Archive/screentinker

Fork 0

mirror of https://github.com/screentinker/screentinker.git synced 2026-06-17 11:42:40 -06:00

Commit graph

Author	SHA1	Message	Date
ScreenTinker	c8a24d2243	feat(api): agency-token security primitive - off-ladder scope + agencyGate (#73 ) The capability/target-restricted token model for the agency portal (#73 option B), proven before any endpoint sits on it: - 'agency' scope value is OFF the read/write/full ladder, so the existing tokenScopeGate rejects it on every public router by construction (auto-confinement, no new code). - api_token_targets join table: which playlists an agency token may act on. - agencyGate: THE single seam - agency-scope-only + (playlist in this token's allowlist AND in the bound workspace), one query enforcing target + cross-workspace isolation. - AGENCY_ROUTERS category in config/api-surface.js (mounted with agencyGate, not tokenScopeGate) - declared; router/mount land with the endpoints. Both bite-tested: spine (agency 403s on tokenScopeGate; read/write still pass) and the gate (non-designated/cross-workspace/non-agency/JWT -> 403; neutralizing the target check goes red). NARROW - not the general capability-scope system. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 21:30:38 -05:00
ScreenTinker	fab4ae909a	feat(api): token management endpoints + Settings UI - routes/tokens.js: create (returns the full secret once), list (never the secret), revoke. Mounted JWT-only via api-surface.js so an API token can never mint, list or revoke tokens - no self-escalation. - Settings "API Tokens" section: create form (name + read/write/full scope), one-time secret reveal with copy, token list, revoke; i18n across en/es/fr/de/pt. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 18:45:09 -05:00
ScreenTinker	73ca3cf258	feat(api): scoped API token foundation + secure-by-exclusion mounts Introduce the public API's token layer and make the router partition data-driven. - api_tokens table: SHA-256 hashed secret, st_ prefix, workspace-bound, read/write/full scope. - middleware/apiToken.js: bearerAuth front door (Bearer st_ -> token auth, else the unchanged requireAuth); apiTokenAuth acts as the owner with platform powers stripped to 'user' and the workspace binding made authoritative (X-Workspace-Id ignored); tokenScopeGate (read=GET, write=mutations) + requireScope('full') for commands. - config/api-surface.js: single source of truth for the PUBLIC (token front door) vs JWT-ONLY (requireAuth) router partition. server.js mounts from these lists so the mount list and the partition firewall test cannot drift. - device-groups: operational group commands (reboot/shutdown) require the full scope. A Bearer st_ token fails jwt.verify on the JWT-only routers (401), so privileged surfaces (admin, workspaces, ai, provision, white-label) are unreachable by exclusion. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 18:45:09 -05:00

Author

SHA1

Message

Date

ScreenTinker

c8a24d2243

feat(api): agency-token security primitive - off-ladder scope + agencyGate (#73 )

The capability/target-restricted token model for the agency portal (#73 option B),
proven before any endpoint sits on it:
- 'agency' scope value is OFF the read/write/full ladder, so the existing tokenScopeGate
  rejects it on every public router by construction (auto-confinement, no new code).
- api_token_targets join table: which playlists an agency token may act on.
- agencyGate: THE single seam - agency-scope-only + (playlist in this token's allowlist
  AND in the bound workspace), one query enforcing target + cross-workspace isolation.
- AGENCY_ROUTERS category in config/api-surface.js (mounted with agencyGate, not
  tokenScopeGate) - declared; router/mount land with the endpoints.

Both bite-tested: spine (agency 403s on tokenScopeGate; read/write still pass) and the
gate (non-designated/cross-workspace/non-agency/JWT -> 403; neutralizing the target check
goes red). NARROW - not the general capability-scope system.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-13 21:30:38 -05:00

ScreenTinker

fab4ae909a

feat(api): token management endpoints + Settings UI

- routes/tokens.js: create (returns the full secret once), list (never the secret),
  revoke. Mounted JWT-only via api-surface.js so an API token can never mint, list or
  revoke tokens - no self-escalation.
- Settings "API Tokens" section: create form (name + read/write/full scope), one-time
  secret reveal with copy, token list, revoke; i18n across en/es/fr/de/pt.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-12 18:45:09 -05:00

ScreenTinker

73ca3cf258

feat(api): scoped API token foundation + secure-by-exclusion mounts

Introduce the public API's token layer and make the router partition data-driven.

- api_tokens table: SHA-256 hashed secret, st_ prefix, workspace-bound, read/write/full scope.
- middleware/apiToken.js: bearerAuth front door (Bearer st_ -> token auth, else the
  unchanged requireAuth); apiTokenAuth acts as the owner with platform powers stripped
  to 'user' and the workspace binding made authoritative (X-Workspace-Id ignored);
  tokenScopeGate (read=GET, write=mutations) + requireScope('full') for commands.
- config/api-surface.js: single source of truth for the PUBLIC (token front door) vs
  JWT-ONLY (requireAuth) router partition. server.js mounts from these lists so the
  mount list and the partition firewall test cannot drift.
- device-groups: operational group commands (reboot/shutdown) require the full scope.

A Bearer st_ token fails jwt.verify on the JWT-only routers (401), so privileged
surfaces (admin, workspaces, ai, provision, white-label) are unreachable by exclusion.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-12 18:45:09 -05:00

3 commits