feat: team api tokens

packages/lib/server-only/public-api/create-api-token.ts

@@ -2,6 +2,7 @@ import type { Duration } from 'luxon';
 import { DateTime } from 'luxon';
 
 import { prisma } from '@documenso/prisma';
+import { TeamMemberRole } from '@documenso/prisma/client';
 
 // temporary choice for testing only
 import * as timeConstants from '../../constants/time';
@@ -14,14 +15,16 @@ type TimeConstants = typeof timeConstants & {
 
 type CreateApiTokenInput = {
   userId: number;
+  teamId?: number;
   tokenName: string;
-  expirationDate: string | null;
+  expiresIn: string | null;
 };
 
 export const createApiToken = async ({
   userId,
+  teamId,
   tokenName,
-  expirationDate,
+  expiresIn,
 }: CreateApiTokenInput) => {
   const apiToken = `api_${alphaid(16)}`;
 
@@ -29,23 +32,36 @@ export const createApiToken = async ({
 
   const timeConstantsRecords: TimeConstants = timeConstants;
 
-  const dbToken = await prisma.apiToken.create({
+  if (teamId) {
+    const member = await prisma.teamMember.findFirst({
+      where: {
+        userId,
+        teamId,
+        role: TeamMemberRole.ADMIN,
+      },
+    });
+
+    if (!member) {
+      throw new Error('You do not have permission to create a token for this team');
+    }
+  }
+
+  const storedToken = await prisma.apiToken.create({
     data: {
-      token: hashedToken,
       name: tokenName,
-      userId,
-      expires: expirationDate
-        ? DateTime.now().plus(timeConstantsRecords[expirationDate]).toJSDate()
-        : null,
+      token: hashedToken,
+      expires: expiresIn ? DateTime.now().plus(timeConstantsRecords[expiresIn]).toJSDate() : null,
+      userId: teamId ? null : userId,
+      teamId,
     },
   });
 
-  if (!dbToken) {
+  if (!storedToken) {
     throw new Error('Failed to create the API token');
   }
 
   return {
-    id: dbToken.id,
+    id: storedToken.id,
     token: apiToken,
   };
 };

packages/lib/server-only/public-api/delete-api-token-by-id.ts

@@ -1,15 +1,32 @@
 import { prisma } from '@documenso/prisma';
+import { TeamMemberRole } from '@documenso/prisma/client';
 
 export type DeleteTokenByIdOptions = {
   id: number;
   userId: number;
+  teamId?: number;
 };
 
-export const deleteTokenById = async ({ id, userId }: DeleteTokenByIdOptions) => {
+export const deleteTokenById = async ({ id, userId, teamId }: DeleteTokenByIdOptions) => {
+  if (teamId) {
+    const member = await prisma.teamMember.findFirst({
+      where: {
+        userId,
+        teamId,
+        role: TeamMemberRole.ADMIN,
+      },
+    });
+
+    if (!member) {
+      throw new Error('You do not have permission to delete this token');
+    }
+  }
+
   return await prisma.apiToken.delete({
     where: {
       id,
-      userId,
+      userId: teamId ? null : userId,
+      teamId,
     },
   });
 };

packages/lib/server-only/public-api/get-all-team-tokens.ts

@@ -0,0 +1,36 @@
+import { prisma } from '@documenso/prisma';
+import { TeamMemberRole } from '@documenso/prisma/client';
+
+export type GetUserTokensOptions = {
+  userId: number;
+  teamId: number;
+};
+
+export const getTeamTokens = async ({ userId, teamId }: GetUserTokensOptions) => {
+  const teamMember = await prisma.teamMember.findFirst({
+    where: {
+      userId,
+      teamId,
+    },
+  });
+
+  if (teamMember?.role !== TeamMemberRole.ADMIN) {
+    throw new Error('You do not have permission to view tokens for this team');
+  }
+
+  return await prisma.apiToken.findMany({
+    where: {
+      teamId,
+    },
+    select: {
+      id: true,
+      name: true,
+      algorithm: true,
+      createdAt: true,
+      expires: true,
+    },
+    orderBy: {
+      createdAt: 'desc',
+    },
+  });
+};

packages/lib/server-only/public-api/get-api-token-by-token.ts

@@ -0,0 +1,41 @@
+import { prisma } from '@documenso/prisma';
+
+import { hashString } from '../auth/hash';
+
+export const getApiTokenByToken = async ({ token }: { token: string }) => {
+  const hashedToken = hashString(token);
+
+  const apiToken = await prisma.apiToken.findFirst({
+    where: {
+      token: hashedToken,
+    },
+    include: {
+      team: true,
+      user: true,
+    },
+  });
+
+  if (!apiToken) {
+    throw new Error('Invalid token');
+  }
+
+  if (apiToken.expires && apiToken.expires < new Date()) {
+    throw new Error('Expired token');
+  }
+
+  if (apiToken.team) {
+    apiToken.user = await prisma.user.findFirst({
+      where: {
+        id: apiToken.team.ownerUserId,
+      },
+    });
+  }
+
+  const { user } = apiToken;
+
+  if (!user) {
+    throw new Error('Invalid token');
+  }
+
+  return { ...apiToken, user };
+};

packages/lib/server-only/public-api/get-user-by-token.ts

@@ -1,37 +0,0 @@
-import { prisma } from '@documenso/prisma';
-
-import { hashString } from '../auth/hash';
-
-export const getUserByApiToken = async ({ token }: { token: string }) => {
-  const hashedToken = hashString(token);
-
-  const user = await prisma.user.findFirst({
-    where: {
-      ApiToken: {
-        some: {
-          token: hashedToken,
-        },
-      },
-    },
-    include: {
-      ApiToken: true,
-    },
-  });
-
-  if (!user) {
-    throw new Error('Invalid token');
-  }
-
-  const retrievedToken = user.ApiToken.find((apiToken) => apiToken.token === hashedToken);
-
-  // This should be impossible but we need to satisfy TypeScript
-  if (!retrievedToken) {
-    throw new Error('Invalid token');
-  }
-
-  if (retrievedToken.expires && retrievedToken.expires < new Date()) {
-    throw new Error('Expired token');
-  }
-
-  return user;
-};