feat: add personal access tokens

Author: jsfez

apps/backend/db/migrations/20260401084427_user_access_tokens.js

@@ -0,0 +1,36 @@
+/**
+ * @param {import('knex').Knex} knex
+ */
+export const up = async (knex) => {
+  await knex.schema.createTable("user_access_tokens", (table) => {
+    table.bigIncrements("id").primary();
+    table.dateTime("createdAt").notNullable();
+    table.dateTime("updatedAt").notNullable();
+    table.bigInteger("userId").notNullable().index();
+    table.foreign("userId").references("users.id");
+    table.string("name").notNullable();
+    table.string("token").notNullable().unique();
+    table.dateTime("expireAt").nullable();
+    table.dateTime("lastUsedAt").nullable();
+    table.string("createdBy").notNullable();
+  });
+
+  await knex.schema.createTable("user_access_token_scopes", (table) => {
+    table.bigIncrements("id").primary();
+    table.dateTime("createdAt").notNullable();
+    table.dateTime("updatedAt").notNullable();
+    table.bigInteger("userAccessTokenId").notNullable().index();
+    table.foreign("userAccessTokenId").references("user_access_tokens.id");
+    table.bigInteger("accountId").notNullable().index();
+    table.foreign("accountId").references("accounts.id");
+    table.unique(["userAccessTokenId", "accountId"]);
+  });
+};
+
+/**
+ * @param {import('knex').Knex} knex
+ */
+export const down = async (knex) => {
+  await knex.schema.dropTable("user_access_token_scopes");
+  await knex.schema.dropTable("user_access_tokens");
+};

apps/backend/src/api/handlers/getAuthBuildByNumber.e2e.test.ts

@@ -3,6 +3,8 @@ import request from "supertest";
 import { beforeAll, beforeEach, describe, expect, it } from "vitest";
 import z from "zod";
 
+import { UserAccessToken, UserAccessTokenScope } from "@/database/models";
+import { hashToken } from "@/database/services/crypto";
 import { factory, setupDatabase } from "@/database/testing";
 
 import { createTestHandlerApp } from "../test-util";
@@ -137,4 +139,52 @@ describe("getAuthBuildByNumber", () => {
         .expect(400);
     });
   });
+
+  describe("with a user access token on explicit project route", () => {
+    it("returns the build", async () => {
+      const [user, account] = await Promise.all([
+        factory.User.create(),
+        factory.TeamAccount.create({ slug: "acme" }),
+      ]);
+
+      const [project] = await Promise.all([
+        factory.Project.create({
+          accountId: account.id,
+          name: "web",
+        }),
+        factory.UserAccount.create({ userId: user.id }),
+        factory.TeamUser.create({
+          teamId: account.teamId,
+          userId: user.id,
+          userLevel: "member",
+        }),
+      ]);
+      const bucket = await factory.ScreenshotBucket.create({
+        projectId: project.id,
+      });
+      const build = await factory.Build.create({
+        projectId: project.id,
+        compareScreenshotBucketId: bucket.id,
+        number: 4,
+      });
+
+      const token = UserAccessToken.generateToken();
+      const userAccessToken = await factory.UserAccessToken.create({
+        userId: user.id,
+        token: hashToken(token),
+      });
+      await UserAccessTokenScope.query().insert({
+        userAccessTokenId: userAccessToken.id,
+        accountId: account.id,
+      });
+
+      await request(app)
+        .get("/projects/acme/web/builds/4")
+        .set("Authorization", `Bearer ${token}`)
+        .expect(200)
+        .expect((res) => {
+          expect(res.body.id).toBe(build.id);
+        });
+    });
+  });
 });

apps/backend/src/api/handlers/getAuthBuildByNumber.ts

@@ -7,12 +7,17 @@ import { repoAuth } from "@/web/middlewares/repoAuth";
 
 import { BuildSchema, serializeBuild } from "../schema/primitives/build";
 import {
+  forbidden,
   invalidParameters,
   notFound,
   serverError,
   unauthorized,
 } from "../schema/util/error";
 import { CreateAPIHandler } from "../util";
+import {
+  getAuthorizedProjectFromRequest,
+  getAuthorizedProjectFromRequestResponses,
+} from "./projectAccess";
 
 const BuildNumberSchema = z
   .string()
@@ -23,45 +28,85 @@ const BuildNumberSchema = z
     id: "BuildNumber",
   });
 
+const ProjectPathParamsSchema = z.object({
+  owner: z.string().min(1),
+  project: z.string().min(1),
+  buildNumber: BuildNumberSchema,
+});
+
+const responses = {
+  ...getAuthorizedProjectFromRequestResponses,
+  "200": {
+    description: "Build",
+    content: { "application/json": { schema: BuildSchema } },
+  },
+  "400": invalidParameters,
+  "401": unauthorized,
+  "404": notFound,
+  "500": serverError,
+} satisfies ZodOpenApiOperationObject["responses"];
+
 export const getAuthBuildByNumberOperation = {
   operationId: "getAuthBuildByNumber",
-  requestParams: {
-    path: z.object({
-      buildNumber: BuildNumberSchema,
-    }),
-  },
-  responses: {
-    "200": {
-      description: "Build",
-      content: {
-        "application/json": {
-          schema: BuildSchema,
-        },
-      },
-    },
-    "400": invalidParameters,
-    "401": unauthorized,
-    "404": notFound,
-    "500": serverError,
-  },
+  requestParams: { path: z.object({ buildNumber: BuildNumberSchema }) },
+  responses,
 } satisfies ZodOpenApiOperationObject;
 
+export const getProjectBuildByNumberOperation = {
+  operationId: "getProjectBuildByNumber",
+  requestParams: { path: ProjectPathParamsSchema },
+  responses: { ...responses, "403": forbidden },
+} satisfies ZodOpenApiOperationObject;
+
+async function fetchBuildOrThrow(args: {
+  projectId: string;
+  buildNumber: number;
+}) {
+  const { buildNumber, projectId } = args;
+
+  const build = await Build.query().findOne({
+    number: buildNumber,
+    projectId,
+  });
+
+  if (!build) {
+    throw boom(404, "Not found");
+  }
+
+  return build;
+}
+
 export const getAuthBuildByNumber: CreateAPIHandler = ({ get }) => {
-  return get("/project/builds/{buildNumber}", repoAuth, async (req, res) => {
+  get("/project/builds/{buildNumber}", repoAuth, async (req, res) => {
     if (!req.authProject) {
       throw boom(401, "Unauthorized");
     }
-    const { params } = req.ctx;
 
-    const build = await Build.query().findOne({
-      number: params.buildNumber,
+    const build = await fetchBuildOrThrow({
       projectId: req.authProject.id,
+      buildNumber: req.ctx.params.buildNumber,
     });
 
-    if (!build) {
-      throw boom(404, "Not found");
-    }
-
     res.send(await serializeBuild(build));
   });
+
+  get(
+    "/projects/{owner}/{project}/builds/{buildNumber}",
+    repoAuth,
+    async (req, res) => {
+      const { owner, project, buildNumber } = req.ctx.params;
+      const authorizedProject = await getAuthorizedProjectFromRequest({
+        request: req,
+        owner,
+        projectName: project,
+      });
+
+      const build = await fetchBuildOrThrow({
+        projectId: authorizedProject.id,
+        buildNumber,
+      });
+
+      res.send(await serializeBuild(build));
+    },
+  );
 };

apps/backend/src/api/handlers/getAuthProject.e2e.test.ts

@@ -2,6 +2,8 @@ import request from "supertest";
 import { beforeEach, describe, expect, it } from "vitest";
 
 import type { Build, Project } from "@/database/models";
+import { UserAccessToken, UserAccessTokenScope } from "@/database/models";
+import { hashToken } from "@/database/services/crypto";
 import { factory, setupDatabase } from "@/database/testing";
 
 import { createTestHandlerApp } from "../test-util";
@@ -53,4 +55,41 @@ describe("getAuthProject", () => {
         });
       });
   });
+
+  it("returns a project on explicit route with a user access token", async () => {
+    const [user, account] = await Promise.all([
+      factory.User.create(),
+      factory.TeamAccount.create({ slug: "acme" }),
+    ]);
+    const [project] = await Promise.all([
+      factory.Project.create({
+        accountId: account.id,
+        name: "web",
+      }),
+      factory.UserAccount.create({ userId: user.id }),
+      factory.TeamUser.create({
+        teamId: account.teamId,
+        userId: user.id,
+        userLevel: "member",
+      }),
+    ]);
+
+    const token = UserAccessToken.generateToken();
+    const userAccessToken = await factory.UserAccessToken.create({
+      userId: user.id,
+      token: hashToken(token),
+    });
+    await UserAccessTokenScope.query().insert({
+      userAccessTokenId: userAccessToken.id,
+      accountId: account.id,
+    });
+
+    await request(app)
+      .get("/projects/acme/web")
+      .set("Authorization", `Bearer ${token}`)
+      .expect(200)
+      .expect((res) => {
+        expect(res.body.id).toBe(project.id);
+      });
+  });
 });