dragonflight/services/mam-api/src/routes/tokens.js

// Current-user API token CRUD. The raw token is returned exactly once at
// creation time; only the SHA-256 hash and an 8-char display prefix are stored.
import express from 'express';
import pool from '../db/pool.js';
import { generateToken, hashToken, tokenDisplayPrefix } from '../auth/tokens.js';

const router = express.Router();

// GET / — list current user's tokens (prefix only, never the raw token)
router.get('/', async (req, res, next) => {
  try {
    const { rows } = await pool.query(
      `SELECT id, name, token_prefix AS prefix, bound_hostname, last_used_at, expires_at, created_at
       FROM api_tokens WHERE user_id = $1 ORDER BY created_at DESC`,
      [req.user.id]);
    res.json(rows);
  } catch (err) { next(err); }
});

// POST / — create a new token. Optional bound_hostname binds the token to a
// specific node-agent hostname (migration 019) — the /cluster/heartbeat handler
// rejects heartbeats whose body.hostname doesn't match a bound token.
router.post('/', async (req, res, next) => {
  try {
    const { name, expires_at, bound_hostname } = req.body || {};
    if (!name || typeof name !== 'string') return res.status(400).json({ error: 'name required' });
    if (bound_hostname !== undefined && bound_hostname !== null && typeof bound_hostname !== 'string') {
      return res.status(400).json({ error: 'bound_hostname must be a string' });
    }
    const raw = generateToken();
    const { rows } = await pool.query(
      `INSERT INTO api_tokens (user_id, name, token_hash, token_prefix, expires_at, bound_hostname)
       VALUES ($1, $2, $3, $4, $5, $6)
       RETURNING id, name, token_prefix AS prefix, bound_hostname, expires_at, created_at`,
      [req.user.id, name.trim(), hashToken(raw), tokenDisplayPrefix(raw),
       expires_at || null, bound_hostname?.trim() || null]);
    res.status(201).json({ ...rows[0], token: raw });   // raw token shown exactly once
  } catch (err) { next(err); }
});

// DELETE /:id — revoke; only the owner can revoke
router.delete('/:id', async (req, res, next) => {
  try {
    const { rowCount } = await pool.query(
      `DELETE FROM api_tokens WHERE id = $1 AND user_id = $2`,
      [req.params.id, req.user.id]);
    if (rowCount === 0) return res.status(404).json({ error: 'token not found' });
    res.status(204).end();
  } catch (err) { next(err); }
});

export default router;
feat(mam-api): API token CRUD — show raw once, bearer-authenticate via SHA-256 lookup 2026-05-27 14:52:07 -04:00			`// Current-user API token CRUD. The raw token is returned exactly once at`
			`// creation time; only the SHA-256 hash and an 8-char display prefix are stored.`
			`import express from 'express';`
			`import pool from '../db/pool.js';`
			`import { generateToken, hashToken, tokenDisplayPrefix } from '../auth/tokens.js';`

			`const router = express.Router();`

			`// GET / — list current user's tokens (prefix only, never the raw token)`
			`router.get('/', async (req, res, next) => {`
			`try {`
			`const { rows } = await pool.query(`
feat(auth): bound-hostname tokens for node-agent + return role from /me - requireAuth bearer path now selects api_tokens.bound_hostname and users.role, populates req.tokenBoundHostname and req.user.role. /cluster/heartbeat can now authenticate via a bound api_token (issued via POST /auth/tokens with bound_hostname). - routes/tokens.js POST accepts bound_hostname; GET returns it so users can see which tokens are bound. - Remove /cluster/heartbeat from SERVICE_PATHS so requireAuth runs on it (the bearer auth handles the gate; the heartbeat handler still enforces the body.hostname === bound match). - /auth/me now returns role (final-review I2). Closes the gap where every signed-in user appeared as 'viewer' in the UI regardless of actual role. - loadUser SELECTs role for session auth. - Backend tests still 37/15/0/22 — no test changes needed; existing token CRUD tests stay passing since bound_hostname is optional. 2026-05-27 19:27:51 -04:00			`SELECT id, name, token_prefix AS prefix, bound_hostname, last_used_at, expires_at, created_at
feat(mam-api): API token CRUD — show raw once, bearer-authenticate via SHA-256 lookup 2026-05-27 14:52:07 -04:00			FROM api_tokens WHERE user_id = $1 ORDER BY created_at DESC`,
			`[req.user.id]);`
			`res.json(rows);`
			`} catch (err) { next(err); }`
			`});`

feat(auth): bound-hostname tokens for node-agent + return role from /me - requireAuth bearer path now selects api_tokens.bound_hostname and users.role, populates req.tokenBoundHostname and req.user.role. /cluster/heartbeat can now authenticate via a bound api_token (issued via POST /auth/tokens with bound_hostname). - routes/tokens.js POST accepts bound_hostname; GET returns it so users can see which tokens are bound. - Remove /cluster/heartbeat from SERVICE_PATHS so requireAuth runs on it (the bearer auth handles the gate; the heartbeat handler still enforces the body.hostname === bound match). - /auth/me now returns role (final-review I2). Closes the gap where every signed-in user appeared as 'viewer' in the UI regardless of actual role. - loadUser SELECTs role for session auth. - Backend tests still 37/15/0/22 — no test changes needed; existing token CRUD tests stay passing since bound_hostname is optional. 2026-05-27 19:27:51 -04:00			`// POST / — create a new token. Optional bound_hostname binds the token to a`
			`// specific node-agent hostname (migration 019) — the /cluster/heartbeat handler`
			`// rejects heartbeats whose body.hostname doesn't match a bound token.`
feat(mam-api): API token CRUD — show raw once, bearer-authenticate via SHA-256 lookup 2026-05-27 14:52:07 -04:00			`router.post('/', async (req, res, next) => {`
			`try {`
feat(auth): bound-hostname tokens for node-agent + return role from /me - requireAuth bearer path now selects api_tokens.bound_hostname and users.role, populates req.tokenBoundHostname and req.user.role. /cluster/heartbeat can now authenticate via a bound api_token (issued via POST /auth/tokens with bound_hostname). - routes/tokens.js POST accepts bound_hostname; GET returns it so users can see which tokens are bound. - Remove /cluster/heartbeat from SERVICE_PATHS so requireAuth runs on it (the bearer auth handles the gate; the heartbeat handler still enforces the body.hostname === bound match). - /auth/me now returns role (final-review I2). Closes the gap where every signed-in user appeared as 'viewer' in the UI regardless of actual role. - loadUser SELECTs role for session auth. - Backend tests still 37/15/0/22 — no test changes needed; existing token CRUD tests stay passing since bound_hostname is optional. 2026-05-27 19:27:51 -04:00			`const { name, expires_at, bound_hostname } = req.body \|\| {};`
feat(mam-api): API token CRUD — show raw once, bearer-authenticate via SHA-256 lookup 2026-05-27 14:52:07 -04:00			`if (!name \|\| typeof name !== 'string') return res.status(400).json({ error: 'name required' });`
feat(auth): bound-hostname tokens for node-agent + return role from /me - requireAuth bearer path now selects api_tokens.bound_hostname and users.role, populates req.tokenBoundHostname and req.user.role. /cluster/heartbeat can now authenticate via a bound api_token (issued via POST /auth/tokens with bound_hostname). - routes/tokens.js POST accepts bound_hostname; GET returns it so users can see which tokens are bound. - Remove /cluster/heartbeat from SERVICE_PATHS so requireAuth runs on it (the bearer auth handles the gate; the heartbeat handler still enforces the body.hostname === bound match). - /auth/me now returns role (final-review I2). Closes the gap where every signed-in user appeared as 'viewer' in the UI regardless of actual role. - loadUser SELECTs role for session auth. - Backend tests still 37/15/0/22 — no test changes needed; existing token CRUD tests stay passing since bound_hostname is optional. 2026-05-27 19:27:51 -04:00			`if (bound_hostname !== undefined && bound_hostname !== null && typeof bound_hostname !== 'string') {`
			`return res.status(400).json({ error: 'bound_hostname must be a string' });`
			`}`
feat(mam-api): API token CRUD — show raw once, bearer-authenticate via SHA-256 lookup 2026-05-27 14:52:07 -04:00			`const raw = generateToken();`
			`const { rows } = await pool.query(`
feat(auth): bound-hostname tokens for node-agent + return role from /me - requireAuth bearer path now selects api_tokens.bound_hostname and users.role, populates req.tokenBoundHostname and req.user.role. /cluster/heartbeat can now authenticate via a bound api_token (issued via POST /auth/tokens with bound_hostname). - routes/tokens.js POST accepts bound_hostname; GET returns it so users can see which tokens are bound. - Remove /cluster/heartbeat from SERVICE_PATHS so requireAuth runs on it (the bearer auth handles the gate; the heartbeat handler still enforces the body.hostname === bound match). - /auth/me now returns role (final-review I2). Closes the gap where every signed-in user appeared as 'viewer' in the UI regardless of actual role. - loadUser SELECTs role for session auth. - Backend tests still 37/15/0/22 — no test changes needed; existing token CRUD tests stay passing since bound_hostname is optional. 2026-05-27 19:27:51 -04:00			`INSERT INTO api_tokens (user_id, name, token_hash, token_prefix, expires_at, bound_hostname)
			`VALUES ($1, $2, $3, $4, $5, $6)`
			RETURNING id, name, token_prefix AS prefix, bound_hostname, expires_at, created_at`,
			`[req.user.id, name.trim(), hashToken(raw), tokenDisplayPrefix(raw),`
			`expires_at \|\| null, bound_hostname?.trim() \|\| null]);`
feat(mam-api): API token CRUD — show raw once, bearer-authenticate via SHA-256 lookup 2026-05-27 14:52:07 -04:00			`res.status(201).json({ ...rows[0], token: raw }); // raw token shown exactly once`
			`} catch (err) { next(err); }`
			`});`

			`// DELETE /:id — revoke; only the owner can revoke`
			`router.delete('/:id', async (req, res, next) => {`
			`try {`
			`const { rowCount } = await pool.query(`
			`DELETE FROM api_tokens WHERE id = $1 AND user_id = $2`,
			`[req.params.id, req.user.id]);`
			`if (rowCount === 0) return res.status(404).json({ error: 'token not found' });`
			`res.status(204).end();`
			`} catch (err) { next(err); }`
			`});`

			`export default router;`