access token endpoints and other backend support

server/routers/accessToken/deleteAccessToken.ts

@@ -0,0 +1,67 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import response from "@server/utils/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { resourceAccessToken } from "@server/db/schema";
+import { and, eq } from "drizzle-orm";
+import db from "@server/db";
+
+const deleteAccessTokenParamsSchema = z.object({
+    accessTokenId: z.string()
+});
+
+export async function deleteAccessToken(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = deleteAccessTokenParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { accessTokenId } = parsedParams.data;
+
+        const [accessToken] = await db
+            .select()
+            .from(resourceAccessToken)
+            .where(and(eq(resourceAccessToken.accessTokenId, accessTokenId)));
+
+        if (!accessToken) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Resource access token not found"
+                )
+            );
+        }
+
+        await db
+            .delete(resourceAccessToken)
+            .where(and(eq(resourceAccessToken.accessTokenId, accessTokenId)));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Resource access token deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/accessToken/generateAccessToken.ts

@@ -0,0 +1,120 @@
+import { hash } from "@node-rs/argon2";
+import {
+    generateId,
+    generateIdFromEntropySize,
+    SESSION_COOKIE_EXPIRES
+} from "@server/auth";
+import db from "@server/db";
+import { resourceAccessToken, resources } from "@server/db/schema";
+import HttpCode from "@server/types/HttpCode";
+import response from "@server/utils/response";
+import { eq } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+import { createDate, TimeSpan } from "oslo";
+
+export const generateAccessTokenBodySchema = z.object({
+    validForSeconds: z.number().int().positive().optional(), // seconds
+    title: z.string().optional(),
+    description: z.string().optional()
+});
+
+export const generateAccssTokenParamsSchema = z.object({
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
+});
+
+export type GenerateAccessTokenResponse = {
+    token: string;
+};
+
+export async function generateAccessToken(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    const parsedBody = generateAccessTokenBodySchema.safeParse(req.body);
+
+    if (!parsedBody.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedBody.error).toString()
+            )
+        );
+    }
+
+    const parsedParams = generateAccssTokenParamsSchema.safeParse(req.params);
+
+    if (!parsedParams.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedParams.error).toString()
+            )
+        );
+    }
+
+    const { resourceId } = parsedParams.data;
+    const { validForSeconds, title, description } = parsedBody.data;
+
+    const [resource] = await db
+        .select()
+        .from(resources)
+        .where(eq(resources.resourceId, resourceId));
+
+    if (!resource) {
+        return next(createHttpError(HttpCode.NOT_FOUND, "Resource not found"));
+    }
+
+    try {
+        const sessionLength = validForSeconds
+            ? validForSeconds * 1000
+            : SESSION_COOKIE_EXPIRES;
+        const expiresAt = validForSeconds
+            ? createDate(new TimeSpan(validForSeconds, "s")).getTime()
+            : undefined;
+
+        const token = generateIdFromEntropySize(25);
+
+        const tokenHash = await hash(token, {
+            memoryCost: 19456,
+            timeCost: 2,
+            outputLen: 32,
+            parallelism: 1
+        });
+
+        const id = generateId(15);
+        await db.insert(resourceAccessToken).values({
+            accessTokenId: id,
+            orgId: resource.orgId,
+            resourceId,
+            tokenHash,
+            expiresAt: expiresAt || null,
+            sessionLength: sessionLength,
+            title: title || `${resource.name} Token ${new Date().getTime()}`,
+            description: description || null,
+            createdAt: new Date().getTime()
+        });
+
+        return response<GenerateAccessTokenResponse>(res, {
+            data: {
+                token: `${id}.${token}`
+            },
+            success: true,
+            error: false,
+            message: "Resource access token generated successfully",
+            status: HttpCode.OK
+        });
+    } catch (e) {
+        logger.error(e);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to authenticate with resource"
+            )
+        );
+    }
+}

server/routers/accessToken/index.ts

@@ -0,0 +1,3 @@
+export * from "./generateAccessToken";
+export * from "./listAccessTokens";
+export * from "./deleteAccessToken";

server/routers/accessToken/listAccessTokens.ts

@@ -0,0 +1,183 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import {
+    resources,
+    userResources,
+    roleResources,
+    resourceAccessToken
+} from "@server/db/schema";
+import response from "@server/utils/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { sql, eq, or, inArray, and, count } from "drizzle-orm";
+import logger from "@server/logger";
+import stoi from "@server/utils/stoi";
+
+const listAccessTokensParamsSchema = z
+    .object({
+        resourceId: z
+            .string()
+            .optional()
+            .transform(stoi)
+            .pipe(z.number().int().positive().optional()),
+        orgId: z.string().optional()
+    })
+    .refine((data) => !!data.resourceId !== !!data.orgId, {
+        message: "Either resourceId or orgId must be provided, but not both"
+    });
+
+const listAccessTokensSchema = z.object({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.number().int().nonnegative()),
+
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.number().int().nonnegative())
+});
+
+function queryAccessTokens(
+    accessibleResourceIds: number[],
+    orgId?: string,
+    resourceId?: number
+) {
+    const cols = {
+        accessTokenId: resourceAccessToken.accessTokenId,
+        orgId: resourceAccessToken.orgId,
+        resourceId: resourceAccessToken.resourceId,
+        sessionLength: resourceAccessToken.sessionLength,
+        expiresAt: resourceAccessToken.expiresAt,
+        title: resourceAccessToken.title,
+        description: resourceAccessToken.description,
+        createdAt: resourceAccessToken.createdAt
+    };
+
+    if (orgId) {
+        return db
+            .select(cols)
+            .from(resourceAccessToken)
+            .where(
+                and(
+                    inArray(resourceAccessToken.resourceId, accessibleResourceIds),
+                    eq(resourceAccessToken.orgId, orgId)
+                )
+            );
+    } else if (resourceId) {
+        return db
+            .select(cols)
+            .from(resourceAccessToken)
+            .where(
+                and(
+                    inArray(resources.resourceId, accessibleResourceIds),
+                    eq(resources.resourceId, resourceId)
+                )
+            );
+    }
+}
+
+export type ListAccessTokensResponse = {
+    accessTokens: NonNullable<Awaited<ReturnType<typeof queryAccessTokens>>>;
+    pagination: { total: number; limit: number; offset: number };
+};
+
+export async function listAccessTokens(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedQuery = listAccessTokensSchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    parsedQuery.error.errors.map((e) => e.message).join(", ")
+                )
+            );
+        }
+        const { limit, offset } = parsedQuery.data;
+
+        const parsedParams = listAccessTokensParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    parsedParams.error.errors.map((e) => e.message).join(", ")
+                )
+            );
+        }
+        const { orgId, resourceId } = parsedParams.data;
+
+        if (orgId && orgId !== req.userOrgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        const accessibleResources = await db
+            .select({
+                resourceId: sql<number>`COALESCE(${userResources.resourceId}, ${roleResources.resourceId})`
+            })
+            .from(userResources)
+            .fullJoin(
+                roleResources,
+                eq(userResources.resourceId, roleResources.resourceId)
+            )
+            .where(
+                or(
+                    eq(userResources.userId, req.user!.userId),
+                    eq(roleResources.roleId, req.userOrgRoleId!)
+                )
+            );
+
+        const accessibleResourceIds = accessibleResources.map(
+            (resource) => resource.resourceId
+        );
+
+        let countQuery: any = db
+            .select({ count: count() })
+            .from(resources)
+            .where(inArray(resources.resourceId, accessibleResourceIds));
+
+        const baseQuery = queryAccessTokens(
+            accessibleResourceIds,
+            orgId,
+            resourceId
+        );
+
+        const list = await baseQuery!.limit(limit).offset(offset);
+        const totalCountResult = await countQuery;
+        const totalCount = totalCountResult[0].count;
+
+        return response<ListAccessTokensResponse>(res, {
+            data: {
+                accessTokens: list,
+                pagination: {
+                    total: totalCount,
+                    limit,
+                    offset
+                }
+            },
+            success: true,
+            error: false,
+            message: "Access tokens retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        throw error;
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}