Add personal API tokens and a public REST API (v1)

Authenticated automation for a user's own account, the grown-up version of Quick-codes:
- ApiToken model (+ migration): only a SHA-256 hash of the ocl_… secret is stored; CSV scopes
  (read/write), optional single-folder restriction, optional expiry, lastUsedAt.
- Bearer auth (app.tokenAuth(scope)) — no cookie, so not subject to CSRF. Throttled last-used.
- /api/v1: GET /me, GET+POST /folders, GET+POST /files (multipart upload), GET /files/:id/download.
  Vault folders are rejected (server can't decrypt ZK).
- Reusable storeUserFile() pipeline (quota + AV + server encryption + text versioning), shared
  with the app upload route's behaviour and ready for WebDAV.
- Account ▸ API tokens UI: create (name/scopes/folder/expiry), shown-once secret, list with
  last-used, revoke. docs/API.md with curl examples. FR/EN parity (438).

Author: softpython2884

apps/api/prisma/migrations/20260622140000_api_tokens/migration.sql

@@ -0,0 +1,24 @@
+-- CreateTable
+CREATE TABLE "ApiToken" (
+    "id" TEXT NOT NULL,
+    "ownerId" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "tokenHash" TEXT NOT NULL,
+    "prefix" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "folderId" TEXT,
+    "expiresAt" TIMESTAMP(3),
+    "lastUsedAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "ApiToken_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ApiToken_tokenHash_key" ON "ApiToken"("tokenHash");
+
+-- CreateIndex
+CREATE INDEX "ApiToken_ownerId_idx" ON "ApiToken"("ownerId");
+
+-- AddForeignKey
+ALTER TABLE "ApiToken" ADD CONSTRAINT "ApiToken_ownerId_fkey" FOREIGN KEY ("ownerId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;

apps/api/prisma/schema.prisma

@@ -69,6 +69,7 @@ model User {
   auditLogs       AuditLog[]
   shares          ShareLink[]
   recoveryCodes   RecoveryCode[]
+  apiTokens       ApiToken[]
 
   @@index([email])
 }
@@ -275,6 +276,25 @@ model Setting {
   updatedAt            DateTime @updatedAt
 }
 
+// A personal access token for the public REST API (Authorization: Bearer ocl_…). Only a SHA-256
+// hash of the secret is stored; the plaintext is shown once at creation. `scopes` is a CSV of
+// "read"/"write"; `folderId` optionally restricts the token to one folder (and its subtree).
+model ApiToken {
+  id         String    @id @default(cuid())
+  ownerId    String
+  owner      User      @relation(fields: [ownerId], references: [id], onDelete: Cascade)
+  name       String
+  tokenHash  String    @unique
+  prefix     String
+  scopes     String
+  folderId   String?
+  expiresAt  DateTime?
+  lastUsedAt DateTime?
+  createdAt  DateTime  @default(now())
+
+  @@index([ownerId])
+}
+
 // A shareable link to a SERVER-mode file or folder. ZK targets can't be shared (the
 // server can't decrypt them). The opaque `token` is the URL slug.
 model ShareLink {

apps/api/src/fastify.d.ts

@@ -8,10 +8,14 @@ declare module 'fastify' {
     requireAuth: import('fastify').preHandlerHookHandler;
     /** preHandler: require an authenticated ADMIN (+ CSRF on mutations). */
     requireAdmin: import('fastify').preHandlerHookHandler;
+    /** preHandler factory: require a valid API token (Authorization: Bearer) with a scope. */
+    tokenAuth: (scope: 'read' | 'write') => import('fastify').preHandlerHookHandler;
   }
 
   interface FastifyRequest {
     user: { id: string; email: string; role: 'ADMIN' | 'USER'; disabled: boolean } | null;
     sessionData: { id: string; csrfSecret: string } | null;
+    /** Set when the request authenticated via an API token instead of a session. */
+    apiToken: { id: string; ownerId: string; scopes: string[]; folderId: string | null } | null;
   }
 }

apps/api/src/lib/serialize.ts

@@ -4,6 +4,7 @@
  * response by accident — only the fields listed here are ever serialised.
  */
 import type {
+  ApiToken,
   FileObject,
   Folder,
   QuickUploadCode,
@@ -12,6 +13,7 @@ import type {
   User,
 } from '@prisma/client';
 import type {
+  PublicApiToken,
   PublicFile,
   PublicFolder,
   PublicQuickCode,
@@ -20,6 +22,19 @@ import type {
   PublicUser,
 } from '@opencoperlock/shared';
 
+export function toPublicApiToken(t: ApiToken): PublicApiToken {
+  return {
+    id: t.id,
+    name: t.name,
+    prefix: t.prefix,
+    scopes: t.scopes ? t.scopes.split(',').filter(Boolean) : [],
+    folderId: t.folderId,
+    expiresAt: t.expiresAt ? t.expiresAt.toISOString() : null,
+    lastUsedAt: t.lastUsedAt ? t.lastUsedAt.toISOString() : null,
+    createdAt: t.createdAt.toISOString(),
+  };
+}
+
 export function toPublicUser(u: User): PublicUser {
   return {
     id: u.id,

apps/api/src/plugins/auth.ts

@@ -10,12 +10,14 @@ import type { FastifyPluginAsync, FastifyReply, FastifyRequest } from 'fastify';
 import fp from 'fastify-plugin';
 import { CSRF_HEADER, SESSION_COOKIE, safeEqual } from '@opencoperlock/shared';
 import { getSession, touchSession } from '../services/session.js';
+import { authenticateToken, type ApiScope } from '../services/apiToken.js';
 
 const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
 
 const authPlugin: FastifyPluginAsync = async (app) => {
   app.decorateRequest('user', null);
   app.decorateRequest('sessionData', null);
+  app.decorateRequest('apiToken', null);
 
   // Resolve the session for every request (non-blocking; routes decide if it's required).
   app.addHook('onRequest', async (req) => {
@@ -53,6 +55,14 @@ const authPlugin: FastifyPluginAsync = async (app) => {
     if (req.user.role !== 'ADMIN') return reply.code(403).send({ error: 'Admin access required' });
     if (!enforceCsrf(req, reply)) return reply;
   });
+
+  // Bearer-token auth for the public REST API. No cookie is involved, so CSRF does not apply.
+  app.decorate('tokenAuth', (scope: ApiScope) => async (req: FastifyRequest, reply: FastifyReply) => {
+    const result = await authenticateToken(req.headers.authorization, scope);
+    if (!result.ok) return reply.code(result.status).send({ error: result.error });
+    req.user = result.owner;
+    req.apiToken = result.token;
+  });
 };
 
 export default fp(authPlugin, { name: 'auth' });

apps/api/src/routes/account.ts

@@ -3,15 +3,16 @@
  * permanently delete your account. Both are scoped strictly to the requesting user.
  */
 import type { FastifyPluginAsync } from 'fastify';
-import { passwordConfirmSchema, createQuickCodeSchema } from '@opencoperlock/shared';
+import { passwordConfirmSchema, createQuickCodeSchema, createApiTokenSchema } from '@opencoperlock/shared';
 import { prisma } from '../db.js';
 import { parseOr400 } from '../lib/validate.js';
 import { verifyPassword, hashPassword } from '../services/password.js';
 import { remainingRecoveryCodes } from '../services/recovery.js';
-import { toPublicFile, toPublicFolder, toPublicShare, toPublicUser, toPublicQuickCode } from '../lib/serialize.js';
+import { toPublicFile, toPublicFolder, toPublicShare, toPublicUser, toPublicQuickCode, toPublicApiToken } from '../lib/serialize.js';
 import { clearSessionCookie } from '../lib/cookies.js';
 import { audit } from '../services/audit.js';
 import { generateUniqueQuickCode, isCodeTakenError } from '../services/quickCode.js';
+import { generateToken } from '../services/apiToken.js';
 
 export const accountRoutes: FastifyPluginAsync = async (app) => {
   app.addHook('preHandler', app.requireAuth);
@@ -82,6 +83,51 @@ export const accountRoutes: FastifyPluginAsync = async (app) => {
     return { ok: true };
   });
 
+  // ── Personal API tokens ──────────────────────────────────────────────────────
+  app.get('/api-tokens', async (req) => {
+    const tokens = await prisma.apiToken.findMany({
+      where: { ownerId: req.user!.id },
+      orderBy: { createdAt: 'desc' },
+    });
+    return { tokens: tokens.map(toPublicApiToken) };
+  });
+
+  app.post('/api-tokens', async (req, reply) => {
+    const body = parseOr400(reply, createApiTokenSchema, req.body);
+    if (!body) return;
+
+    if (body.folderId) {
+      const folder = await prisma.folder.findFirst({ where: { id: body.folderId, ownerId: req.user!.id } });
+      if (!folder) return reply.code(404).send({ error: 'Folder not found' });
+      if (folder.isZeroKnowledge) return reply.code(400).send({ error: 'A vault cannot be an API target' });
+    }
+
+    const { token, hash, prefix } = generateToken();
+    const created = await prisma.apiToken.create({
+      data: {
+        ownerId: req.user!.id,
+        name: body.name,
+        tokenHash: hash,
+        prefix,
+        scopes: body.scopes.join(','),
+        folderId: body.folderId ?? null,
+        expiresAt: body.expiresInDays ? new Date(Date.now() + body.expiresInDays * 86_400_000) : null,
+      },
+    });
+    await audit(req, 'account.apitoken.create', { target: created.id });
+    // The plaintext token is returned ONCE here and never stored or shown again.
+    return reply.code(201).send({ token, apiToken: toPublicApiToken(created) });
+  });
+
+  app.delete('/api-tokens/:id', async (req, reply) => {
+    const { id } = req.params as { id: string };
+    const existing = await prisma.apiToken.findFirst({ where: { id, ownerId: req.user!.id } });
+    if (!existing) return reply.code(404).send({ error: 'Token not found' });
+    await prisma.apiToken.delete({ where: { id } });
+    await audit(req, 'account.apitoken.delete', { target: id });
+    return { ok: true };
+  });
+
   // GET /account/export — a JSON copy of the user's data (metadata, not file contents).
   app.get('/export', async (req, reply) => {
     const userId = req.user!.id;

apps/api/src/routes/api-v1.ts

@@ -0,0 +1,125 @@
+/**
+ * Public REST API (v1), authenticated by a personal API token: `Authorization: Bearer ocl_…`.
+ * Lets a user's own scripts/automations list folders, upload files into a folder, and download
+ * them — scoped to the token's permissions (read/write) and optional folder restriction.
+ *
+ * Zero-Knowledge vaults are encrypted in the browser, so the server API cannot read or write
+ * them; only normal (SERVER-encrypted) folders are accessible here.
+ */
+import type { FastifyPluginAsync } from 'fastify';
+import { prisma } from '../db.js';
+import { decryptServerFile } from '../services/download.js';
+import { FileTooLargeError, InfectedFileError } from '../services/ingest.js';
+import { storeUserFile, QuotaExhaustedError } from '../services/upload.js';
+import { toPublicFile, toPublicFolder } from '../lib/serialize.js';
+import { audit } from '../services/audit.js';
+
+export const apiV1Routes: FastifyPluginAsync = async (app) => {
+  // A token may be confined to one folder; everything it touches must match (MVP: exact folder).
+  const folderAllowed = (req: { apiToken: { folderId: string | null } | null }, folderId: string | null) =>
+    !req.apiToken?.folderId || req.apiToken.folderId === folderId;
+
+  // GET /me — confirm a token works and show what it can do.
+  app.get('/me', { preHandler: app.tokenAuth('read') }, async (req) => ({
+    user: { id: req.user!.id, email: req.user!.email },
+    token: { scopes: req.apiToken!.scopes, folderId: req.apiToken!.folderId },
+  }));
+
+  // GET /folders — list the user's normal folders.
+  app.get('/folders', { preHandler: app.tokenAuth('read') }, async (req) => {
+    const folders = await prisma.folder.findMany({
+      where: { ownerId: req.user!.id },
+      orderBy: { name: 'asc' },
+    });
+    return { folders: folders.map(toPublicFolder) };
+  });
+
+  // POST /folders — create a folder ({ name, parentId? }).
+  app.post('/folders', { preHandler: app.tokenAuth('write') }, async (req, reply) => {
+    const body = (req.body ?? {}) as { name?: unknown; parentId?: unknown };
+    const name = typeof body.name === 'string' ? body.name.trim() : '';
+    if (!name) return reply.code(400).send({ error: 'name is required' });
+    const parentId = typeof body.parentId === 'string' ? body.parentId : null;
+
+    if (parentId) {
+      const parent = await prisma.folder.findFirst({ where: { id: parentId, ownerId: req.user!.id } });
+      if (!parent) return reply.code(404).send({ error: 'Parent folder not found' });
+      if (parent.isZeroKnowledge) return reply.code(400).send({ error: 'Vault folders are not accessible via the API' });
+    }
+    if (!folderAllowed(req, parentId)) return reply.code(403).send({ error: 'Token is restricted to another folder' });
+
+    const folder = await prisma.folder.create({
+      data: { ownerId: req.user!.id, name, parentId, isZeroKnowledge: false },
+    });
+    await audit(req, 'api.folder.create', { actorId: req.user!.id, target: folder.id });
+    return reply.code(201).send({ folder: toPublicFolder(folder) });
+  });
+
+  // GET /files?folderId= — list files in a folder (omit folderId for the account root).
+  app.get('/files', { preHandler: app.tokenAuth('read') }, async (req, reply) => {
+    const { folderId } = req.query as { folderId?: string };
+    const target = folderId ?? null;
+    if (!folderAllowed(req, target)) return reply.code(403).send({ error: 'Token is restricted to another folder' });
+    if (target) {
+      const folder = await prisma.folder.findFirst({ where: { id: target, ownerId: req.user!.id } });
+      if (!folder) return reply.code(404).send({ error: 'Folder not found' });
+    }
+    const files = await prisma.fileObject.findMany({
+      where: { ownerId: req.user!.id, folderId: target, encMode: 'SERVER', deletedAt: null },
+      orderBy: { name: 'asc' },
+    });
+    return { files: files.map(toPublicFile) };
+  });
+
+  // POST /files?folderId= — upload a single file (multipart/form-data, field "file").
+  app.post('/files', { preHandler: app.tokenAuth('write') }, async (req, reply) => {
+    const { folderId } = req.query as { folderId?: string };
+    const target = folderId ?? req.apiToken!.folderId ?? null;
+    if (!folderAllowed(req, target)) return reply.code(403).send({ error: 'Token is restricted to another folder' });
+
+    if (target) {
+      const folder = await prisma.folder.findFirst({ where: { id: target, ownerId: req.user!.id } });
+      if (!folder) return reply.code(404).send({ error: 'Folder not found' });
+      if (folder.isZeroKnowledge) return reply.code(400).send({ error: 'Vault folders are not accessible via the API' });
+    }
+
+    const part = await req.file();
+    if (!part) return reply.code(400).send({ error: 'No file provided (multipart field "file")' });
+
+    try {
+      const { file } = await storeUserFile(app.ctx, {
+        ownerId: req.user!.id,
+        folderId: target,
+        stream: part.file,
+        filename: part.filename,
+        mimetype: part.mimetype,
+      });
+      await audit(req, 'api.file.upload', { actorId: req.user!.id, target: file.id });
+      return reply.code(201).send({ file: toPublicFile(file) });
+    } catch (err) {
+      if (err instanceof QuotaExhaustedError || err instanceof FileTooLargeError) {
+        return reply.code(413).send({ error: 'Upload exceeds your available quota' });
+      }
+      if (err instanceof InfectedFileError) {
+        return reply.code(422).send({ error: `File rejected: ${err.signature}`, code: 'INFECTED' });
+      }
+      throw err;
+    }
+  });
+
+  // GET /files/:id/download — stream a file's decrypted contents.
+  app.get('/files/:id/download', { preHandler: app.tokenAuth('read') }, async (req, reply) => {
+    const { id } = req.params as { id: string };
+    const file = await prisma.fileObject.findFirst({
+      where: { id, ownerId: req.user!.id, encMode: 'SERVER', deletedAt: null },
+    });
+    if (!file) return reply.code(404).send({ error: 'File not found' });
+    if (!folderAllowed(req, file.folderId)) return reply.code(403).send({ error: 'Token is restricted to another folder' });
+
+    reply
+      .header('Content-Type', file.mimeType)
+      .header('Content-Length', Number(file.sizeBytes))
+      .header('Content-Disposition', `attachment; filename="${encodeURIComponent(file.name)}"`);
+    return reply.send(decryptServerFile(app.ctx, file));
+  });
+};

apps/api/src/server.ts

@@ -20,6 +20,7 @@ import { sharePublicRoutes } from './routes/share-public.js';
 import { twoFactorRoutes } from './routes/twofa.js';
 import { accountRoutes } from './routes/account.js';
 import { adminRoutes } from './routes/admin.js';
+import { apiV1Routes } from './routes/api-v1.js';
 
 export async function buildServer(ctx: AppContext): Promise<FastifyInstance> {
   const app = Fastify({
@@ -82,6 +83,7 @@ export async function buildServer(ctx: AppContext): Promise<FastifyInstance> {
   await app.register(twoFactorRoutes, { prefix: '/2fa' });
   await app.register(accountRoutes, { prefix: '/account' });
   await app.register(adminRoutes, { prefix: '/admin' });
+  await app.register(apiV1Routes, { prefix: '/api/v1' });
 
   app.setErrorHandler((err: { statusCode?: number; message?: string }, req, reply) => {
     req.log.error({ err }, 'request failed');