feat(auth): add DB-based token authentication for dashboard-created clients

Add client_tokens table with auto-generated sk-{hex} tokens so clients created in the dashboard get working API keys. Auth flow: DB token lookup first, then env token fallback, then permissive mode. Includes token management CRUD endpoints and copy-once reveal modal in the frontend.
2026-03-02 15:14:12 -05:00
parent 4e53b05126
commit 54c45cbfca
8 changed files with 373 additions and 24 deletions
--- a/src/dashboard/clients.rs
+++ b/src/dashboard/clients.rs
@@ -3,6 +3,7 @@ use axum::{
    response::Json,
 };
 use chrono;
+use rand::Rng;
 use serde::Deserialize;
 use serde_json;
 use sqlx::Row;
@@ -11,6 +12,13 @@ use uuid;

 use super::{ApiResponse, DashboardState};

+/// Generate a random API token: sk-{48 hex chars}
+fn generate_token() -> String {
+    let mut rng = rand::rng();
+    let bytes: Vec<u8> = (0..24).map(|_| rng.random::<u8>()).collect();
+    format!("sk-{}", hex::encode(bytes))
+}
+
 #[derive(Deserialize)]
 pub(super) struct CreateClientRequest {
    pub(super) name: String,
@@ -98,12 +106,29 @@ pub(super) async fn handle_create_client(
    .await;

    match result {
-        Ok(row) => Json(ApiResponse::success(serde_json::json!({
-            "id": row.get::<String, _>("client_id"),
-            "name": row.get::<Option<String>, _>("name"),
-            "created_at": row.get::<chrono::DateTime<chrono::Utc>, _>("created_at"),
-            "status": "active",
-        }))),
+        Ok(row) => {
+            // Auto-generate a token for the new client
+            let token = generate_token();
+            let token_result = sqlx::query(
+                "INSERT INTO client_tokens (client_id, token, name) VALUES (?, ?, 'default')",
+            )
+            .bind(&client_id)
+            .bind(&token)
+            .execute(pool)
+            .await;
+
+            if let Err(e) = token_result {
+                warn!("Client created but failed to generate token: {}", e);
+            }
+
+            Json(ApiResponse::success(serde_json::json!({
+                "id": row.get::<String, _>("client_id"),
+                "name": row.get::<Option<String>, _>("name"),
+                "created_at": row.get::<chrono::DateTime<chrono::Utc>, _>("created_at"),
+                "status": "active",
+                "token": token,
+            })))
+        }
        Err(e) => {
            warn!("Failed to create client: {}", e);
            Json(ApiResponse::error(format!("Failed to create client: {}", e)))
@@ -333,3 +358,131 @@ pub(super) async fn handle_client_usage(
        }
    }
 }
+
+// ── Token management endpoints ──────────────────────────────────────
+
+pub(super) async fn handle_get_client_tokens(
+    State(state): State<DashboardState>,
+    Path(id): Path<String>,
+) -> Json<ApiResponse<serde_json::Value>> {
+    let pool = &state.app_state.db_pool;
+
+    let result = sqlx::query(
+        r#"
+        SELECT id, token, name, is_active, created_at, last_used_at
+        FROM client_tokens
+        WHERE client_id = ?
+        ORDER BY created_at DESC
+        "#,
+    )
+    .bind(&id)
+    .fetch_all(pool)
+    .await;
+
+    match result {
+        Ok(rows) => {
+            let tokens: Vec<serde_json::Value> = rows
+                .into_iter()
+                .map(|row| {
+                    let token: String = row.get("token");
+                    // Mask all but last 8 chars: sk-••••abcd1234
+                    let masked = if token.len() > 8 {
+                        format!("{}••••{}", &token[..3], &token[token.len() - 8..])
+                    } else {
+                        "••••".to_string()
+                    };
+                    serde_json::json!({
+                        "id": row.get::<i64, _>("id"),
+                        "token_masked": masked,
+                        "name": row.get::<Option<String>, _>("name").unwrap_or_else(|| "default".to_string()),
+                        "is_active": row.get::<bool, _>("is_active"),
+                        "created_at": row.get::<chrono::DateTime<chrono::Utc>, _>("created_at"),
+                        "last_used_at": row.get::<Option<chrono::DateTime<chrono::Utc>>, _>("last_used_at"),
+                    })
+                })
+                .collect();
+
+            Json(ApiResponse::success(serde_json::json!(tokens)))
+        }
+        Err(e) => {
+            warn!("Failed to fetch client tokens: {}", e);
+            Json(ApiResponse::error(format!("Failed to fetch client tokens: {}", e)))
+        }
+    }
+}
+
+#[derive(Deserialize)]
+pub(super) struct CreateTokenRequest {
+    pub(super) name: Option<String>,
+}
+
+pub(super) async fn handle_create_client_token(
+    State(state): State<DashboardState>,
+    Path(id): Path<String>,
+    Json(payload): Json<CreateTokenRequest>,
+) -> Json<ApiResponse<serde_json::Value>> {
+    let pool = &state.app_state.db_pool;
+
+    // Verify client exists
+    let exists: Option<(i64,)> = sqlx::query_as("SELECT 1 as x FROM clients WHERE client_id = ?")
+        .bind(&id)
+        .fetch_optional(pool)
+        .await
+        .unwrap_or(None);
+
+    if exists.is_none() {
+        return Json(ApiResponse::error(format!("Client '{}' not found", id)));
+    }
+
+    let token = generate_token();
+    let token_name = payload.name.unwrap_or_else(|| "default".to_string());
+
+    let result = sqlx::query(
+        "INSERT INTO client_tokens (client_id, token, name) VALUES (?, ?, ?) RETURNING id, created_at",
+    )
+    .bind(&id)
+    .bind(&token)
+    .bind(&token_name)
+    .fetch_one(pool)
+    .await;
+
+    match result {
+        Ok(row) => Json(ApiResponse::success(serde_json::json!({
+            "id": row.get::<i64, _>("id"),
+            "token": token,
+            "name": token_name,
+            "created_at": row.get::<chrono::DateTime<chrono::Utc>, _>("created_at"),
+        }))),
+        Err(e) => {
+            warn!("Failed to create client token: {}", e);
+            Json(ApiResponse::error(format!("Failed to create token: {}", e)))
+        }
+    }
+}
+
+pub(super) async fn handle_delete_client_token(
+    State(state): State<DashboardState>,
+    Path((client_id, token_id)): Path<(String, i64)>,
+) -> Json<ApiResponse<serde_json::Value>> {
+    let pool = &state.app_state.db_pool;
+
+    let result = sqlx::query("DELETE FROM client_tokens WHERE id = ? AND client_id = ?")
+        .bind(token_id)
+        .bind(&client_id)
+        .execute(pool)
+        .await;
+
+    match result {
+        Ok(r) => {
+            if r.rows_affected() == 0 {
+                Json(ApiResponse::error("Token not found".to_string()))
+            } else {
+                Json(ApiResponse::success(serde_json::json!({ "message": "Token revoked" })))
+            }
+        }
+        Err(e) => {
+            warn!("Failed to delete client token: {}", e);
+            Json(ApiResponse::error(format!("Failed to revoke token: {}", e)))
+        }
+    }
+}
--- a/src/dashboard/mod.rs
+++ b/src/dashboard/mod.rs
@@ -11,7 +11,7 @@ mod websocket;

 use axum::{
    Router,
-    routing::{get, post, put},
+    routing::{delete, get, post, put},
 };
 use serde::Serialize;

@@ -87,6 +87,14 @@ pub fn router(state: AppState) -> Router {
                .delete(clients::handle_delete_client),
        )
        .route("/api/clients/{id}/usage", get(clients::handle_client_usage))
+        .route(
+            "/api/clients/{id}/tokens",
+            get(clients::handle_get_client_tokens).post(clients::handle_create_client_token),
+        )
+        .route(
+            "/api/clients/{id}/tokens/{token_id}",
+            delete(clients::handle_delete_client_token),
+        )
        .route("/api/providers", get(providers::handle_get_providers))
        .route(
            "/api/providers/{name}",