Skip to content

[7446] Scoped PATs: API routes and controllers#7766

Merged
knolleary merged 7 commits into
mainfrom
7446_pat-metadata
Jul 10, 2026
Merged

[7446] Scoped PATs: API routes and controllers#7766
knolleary merged 7 commits into
mainfrom
7446_pat-metadata

Conversation

@cstns

@cstns cstns commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description

Wires readOnly, adminOptIn, and teamIds through the PAT CRUD layer.

  • POST /api/v1/user/tokens and PUT /api/v1/user/tokens/:id now accept readOnly, adminOptIn, and teamIds in the request body
  • GET /api/v1/user/tokens returns readOnly, adminOptIn, and teams (array of { id, name }) for each token
  • Both mutating endpoints are blocked for PAT-authenticated requests (403 pat_cannot_create_pat) via a new app.blockPAT preHandler (reusable on any route that needs the same guard)
  • Team membership is validated on create/update — unknown or non-member teams are rejected with 400 invalid_team
  • Non-admin users cannot set adminOptIn: true (403)
  • Named PAT authentication now populates request.session.isPAT, request.session.pat, and mirrors the same object into request.requestContext. laying the groundwork for enforcement in later tasks without changing any existing behavior
  • Token create and update operations use transactions to keep AccessToken and AccessTokenTeamScope rows consistent
  • getOrExpire now eager-loads AccessTokenTeamScope (with nested Team) for all token lookups, avoiding a second DB hit during auth
  • request.session.pat now includes teamScopes: null when no team scope entries (all teams accessible), or an array of { [hashid]: role } objects (with the user's actual team role from TeamMember)
  • Both request.session.pat and request.requestContext receive the full PAT metadata including teamScopes

No functional changes yet

  • No UI exists for scoped PATs yet, so teamIds will almost never be sent in practice (existing token creation/update flows are unaffected)
  • AccessTokenTeamScope rows will not be created until the UI ships
  • readOnly and team scope restrictions are not enforced on any other routes yet (that's a follow-up task)

Related Issue(s)

closes #7446
closes #7515

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
  • Link to Changelog Entry PR, or note why one is not needed.

Labels

  • Includes a DB migration? -> add the area:migration label

@cstns cstns self-assigned this Jul 7, 2026
@cstns cstns requested a review from knolleary July 7, 2026 11:41
@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 73.97260% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.06%. Comparing base (3a61885) to head (2e24865).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
forge/routes/api/user.js 71.42% 8 Missing ⚠️
forge/routes/auth/index.js 61.11% 7 Missing ⚠️
forge/db/controllers/AccessToken.js 81.81% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7766      +/-   ##
==========================================
- Coverage   75.38%   75.06%   -0.32%     
==========================================
  Files         428      429       +1     
  Lines       22539    22864     +325     
  Branches     5944     6073     +129     
==========================================
+ Hits        16992    17164     +172     
- Misses       5547     5700     +153     
Flag Coverage Δ
backend 75.06% <73.97%> (-0.32%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@cstns cstns changed the title [7446] Scoped PATs — API routes and controllers [7446] Scoped PATs: API routes and controllers Jul 8, 2026
@knolleary

Copy link
Copy Markdown
Member

I do wonder if tokens should be immutable in terms of their auth properties. Renaming is okay. Not a thought for this PR.

@cstns

cstns commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

I do wonder if tokens should be immutable in terms of their auth properties. Renaming is okay. Not a thought for this PR.

I have to admit, I was surprised when I noticed that the expiry date can be updated. We can create a follow up for it

@knolleary knolleary merged commit 80066ac into main Jul 10, 2026
71 of 72 checks passed
@knolleary knolleary deleted the 7446_pat-metadata branch July 10, 2026 10:10
@knolleary knolleary mentioned this pull request Jul 10, 2026
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Scoped PATs - API Routes and Controllers Scoped PATs - Auth Middleware: Populate PAT Metadata

2 participants