screentinker

mirror of https://github.com/screentinker/screentinker.git synced 2026-06-17 03:32:32 -06:00

History

ScreenTinker 73ca3cf258 feat(api): scoped API token foundation + secure-by-exclusion mounts Introduce the public API's token layer and make the router partition data-driven. - api_tokens table: SHA-256 hashed secret, st_ prefix, workspace-bound, read/write/full scope. - middleware/apiToken.js: bearerAuth front door (Bearer st_ -> token auth, else the unchanged requireAuth); apiTokenAuth acts as the owner with platform powers stripped to 'user' and the workspace binding made authoritative (X-Workspace-Id ignored); tokenScopeGate (read=GET, write=mutations) + requireScope('full') for commands. - config/api-surface.js: single source of truth for the PUBLIC (token front door) vs JWT-ONLY (requireAuth) router partition. server.js mounts from these lists so the mount list and the partition firewall test cannot drift. - device-groups: operational group commands (reboot/shutdown) require the full scope. A Bearer st_ token fails jwt.verify on the JWT-only routers (401), so privileged surfaces (admin, workspaces, ai, provision, white-label) are unreachable by exclusion. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 18:45:09 -05:00
..
api-surface.js	feat(api): scoped API token foundation + secure-by-exclusion mounts	2026-06-12 18:45:09 -05:00
cloudflareIps.js	fix: log real client IPs through Cloudflare instead of CF edge	2026-05-07 15:26:37 -05:00

ScreenTinker 73ca3cf258 feat(api): scoped API token foundation + secure-by-exclusion mounts

Introduce the public API's token layer and make the router partition data-driven.

- api_tokens table: SHA-256 hashed secret, st_ prefix, workspace-bound, read/write/full scope.
- middleware/apiToken.js: bearerAuth front door (Bearer st_ -> token auth, else the
  unchanged requireAuth); apiTokenAuth acts as the owner with platform powers stripped
  to 'user' and the workspace binding made authoritative (X-Workspace-Id ignored);
  tokenScopeGate (read=GET, write=mutations) + requireScope('full') for commands.
- config/api-surface.js: single source of truth for the PUBLIC (token front door) vs
  JWT-ONLY (requireAuth) router partition. server.js mounts from these lists so the
  mount list and the partition firewall test cannot drift.
- device-groups: operational group commands (reboot/shutdown) require the full scope.

A Bearer st_ token fails jwt.verify on the JWT-only routers (401), so privileged
surfaces (admin, workspaces, ai, provision, white-label) are unreachable by exclusion.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-12 18:45:09 -05:00

api-surface.js

feat(api): scoped API token foundation + secure-by-exclusion mounts

2026-06-12 18:45:09 -05:00

cloudflareIps.js

fix: log real client IPs through Cloudflare instead of CF edge

2026-05-07 15:26:37 -05:00