMigrations) {
|
||||
@@ -207,6 +221,9 @@ export async function runAlterMigrations(client: Client): Promise<{ success: boo
|
||||
const createIndexMigrations = [
|
||||
// Added in v1.6.x - case-insensitive unique usernames
|
||||
`CREATE UNIQUE INDEX IF NOT EXISTS users_username_lower_unique ON users(lower(username))`,
|
||||
// Added in v1.20.x - fast API key lookup and ownership filtering
|
||||
`CREATE UNIQUE INDEX IF NOT EXISTS api_keys_key_hash_unique ON api_keys(key_hash)`,
|
||||
`CREATE INDEX IF NOT EXISTS api_keys_user_id_idx ON api_keys(user_id)`,
|
||||
];
|
||||
|
||||
for (const sql of createIndexMigrations) {
|
||||
|
||||
@@ -146,6 +146,25 @@ export const refreshTokens = sqliteTable("refresh_tokens", {
|
||||
createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
|
||||
});
|
||||
|
||||
// =============================================================================
|
||||
// API Keys - Personal access tokens for programmatic API access
|
||||
// =============================================================================
|
||||
export const apiKeys = sqliteTable("api_keys", {
|
||||
id: integer("id").primaryKey({ autoIncrement: true }),
|
||||
userId: integer("user_id")
|
||||
.notNull()
|
||||
.references(() => users.id, { onDelete: "cascade" }),
|
||||
name: text("name", { length: 100 }).notNull(),
|
||||
keyHash: text("key_hash", { length: 128 }).notNull().unique(),
|
||||
tokenPrefix: text("token_prefix", { length: 24 }).notNull().default(""),
|
||||
scope: text("scope", { length: 10 }).notNull().default("write"), // 'read' | 'write'
|
||||
isActive: integer("is_active", { mode: "boolean" }).notNull().default(true),
|
||||
lastUsedAt: integer("last_used_at", { mode: "timestamp" }),
|
||||
expiresAt: integer("expires_at", { mode: "timestamp" }),
|
||||
createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
|
||||
updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
|
||||
});
|
||||
|
||||
// =============================================================================
|
||||
// Share Tokens - For public schedule sharing by takenBy person
|
||||
// =============================================================================
|
||||
|
||||
Reference in New Issue
Block a user