Add Internal v2 API Access Token Generation for Users#3597
Draft
aaronskiba wants to merge 21 commits intoapi_v2_dmponlinefrom
Draft
Add Internal v2 API Access Token Generation for Users#3597aaronskiba wants to merge 21 commits intoapi_v2_dmponlinefrom
aaronskiba wants to merge 21 commits intoapi_v2_dmponlinefrom
Conversation
Generated by 🚫 Danger |
momo3404
reviewed
Feb 11, 2026
Collaborator
|
There's two documentation related Rubocop errors
|
aaronskiba
force-pushed
the
aaron/feature/v2-api-token-for-internal-users
branch
3 times, most recently
from
a5c24c6 to
23a2230
Compare
- Creates a first-party Doorkeeper client for issuing internal v2 API tokens - Sets redirect_uri to OOB, scopes to 'read', and marks it as confidential - Ensures the internal application exists in all environments before token service is used
aaronskiba
force-pushed
the
aaron/feature/v2-api-token-for-internal-users
branch
2 times, most recently
from
ad94297 to
5c24cdf
Compare
This service manages user-scoped v2 API access tokens for internal app users. - Tokens are equivalent to first-party Personal Access Tokens (PATs) and are issued directly to authenticated users, bypassing the full OAuth 2.0 authorization_code flow. - Supports token creation, rotation, and revocation. - Uses Doorkeeper::AccessToken records for consistent scoping, expiry, and revocation handling. - Designed strictly for internal usage; third-party OAuth clients are not supported.
Adds `Api::V2::InternalUserAccessTokensController#create` with Pundit authorization and routing. Also reuses the existing `users/refresh_token.js.erb` response to update the UI via JS. `@success` is read by `app/views/users/refresh_token.js.erb` (similar approach as `UsersController#refresh_token`)
This change updates `app/views/devise/registrations/_api_token.html.erb` to include support for the v2 API access token. Existing v0/v1 token support is retained. - Introduce V2 token lookup via `Api::V2::InternalUserAccessTokenService` - Display a dedicated V2 API access token section with its own regeneration action
This change breaks refactors `_api_token.html.erb` into additional separate partials: 1) app/views/devise/registrations/_legacy_api_token.html.erb 2) app/views/devise/registrations/_v2_api_token.html.erb In addition to the refactor, the following changes have been made: - `<div id="api-token"` has been renamed to `<div id="legacy-api-token"` - A `<div id="api-tokens">` wrapper has been added in app/views/devise/registrations/_api_token.html.erb. - `app/views/users/refresh_token.js.erb` now references the '#api-tokens' wrapper.
The API Access tab is now visible to all users to support the new v2 API token, which is accessible to everyone. The existing v0/v1 legacy token remains restricted and continues to use the previous authorization and rendering logic within the tab.
Styling changes can be viewed at /users/edit#api-details
`InternalUserAccessTokenService`: add `application!` (lookup + raise) and `application_present?` (safe check with logging) `_v2_api_token.html.erb`: gate token UI on `application_present?` and show a warning when missing.
Add request specs for InternalUserAccessTokensController - Include both authenticated & unauthenticated user scenarios - Include both present & absent internal OAuth app scenarios Add service specs for InternalUserAccessTokenService - Test token retrieval, rotation, and OAuth app presence - Verify old token revocation when rotating Add view specs for API token partials - Test legacy partial rendering based on `user.can_use_api?` - Test OAuth application availability scenarios
Add `defaults: { format: :js }` to the internal_user_access_token route, allowing callers to omit the explicit format parameter.
aaronskiba
force-pushed
the
aaron/feature/v2-api-token-for-internal-users
branch
from
5c24cdf to
6a54ad5
Compare
aaronskiba
changed the title
Commit 6e7c21c allows us to have a NULL `redirect_uri`. Previously, this value was merely a placeholder due to the NOT NULL constraint.
This comment was marked as outdated.
This comment was marked as outdated.
With `hash_token_secrets` enabled, `token.plaintext_token` is only available at creation or rotation time and cannot be retrieved later. This change ensures secure handling of API tokens in line with best practices for hashed token storage. - Update `InternalUserAccessTokenService#rotate!` to return `token.plaintext_token` at creation time - Pass the plaintext token from InternalUserAccessTokensController#create to `app/views/devise/registrations/_v2_api_token.html.erb` - In `_v2_api_token.html.erb`, render the plaintext token when available and display a warning to users to copy and store the token securely, as it will not be shown again after leaving or refreshing the page. - Updated all affected Spec files as well. - The `context 'when user is not authenticated' do` test has been updated. It now enables CSRF protection, enabling the test to accurately capture the behaviour that will be captured in production.
Replace the "Regenerate token" link with a real `<button>` for improved accessibility and native disabled styling. The button is disabled when a token is present, preventing users from generating multiple tokens in rapid succession. This change improves user experience and prevents token spamming.
aaronskiba
force-pushed
the
aaron/feature/v2-api-token-for-internal-users
branch
from
01cf821 to
1928d53
Compare
update html
- The button initially displays 'Copy', then a check mark after it is clicked for two seconds
- 'code' was replaced by `api-token-val`
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
Summary
This PR introduces support for issuing internal, user-scoped v2 API access tokens, managed entirely within the application (first-party tokens) for internal users.
Key Changes
Create internal Doorkeeper app via rake task
bundle exec rake doorkeeper:ensure_internal_appCreate Api::V2::InternalUserAccessTokenService
Doorkeeper::AccessTokenrecords for consistent scoping, expiry, and revocation handling.Add "POST /api/v2/internal_user_access_token" action & route
Adds
Api::V2::InternalUserAccessTokensController#createwith Pundit authorization and routing. Also reuses the existingusers/refresh_token.js.erbresponse to update the UI via JS.@successis read byapp/views/users/refresh_token.js.erb(similar approach asUsersController#refresh_token)Add API v2 section to /users/edit#api-details
app/views/devise/registrations/_api_token.html.erbto include support for the v2 API access token. Existing v0/v1 token support is retained.Api::V2::InternalUserAccessTokenServiceExpose API Access tab to all users / restrict legacy token rendering
which is accessible to everyone.
Add test coverage for internal v2 token generation
Add request specs for InternalUserAccessTokensController
Add service specs for
InternalUserAccessTokenServiceAdd view specs for API token partials
user.can_use_api?