argos-ci
diff --git a/‎apps/backend/db/migrations/20260401084427_user_access_tokens.js‎
Lines changed: 36 additions & 0 deletions b/‎apps/backend/db/migrations/20260401084427_user_access_tokens.js‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎apps/backend/db/structure.sql‎
Lines changed: 191 additions & 3 deletions b/‎apps/backend/db/structure.sql‎
Lines changed: 191 additions & 3 deletions
diff --git a/‎apps/backend/src/api/handlers/getAuthBuildByNumber.e2e.test.ts‎
Lines changed: 50 additions & 0 deletions b/‎apps/backend/src/api/handlers/getAuthBuildByNumber.e2e.test.ts‎
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,36 @@
+/**
+ * @param {import('knex').Knex} knex
+ */
+export const up = async (knex) => {
+  await knex.schema.createTable("user_access_tokens", (table) => {
+    table.bigIncrements("id").primary();
+    table.dateTime("createdAt").notNullable();
+    table.dateTime("updatedAt").notNullable();
+    table.bigInteger("userId").notNullable().index();
+    table.foreign("userId").references("users.id");
+    table.string("name").notNullable();
+    table.string("token").notNullable().unique();
+    table.dateTime("expireAt").nullable();
+    table.dateTime("lastUsedAt").nullable();
+    table.string("createdBy").notNullable();
+  });
+
+  await knex.schema.createTable("user_access_token_scopes", (table) => {
+    table.bigIncrements("id").primary();
+    table.dateTime("createdAt").notNullable();
+    table.dateTime("updatedAt").notNullable();
+    table.bigInteger("userAccessTokenId").notNullable().index();
+    table.foreign("userAccessTokenId").references("user_access_tokens.id");
+    table.bigInteger("accountId").notNullable().index();
+    table.foreign("accountId").references("accounts.id");
+    table.unique(["userAccessTokenId", "accountId"]);
+  });
+};
+
+/**
+ * @param {import('knex').Knex} knex
+ */
+export const down = async (knex) => {
+  await knex.schema.dropTable("user_access_token_scopes");
+  await knex.schema.dropTable("user_access_tokens");
+};
@@ -2,8 +2,10 @@
 -- PostgreSQL database dump
 --
 
+\restrict JfsOuN39OUWpiPypbkunGr6fxbeB43MaGJ83Ohqy3EUrRTZUZKCGaWZR0OCiau5
+
 -- Dumped from database version 17.5
--- Dumped by pg_dump version 17.5 (Homebrew)
+-- Dumped by pg_dump version 17.9 (Homebrew)
 
 SET statement_timeout = 0;
 SET lock_timeout = 0;
@@ -693,7 +695,7 @@ ALTER SEQUENCE public.github_installations_id_seq OWNED BY public.github_install
 --
 
 CREATE TABLE public.github_pull_requests (
-    id bigint NOT NULL,
+    id integer NOT NULL,
     "createdAt" timestamp with time zone NOT NULL,
     "updatedAt" timestamp with time zone NOT NULL,
     "commentDeleted" boolean DEFAULT false NOT NULL,
@@ -1825,6 +1827,82 @@ ALTER SEQUENCE public.tests_id_seq OWNER TO postgres;
 ALTER SEQUENCE public.tests_id_seq OWNED BY public.tests.id;
 
 
+--
+-- Name: user_access_token_scopes; Type: TABLE; Schema: public; Owner: postgres
+--
+
+CREATE TABLE public.user_access_token_scopes (
+    id bigint NOT NULL,
+    "createdAt" timestamp with time zone NOT NULL,
+    "updatedAt" timestamp with time zone NOT NULL,
+    "userAccessTokenId" bigint NOT NULL,
+    "accountId" bigint NOT NULL
+);
+
+
+ALTER TABLE public.user_access_token_scopes OWNER TO postgres;
+
+--
+-- Name: user_access_token_scopes_id_seq; Type: SEQUENCE; Schema: public; Owner: postgres
+--
+
+CREATE SEQUENCE public.user_access_token_scopes_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+
+ALTER SEQUENCE public.user_access_token_scopes_id_seq OWNER TO postgres;
+
+--
+-- Name: user_access_token_scopes_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: postgres
+--
+
+ALTER SEQUENCE public.user_access_token_scopes_id_seq OWNED BY public.user_access_token_scopes.id;
+
+
+--
+-- Name: user_access_tokens; Type: TABLE; Schema: public; Owner: postgres
+--
+
+CREATE TABLE public.user_access_tokens (
+    id bigint NOT NULL,
+    "createdAt" timestamp with time zone NOT NULL,
+    "updatedAt" timestamp with time zone NOT NULL,
+    "userId" bigint NOT NULL,
+    name character varying(255) NOT NULL,
+    token character varying(255) NOT NULL,
+    "expireAt" timestamp with time zone,
+    "lastUsedAt" timestamp with time zone,
+    "createdBy" character varying(255) NOT NULL
+);
+
+
+ALTER TABLE public.user_access_tokens OWNER TO postgres;
+
+--
+-- Name: user_access_tokens_id_seq; Type: SEQUENCE; Schema: public; Owner: postgres
+--
+
+CREATE SEQUENCE public.user_access_tokens_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+
+ALTER SEQUENCE public.user_access_tokens_id_seq OWNER TO postgres;
+
+--
+-- Name: user_access_tokens_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: postgres
+--
+
+ALTER SEQUENCE public.user_access_tokens_id_seq OWNED BY public.user_access_tokens.id;
+
+
 --
 -- Name: user_emails; Type: TABLE; Schema: public; Owner: postgres
 --
@@ -2152,6 +2230,20 @@ ALTER TABLE ONLY public.teams ALTER COLUMN id SET DEFAULT nextval('public.teams_
 ALTER TABLE ONLY public.tests ALTER COLUMN id SET DEFAULT nextval('public.tests_id_seq'::regclass);
 
 
+--
+-- Name: user_access_token_scopes id; Type: DEFAULT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.user_access_token_scopes ALTER COLUMN id SET DEFAULT nextval('public.user_access_token_scopes_id_seq'::regclass);
+
+
+--
+-- Name: user_access_tokens id; Type: DEFAULT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.user_access_tokens ALTER COLUMN id SET DEFAULT nextval('public.user_access_tokens_id_seq'::regclass);
+
+
 --
 -- Name: users id; Type: DEFAULT; Schema: public; Owner: postgres
 --
@@ -2663,6 +2755,38 @@ ALTER TABLE ONLY public.tests
     ADD CONSTRAINT tests_pkey PRIMARY KEY (id);
 
 
+--
+-- Name: user_access_token_scopes user_access_token_scopes_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.user_access_token_scopes
+    ADD CONSTRAINT user_access_token_scopes_pkey PRIMARY KEY (id);
+
+
+--
+-- Name: user_access_token_scopes user_access_token_scopes_useraccesstokenid_accountid_unique; Type: CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.user_access_token_scopes
+    ADD CONSTRAINT user_access_token_scopes_useraccesstokenid_accountid_unique UNIQUE ("userAccessTokenId", "accountId");
+
+
+--
+-- Name: user_access_tokens user_access_tokens_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.user_access_tokens
+    ADD CONSTRAINT user_access_tokens_pkey PRIMARY KEY (id);
+
+
+--
+-- Name: user_access_tokens user_access_tokens_token_unique; Type: CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.user_access_tokens
+    ADD CONSTRAINT user_access_tokens_token_unique UNIQUE (token);
+
+
 --
 -- Name: user_emails user_emails_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
 --
@@ -2671,6 +2795,22 @@ ALTER TABLE ONLY public.user_emails
     ADD CONSTRAINT user_emails_pkey PRIMARY KEY (email);
 
 
+--
+-- Name: users users_email_unique; Type: CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.users
+    ADD CONSTRAINT users_email_unique UNIQUE (email);
+
+
+--
+-- Name: users users_gitlabuserid_unique; Type: CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.users
+    ADD CONSTRAINT users_gitlabuserid_unique UNIQUE ("gitlabUserId");
+
+
 --
 -- Name: users users_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
 --
@@ -3169,6 +3309,27 @@ CREATE INDEX tests_projectid_buildname_createdat_id_idx ON public.tests USING bt
 CREATE INDEX tests_projectid_index ON public.tests USING btree ("projectId");
 
 
+--
+-- Name: user_access_token_scopes_accountid_index; Type: INDEX; Schema: public; Owner: postgres
+--
+
+CREATE INDEX user_access_token_scopes_accountid_index ON public.user_access_token_scopes USING btree ("accountId");
+
+
+--
+-- Name: user_access_token_scopes_useraccesstokenid_index; Type: INDEX; Schema: public; Owner: postgres
+--
+
+CREATE INDEX user_access_token_scopes_useraccesstokenid_index ON public.user_access_token_scopes USING btree ("userAccessTokenId");
+
+
+--
+-- Name: user_access_tokens_userid_index; Type: INDEX; Schema: public; Owner: postgres
+--
+
+CREATE INDEX user_access_tokens_userid_index ON public.user_access_tokens USING btree ("userId");
+
+
 --
 -- Name: users_googleuserid_fk_index; Type: INDEX; Schema: public; Owner: postgres
 --
@@ -3728,6 +3889,30 @@ ALTER TABLE ONLY public.tests
     ADD CONSTRAINT tests_projectid_foreign FOREIGN KEY ("projectId") REFERENCES public.projects(id);
 
 
+--
+-- Name: user_access_token_scopes user_access_token_scopes_accountid_foreign; Type: FK CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.user_access_token_scopes
+    ADD CONSTRAINT user_access_token_scopes_accountid_foreign FOREIGN KEY ("accountId") REFERENCES public.accounts(id);
+
+
+--
+-- Name: user_access_token_scopes user_access_token_scopes_useraccesstokenid_foreign; Type: FK CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.user_access_token_scopes
+    ADD CONSTRAINT user_access_token_scopes_useraccesstokenid_foreign FOREIGN KEY ("userAccessTokenId") REFERENCES public.user_access_tokens(id);
+
+
+--
+-- Name: user_access_tokens user_access_tokens_userid_foreign; Type: FK CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY public.user_access_tokens
+    ADD CONSTRAINT user_access_tokens_userid_foreign FOREIGN KEY ("userId") REFERENCES public.users(id);
+
+
 --
 -- Name: user_emails user_emails_userid_foreign; Type: FK CONSTRAINT; Schema: public; Owner: postgres
 --
@@ -3756,6 +3941,8 @@ ALTER TABLE ONLY public.users
 -- PostgreSQL database dump complete
 --
 
+\unrestrict JfsOuN39OUWpiPypbkunGr6fxbeB43MaGJ83Ohqy3EUrRTZUZKCGaWZR0OCiau5
+
 -- Knex migrations
 
 INSERT INTO public.knex_migrations(name, batch, migration_time) VALUES ('20161217154940_init.js', 1, NOW());
@@ -3937,4 +4124,5 @@ INSERT INTO public.knex_migrations(name, batch, migration_time) VALUES ('2026021
 INSERT INTO public.knex_migrations(name, batch, migration_time) VALUES ('20260216200736_enforce-sso.js', 1, NOW());
 INSERT INTO public.knex_migrations(name, batch, migration_time) VALUES ('20260219170000_project-auto-ignore.js', 1, NOW());
 INSERT INTO public.knex_migrations(name, batch, migration_time) VALUES ('20260222100000_team-saml-expiration-check.js', 1, NOW());
-INSERT INTO public.knex_migrations(name, batch, migration_time) VALUES ('20260328120000_build-merge-queue-gh-pull-requests.js', 1, NOW());
+INSERT INTO public.knex_migrations(name, batch, migration_time) VALUES ('20260328120000_build-merge-queue-gh-pull-requests.js', 1, NOW());
+INSERT INTO public.knex_migrations(name, batch, migration_time) VALUES ('20260401084427_user_access_tokens.js', 1, NOW());
@@ -3,6 +3,8 @@ import request from "supertest";
 import { beforeAll, beforeEach, describe, expect, it } from "vitest";
 import z from "zod";
 
+import { UserAccessTokenScope } from "@/database/models";
+import { hashToken } from "@/database/services/crypto";
 import { factory, setupDatabase } from "@/database/testing";
 
 import { createTestHandlerApp } from "../test-util";
@@ -137,4 +139,52 @@ describe("getAuthBuildByNumber", () => {
         .expect(400);
     });
   });
+
+  describe("with a user access token on explicit project route", () => {
+    it("returns the build", async () => {
+      const [user, account] = await Promise.all([
+        factory.User.create(),
+        factory.TeamAccount.create({ slug: "acme" }),
+      ]);
+
+      const [project] = await Promise.all([
+        factory.Project.create({
+          accountId: account.id,
+          name: "web",
+        }),
+        factory.UserAccount.create({ userId: user.id }),
+        factory.TeamUser.create({
+          teamId: account.teamId,
+          userId: user.id,
+          userLevel: "member",
+        }),
+      ]);
+      const bucket = await factory.ScreenshotBucket.create({
+        projectId: project.id,
+      });
+      const build = await factory.Build.create({
+        projectId: project.id,
+        compareScreenshotBucketId: bucket.id,
+        number: 4,
+      });
+
+      const token = `arp_${"f".repeat(36)}`;
+      const userAccessToken = await factory.UserAccessToken.create({
+        userId: user.id,
+        token: hashToken(token),
+      });
+      await UserAccessTokenScope.query().insert({
+        userAccessTokenId: userAccessToken.id,
+        accountId: account.id,
+      });
+
+      await request(app)
+        .get("/projects/acme/web/builds/4")
+        .set("Authorization", `Bearer ${token}`)
+        .expect(200)
+        .expect((res) => {
+          expect(res.body.id).toBe(build.id);
+        });
+    });
+  });
 });