feat: api keys

2026-02-15 12:20:31 +00:00 · 2025-07-01 23:05:58 +02:00
parent 9f6e9e85a5
commit 84cb7693c8
16 changed files with 266 additions and 8 deletions
--- a/packages/server/src/modules/Accounts/Accounts.controller.ts
+++ b/packages/server/src/modules/Accounts/Accounts.controller.ts
@@ -176,7 +176,6 @@ export class AccountsController {
      items: { $ref: getSchemaPath(AccountResponseDto) },
    },
  })
-  @ApiResponse({})
  async getAccounts(@Query() filter: Partial<IAccountsFilter>) {
    return this.accountsApplication.getAccounts(filter);
  }
--- a/packages/server/src/modules/Auth/Auth.module.ts
+++ b/packages/server/src/modules/Auth/Auth.module.ts
@@ -32,11 +32,22 @@ import { AuthedController } from './Authed.controller';
 import { GetAuthenticatedAccount } from './queries/GetAuthedAccount.service';
 import { TenancyModule } from '../Tenancy/Tenancy.module';
 import { EnsureUserVerifiedGuard } from './guards/EnsureUserVerified.guard';
+import { ApiKeyAuthGuard } from './api-key/AuthApiKey.guard';
+import { MixedAuthGuard } from './api-key/MixedAuth.guard';
+import { ApiKeyStrategy } from './api-key/AuthApiKey.strategy';
+import { ApiKeyModel } from './models/ApiKey.model';
+import { AuthApiKeysController } from './AuthApiKeys.controllers';
+import { AuthApiKeyAuthorizeService } from './commands/AuthApiKeyAuthorization.service';
+import { GenerateApiKey } from './commands/GenerateApiKey.service';
+import { GetApiKeysService } from './queries/GetApiKeys.service';

-const models = [InjectSystemModel(PasswordReset)];
+const models = [
+  InjectSystemModel(PasswordReset),
+  InjectSystemModel(ApiKeyModel),
+];

@Module({
-  controllers: [AuthController, AuthedController],
+  controllers: [AuthController, AuthedController, AuthApiKeysController],
  imports: [
    MailModule,
    PassportModule.register({ defaultStrategy: 'jwt' }),
@@ -70,9 +81,15 @@ const models = [InjectSystemModel(PasswordReset)];
    SendSignupVerificationMailProcessor,
    GetAuthMetaService,
    GetAuthenticatedAccount,
+    ApiKeyAuthGuard,
+    ApiKeyStrategy,
+    AuthApiKeyAuthorizeService,
+    GenerateApiKey,
+    GetApiKeysService,
+    JwtAuthGuard,
    {
      provide: APP_GUARD,
-      useClass: JwtAuthGuard,
+      useClass: MixedAuthGuard,
    },
    {
      provide: APP_GUARD,
--- a/packages/server/src/modules/Auth/AuthApiKeys.controllers.ts
+++ b/packages/server/src/modules/Auth/AuthApiKeys.controllers.ts
@@ -0,0 +1,26 @@
+import { Controller, Post, Param, Get } from '@nestjs/common';
+import { GenerateApiKey } from './commands/GenerateApiKey.service';
+import { GetApiKeysService } from './queries/GetApiKeys.service';
+
+@Controller('api-keys')
+export class AuthApiKeysController {
+  constructor(
+    private readonly getApiKeysService: GetApiKeysService,
+    private readonly generateApiKeyService: GenerateApiKey,
+  ) {}
+
+  @Post('generate')
+  async generate() {
+    return this.generateApiKeyService.generate();
+  }
+
+  @Post(':id/revoke')
+  async revoke(@Param('id') id: number) {
+    return this.generateApiKeyService.revoke(id);
+  }
+
+  @Get()
+  async getApiKeys() {
+    return this.getApiKeysService.getApiKeys();
+  }
+}
--- a/packages/server/src/modules/Auth/api-key/AuthApiKey.guard.ts
+++ b/packages/server/src/modules/Auth/api-key/AuthApiKey.guard.ts
@@ -0,0 +1,13 @@
+import { ExecutionContext, Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+
+@Injectable()
+export class ApiKeyAuthGuard extends AuthGuard('apiKey') {
+  constructor() {
+    super();
+  }
+
+  canActivate(context: ExecutionContext) {
+    return super.canActivate(context);
+  }
+}
--- a/packages/server/src/modules/Auth/api-key/AuthApiKey.strategy.ts
+++ b/packages/server/src/modules/Auth/api-key/AuthApiKey.strategy.ts
@@ -0,0 +1,26 @@
+import { HeaderAPIKeyStrategy } from 'passport-headerapikey';
+import { PassportStrategy } from '@nestjs/passport';
+import { Injectable } from '@nestjs/common';
+import { AuthApiKeyAuthorizeService } from '../commands/AuthApiKeyAuthorization.service';
+
+@Injectable()
+export class ApiKeyStrategy extends PassportStrategy(
+  HeaderAPIKeyStrategy,
+  'apiKey',
+) {
+  constructor(
+    private readonly authApiKeyAuthorizeService: AuthApiKeyAuthorizeService,
+  ) {
+    super(
+      {
+        header: 'x-api-key',
+        prefix: '',
+      },
+      false,
+    );
+  }
+
+  validate(apiKey: string): unknown {
+    return this.authApiKeyAuthorizeService.authorize(apiKey);
+  }
+}
--- a/packages/server/src/modules/Auth/api-key/MixedAuth.guard.ts
+++ b/packages/server/src/modules/Auth/api-key/MixedAuth.guard.ts
@@ -0,0 +1,23 @@
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { JwtAuthGuard } from '../guards/jwt.guard';
+import { ApiKeyAuthGuard } from './AuthApiKey.guard';
+
+// mixed-auth.guard.ts
+@Injectable()
+export class MixedAuthGuard implements CanActivate {
+  constructor(
+    private jwtGuard: JwtAuthGuard,
+    private apiKeyGuard: ApiKeyAuthGuard,
+  ) {}
+
+  canActivate(context: ExecutionContext) {
+    const request = context.switchToHttp().getRequest();
+    const apiKey = request.headers['x-api-key'];
+
+    if (apiKey) {
+      return this.apiKeyGuard.canActivate(context);
+    } else {
+      return this.jwtGuard.canActivate(context);
+    }
+  }
+}
--- a/packages/server/src/modules/Auth/commands/AuthApiKeyAuthorization.service.ts
+++ b/packages/server/src/modules/Auth/commands/AuthApiKeyAuthorization.service.ts
@@ -0,0 +1,33 @@
+import { Inject, Injectable } from '@nestjs/common';
+import { ApiKeyModel } from '../models/ApiKey.model';
+
+@Injectable()
+export class AuthApiKeyAuthorizeService {
+  constructor(
+    @Inject(ApiKeyModel.name)
+    private readonly apikeyModel: typeof ApiKeyModel,
+  ) {}
+
+  /**
+   * Authenticate using the given api key.
+   */
+  async authorize(apiKey: string): Promise<boolean> {
+    const apiKeyRecord = await this.apikeyModel
+      .query()
+      .findOne({ key: apiKey });
+
+    if (!apiKeyRecord) {
+      return false;
+    }
+    if (apiKeyRecord.revoked) {
+      return false;
+    }
+    if (
+      apiKeyRecord.expiresAt &&
+      new Date(apiKeyRecord.expiresAt) < new Date()
+    ) {
+      return false;
+    }
+    return true;
+  }
+}
--- a/packages/server/src/modules/Auth/commands/GenerateApiKey.service.ts
+++ b/packages/server/src/modules/Auth/commands/GenerateApiKey.service.ts
@@ -0,0 +1,41 @@
+import { Inject, Injectable } from '@nestjs/common';
+import * as crypto from 'crypto';
+import { ApiKeyModel } from '../models/ApiKey.model';
+import { TenancyContext } from '@/modules/Tenancy/TenancyContext.service';
+
+@Injectable()
+export class GenerateApiKey {
+  constructor(
+    private readonly tenancyContext: TenancyContext,
+    @Inject(ApiKeyModel.name)
+    private readonly apiKeyModel: typeof ApiKeyModel,
+  ) {}
+
+  /**
+   *
+   * @returns
+   */
+  async generate() {
+    const tenant = await this.tenancyContext.getTenant();
+    const user = await this.tenancyContext.getSystemUser();
+
+    // Generate a secure random API key
+    const key = crypto.randomBytes(48).toString('hex');
+    // Save the API key to the database
+    const apiKeyRecord = await this.apiKeyModel.query().insert({
+      key,
+      tenantId: tenant.id,
+      userId: user.id,
+      createdAt: new Date(),
+      revoked: false,
+    });
+    // Return the created API key (not the full record for security)
+    return { key: apiKeyRecord.key, id: apiKeyRecord.id };
+  }
+
+  async revoke(apiKeyId: number) {
+    // Set the revoked flag to true for the given API key
+    await ApiKeyModel.query().findById(apiKeyId).patch({ revoked: true });
+    return { id: apiKeyId, revoked: true };
+  }
+}
--- a/packages/server/src/modules/Auth/guards/jwt.guard.ts
+++ b/packages/server/src/modules/Auth/guards/jwt.guard.ts
@@ -16,6 +16,7 @@ export class JwtAuthGuard extends AuthGuard('jwt') {
  }

  canActivate(context: ExecutionContext) {
+    const request = context.switchToHttp().getRequest();
    const isPublic = this.reflector.getAllAndOverride<boolean>(
      IS_PUBLIC_ROUTE,
      [context.getHandler(), context.getClass()],
--- a/packages/server/src/modules/Auth/models/ApiKey.model.ts
+++ b/packages/server/src/modules/Auth/models/ApiKey.model.ts
@@ -0,0 +1,25 @@
+import { SystemModel } from '@/modules/System/models/SystemModel';
+
+export class ApiKeyModel extends SystemModel {
+  readonly key: string;
+  readonly name?: string;
+  readonly createdAt: Date;
+  readonly expiresAt?: Date;
+  readonly revoked?: boolean;
+  readonly userId: number;
+  readonly tenantId: number;
+
+  /**
+   * Table name
+   */
+  static get tableName() {
+    return 'api_keys';
+  }
+
+  /**
+   * Timestamps columns.
+   */
+  get timestamps() {
+    return ['createdAt'];
+  }
+}
--- a/packages/server/src/modules/Auth/queries/GetApiKeys.service.ts
+++ b/packages/server/src/modules/Auth/queries/GetApiKeys.service.ts
@@ -0,0 +1,28 @@
+import { Inject, Injectable } from '@nestjs/common';
+import { ApiKeyModel } from '../models/ApiKey.model';
+import { GetApiKeysTransformer } from './GetApiKeys.transformer';
+import { TransformerInjectable } from '@/modules/Transformer/TransformerInjectable.service';
+import { TenancyContext } from '@/modules/Tenancy/TenancyContext.service';
+
+@Injectable()
+export class GetApiKeysService {
+  constructor(
+    private readonly injectableTransformer: TransformerInjectable,
+    private readonly tenancyContext: TenancyContext,
+
+    @Inject(ApiKeyModel.name)
+    private readonly apiKeyModel: typeof ApiKeyModel,
+  ) {}
+
+  async getApiKeys() {
+    const tenant = await this.tenancyContext.getTenant();
+    const apiKeys = await this.apiKeyModel
+      .query()
+      .where({ tenantId: tenant.id });
+
+    return this.injectableTransformer.transform(
+      apiKeys,
+      new GetApiKeysTransformer(),
+    );
+  }
+}
--- a/packages/server/src/modules/Auth/queries/GetApiKeys.transformer.ts
+++ b/packages/server/src/modules/Auth/queries/GetApiKeys.transformer.ts
@@ -0,0 +1,16 @@
+import { Transformer } from '@/modules/Transformer/Transformer';
+
+export class GetApiKeysTransformer extends Transformer {
+  public includeAttributes = (): string[] => {
+    return [
+      'id',
+      'key',
+      'name',
+      'createdAt',
+      'expiresAt',
+      'revoked',
+      'userId',
+      'tenantId',
+    ];
+  };
+}
--- a/packages/server/src/modules/Items/Item.controller.ts
+++ b/packages/server/src/modules/Items/Item.controller.ts
@@ -11,8 +11,8 @@ import {
  Query,
 } from '@nestjs/common';
 import { TenantController } from '../Tenancy/Tenant.controller';
-import { SubscriptionGuard } from '../Subscription/interceptors/Subscription.guard';
-import { JwtAuthGuard } from '../Auth/guards/jwt.guard';
+// import { SubscriptionGuard } from '../Subscription/interceptors/Subscription.guard';
+// import { JwtAuthGuard } from '../Auth/guards/jwt.guard';
 import { ItemsApplicationService } from './ItemsApplication.service';
 import {
  ApiExtraModels,
@@ -31,6 +31,7 @@ import { ItemInvoiceResponseDto } from './dtos/itemInvoiceResponse.dto';
 import { ItemEstimatesResponseDto } from './dtos/ItemEstimatesResponse.dto';
 import { ItemBillsResponseDto } from './dtos/itemBillsResponse.dto';
 import { ItemReceiptsResponseDto } from './dtos/ItemReceiptsResponse.dto';
+import { SubscriptionGuard } from '../Subscription/interceptors/Subscription.guard';

@Controller('/items')
@ApiTags('Items')
@@ -138,7 +139,6 @@ export class ItemsController extends TenantController {
   * @returns The updated item id.
   */
  @Put(':id')
-  @UseGuards(JwtAuthGuard)
  @ApiOperation({ summary: 'Edit the given item (product or service).' })
  @ApiResponse({
    status: 200,
--- a/packages/server/src/modules/SaleInvoices/ledger/InvoiceGLEntries.ts
+++ b/packages/server/src/modules/SaleInvoices/ledger/InvoiceGLEntries.ts
@@ -63,7 +63,6 @@ export class SaleInvoiceGLEntries {

  /**
   * Rewrites the given invoice GL entries.
-   * @param {number} tenantId
   * @param {number} saleInvoiceId
   * @param {Knex.Transaction} trx
   */