Add API token authentication (#990)

* add basic API token management frontend

* handle crud stuff for API tokens

* add copy step to add modal

* fix typo

* handle token auth

* handle token auth only if enterprise features are enabled

* adjust frontend styling

* lint fix

* hide API tokens if enterprise features are disabled

* update query data

* limit API tokens to admin users only

* prevent non-admin user token auth

* add integration tests

---------

Co-authored-by: Maciej Wójcik <[email protected]>

Author: wojcik91

.sqlx/query-17bf3525210568070619821a85778c3b2daff9fcb78b7f1a56a5f2555c8a3f79.json

@@ -63,6 +63,7 @@ serde_cbor = { version = "0.12.0-dev", package = "serde_cbor_2" }
 serde_json = "1.0"
 serde_urlencoded = "0.7"
 sha-1 = "0.10"
+sha256 = "1.5"
 sqlx = { version = "0.8", features = [
     "chrono",
     "ipnetwork",

.sqlx/query-3b3c28a99faeeaf24ff0fc5a3592e8010ceb453fbcf1672b23ef086e76c48958.json

@@ -0,0 +1 @@
+DROP TABLE api_token;

.sqlx/query-a9c89bbf3b1a74d9a703bc775255d20ff2c4a6c0806d574c8b398cf94acd38ea.json

@@ -0,0 +1,8 @@
+CREATE TABLE api_token (
+    id bigserial PRIMARY KEY,
+    user_id bigint NOT NULL,
+    created_at timestamp without time zone NOT NULL,
+    name text NOT NULL,
+    token_hash text NOT NULL,
+    FOREIGN KEY(user_id) REFERENCES "user"(id) ON DELETE CASCADE
+);

.sqlx/query-ca574efcc6bdee6b91f0896cbdf2d92b6410bfcf1067ee9362d4d2679bb78750.json

@@ -6,10 +6,15 @@ use std::{
 };
 
 use axum::{
-    extract::{FromRef, FromRequestParts},
+    extract::{FromRef, FromRequestParts, OptionalFromRequestParts},
     http::{header::AUTHORIZATION, request::Parts},
 };
-use axum_extra::extract::cookie::CookieJar;
+use axum_client_ip::InsecureClientIp;
+use axum_extra::{
+    extract::cookie::CookieJar,
+    headers::{authorization::Bearer, Authorization},
+    TypedHeader,
+};
 use jsonwebtoken::{
     decode, encode, errors::Error as JWTError, DecodingKey, EncodingKey, Header, Validation,
 };
@@ -21,6 +26,7 @@ use crate::{
         models::group::Permission, Group, Id, OAuth2AuthorizedApp, OAuth2Token, Session,
         SessionState, User,
     },
+    enterprise::{db::models::api_tokens::ApiToken, is_enterprise_enabled},
     error::WebError,
     handlers::SESSION_COOKIE_NAME,
 };
@@ -126,6 +132,42 @@ where
 
     async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
         let appstate = AppState::from_ref(state);
+
+        // first try to authenticate by API token if one is found in header
+        if is_enterprise_enabled() {
+            let maybe_auth_header: Option<TypedHeader<Authorization<Bearer>>> =
+                <TypedHeader<_> as OptionalFromRequestParts<S>>::from_request_parts(parts, state)
+                    .await
+                    .map_err(|err| {
+                        error!("Failed to extract optional auth header: {err}");
+                        WebError::Authorization("Invalid auth header".into())
+                    })?;
+            if let Some(header) = maybe_auth_header {
+                let token_string = header.token();
+                debug!("Trying to authorize request using API token: {token_string}");
+                return match ApiToken::try_find_by_auth_token(&appstate.pool, token_string).await {
+                    Ok(Some(api_token)) => {
+                        // create a dummy session and don't store it in the DB
+                        // since each request needs to be authorized anyway
+                        let ip_address = InsecureClientIp::from_request_parts(parts, state)
+                            .await
+                            .map_err(|err| {
+                            error!("Failed to get client IP: {err:?}");
+                            WebError::ClientIpError
+                        })?;
+                        Ok(Session::new(
+                            api_token.user_id,
+                            SessionState::ApiTokenVerified,
+                            ip_address.0.to_string(),
+                            None,
+                        ))
+                    }
+                    Ok(None) => Err(WebError::Authorization("Invalid API token".into())),
+                    Err(err) => Err(err.into()),
+                };
+            };
+        }
+
         let Ok(cookies) = CookieJar::from_request_parts(parts, state).await;
         if let Some(session_cookie) = cookies.get(SESSION_COOKIE_NAME) {
             return {
@@ -183,18 +225,29 @@ where
     type Rejection = WebError;
 
     async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
-        let appstate = AppState::from_ref(state);
         let session = Session::from_request_parts(parts, state).await?;
+        let appstate = AppState::from_ref(state);
         let user = User::find_by_id(&appstate.pool, session.user_id).await?;
 
         if let Some(user) = user {
-            if user.mfa_enabled && session.state != SessionState::MultiFactorVerified {
+            if user.mfa_enabled
+                && (session.state != SessionState::MultiFactorVerified
+                    && session.state != SessionState::ApiTokenVerified)
+            {
                 return Err(WebError::Authorization("MFA not verified".into()));
             }
             let Ok(groups) = user.member_of(&appstate.pool).await else {
                 return Err(WebError::DbError("cannot fetch groups".into()));
             };
             let is_admin = user.is_admin(&appstate.pool).await?;
+
+            // non-admin users are not allowed to use token auth
+            if !is_admin && session.state == SessionState::ApiTokenVerified {
+                return Err(WebError::Forbidden(
+                    "Token authentication is not allowed for normal users".into(),
+                ));
+            }
+
             Ok(SessionInfo {
                 session,
                 user,