[7446] Scoped PATs: API routes and controllers#7766
Merged
Conversation
…based permissions
…d refactor duplicate PAT checks
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7766 +/- ##
==========================================
- Coverage 75.38% 75.06% -0.32%
==========================================
Files 428 429 +1
Lines 22539 22864 +325
Branches 5944 6073 +129
==========================================
+ Hits 16992 17164 +172
- Misses 5547 5700 +153
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
knolleary
approved these changes
Jul 10, 2026
Member
|
I do wonder if tokens should be immutable in terms of their auth properties. Renaming is okay. Not a thought for this PR. |
Contributor
Author
I have to admit, I was surprised when I noticed that the expiry date can be updated. We can create a follow up for it |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Wires
readOnly,adminOptIn, andteamIdsthrough the PAT CRUD layer.POST /api/v1/user/tokensandPUT /api/v1/user/tokens/:idnow acceptreadOnly,adminOptIn, andteamIdsin the request bodyGET /api/v1/user/tokensreturnsreadOnly,adminOptIn, andteams(array of{ id, name }) for each token403 pat_cannot_create_pat) via a newapp.blockPATpreHandler (reusable on any route that needs the same guard)400 invalid_teamadminOptIn: true(403)request.session.isPAT,request.session.pat, and mirrors the same object intorequest.requestContext. laying the groundwork for enforcement in later tasks without changing any existing behaviorAccessTokenandAccessTokenTeamScoperows consistentNo functional changes yet
teamIdswill almost never be sent in practice (existing token creation/update flows are unaffected)AccessTokenTeamScoperows will not be created until the UI shipsreadOnlyand team scope restrictions are not enforced on any other routes yet (that's a follow-up task)Related Issue(s)
closes #7446
closes #7515
Checklist
flowforge.yml?FlowFuse/helmto update ConfigMap TemplateFlowFuse/CloudProjectto update values for Staging/ProductionLabels
area:migrationlabel