Fixes #462

oharsta · oharsta · commit d54d5f2b8143 · 2025-09-18T13:26:03.000+02:00
diff --git a/client/src/components/UserMenu.jsx b/client/src/components/UserMenu.jsx
@@ -6,7 +6,7 @@ import {stopEvent} from "../utils/Utils";
 import {UserInfo} from "@surfnet/sds";
 import {useAppStore} from "../stores/AppStore";
 import {logout} from "../api";
-import {highestAuthority} from "../utils/UserRole";
+import {AUTHORITIES, highestAuthority} from "../utils/UserRole";
 
 
 export const UserMenu = ({user, config, actions}) => {
@@ -32,12 +32,17 @@ export const UserMenu = ({user, config, actions}) => {
     }
 
     const renderMenu = adminLinks => {
+        const authority = highestAuthority(user);
+        const apiTokenLink = authority === AUTHORITIES.INVITER || authority === AUTHORITIES.MANAGER;
         return (<>
                 <ul>
                     {user.superUser && adminLinks.map(l =>
                         <li key={l}>
                             <Link onClick={toggleUserMenu} to={`/${l}`}>{I18n.t(`header.links.${l}`)}</Link>
                         </li>)}
+                    {apiTokenLink && <li>
+                        <Link onClick={toggleUserMenu} to={`/tokens`}>{I18n.t(`header.links.tokens`)}</Link>
+                    </li>}
                     <li>
                         <Link onClick={toggleUserMenu} to={`/profile`}>{I18n.t(`header.links.profile`)}</Link>
                     </li>
diff --git a/client/src/locale/en.js b/client/src/locale/en.js
@@ -1,4 +1,4 @@
-const en = {
+    const en = {
     code: "EN",
     name: "English",
     select_locale: "Change language to English",
@@ -38,6 +38,7 @@ const en = {
             access: "Invite",
             help: "Help",
             profile: "Profile",
+            tokens: "Tokens",
             logout: "Log out"
         },
     },
@@ -400,6 +401,7 @@ const en = {
         createFlash: "API token has been created",
         submit: "Submit",
         required: "The description is required for an API token",
+        userTokens: "Your personal API tokens"
     },
     tooltips: {
         userIcon: "User {{name}} provisioned at {{createdAt}} with last activity on {{lastActivity}}",
diff --git a/client/src/locale/nl.js b/client/src/locale/nl.js
@@ -38,6 +38,7 @@ const nl = {
             access: "Invite",
             help: "Help",
             profile: "Profiel",
+            tokens: "Tokens",
             logout: "Uitloggen"
         },
     },
@@ -400,6 +401,7 @@ const nl = {
         createFlash: "API-token is aangemaakt",
         submit: "Opslaan",
         required: "Een omschrijving is verplicht voor een API-token",
+        userTokens: "Je persoonlijke API-tokens"
     },
     tooltips: {
         userIcon: "Gebruiker {{name}} geprovisiond op {{createdAt}}, laatst actief op {{lastActivity}}",
diff --git a/client/src/pages/App.js b/client/src/pages/App.js
@@ -26,6 +26,7 @@ import {Inviter} from "./Inviter";
 import {Application} from "./Application";
 import {System} from "./System";
 import {flushSync} from "react-dom";
+import {UserTokens} from "./UserTokens";
 
 
 export const App = () => {
@@ -113,6 +114,7 @@ export const App = () => {
                         <Route path="inviter" element={<Inviter/>}/>
                         <Route path="roles/:id/:tab?" element={<Role/>}/>
                         <Route path="applications/:manageId" element={<Application/>}/>
+                        <Route path="tokens" element={<UserTokens/>}/>
                         <Route path="invitation/accept"
                                element={<Invitation authenticated={true}/>}/>
                         <Route path="login" element={<Login/>}/>
diff --git a/client/src/tabs/Tokens.js b/client/src/tabs/Tokens.js
@@ -15,6 +15,7 @@ import InputField from "../components/InputField";
 import ErrorIndicator from "../components/ErrorIndicator";
 import {isEmpty, stopEvent} from "../utils/Utils";
 import {Page} from "../components/Page";
+import {AUTHORITIES, highestAuthority} from "../utils/UserRole";
 
 export const Tokens = () => {
     const {user, setFlash} = useAppStore(state => state);
@@ -23,6 +24,7 @@ export const Tokens = () => {
     const [tokenValue, setTokenValue] = useState(null);
     const [description, setDescription] = useState("");
     const [newToken, setNewToken] = useState(false);
+    const [isRegularUser, setIsRegularUser] = useState(null);
     const [loading, setLoading] = useState(true);
     const [initial, setInitial] = useState(true);
     const [confirmation, setConfirmation] = useState({});
@@ -41,7 +43,10 @@ export const Tokens = () => {
     }, []);
 
     useEffect(() => {
-        if (user.superUser || user.institutionAdmin) {
+        const authority = highestAuthority(user);
+        const isGuest = authority === AUTHORITIES.GUEST;
+        if (!isGuest) {
+            setIsRegularUser(authority === AUTHORITIES.INVITER || authority === AUTHORITIES.MANAGER);
             fetchTokens();
         } else {
             navigate("/404");
@@ -156,7 +161,7 @@ export const Tokens = () => {
             header: I18n.t("tokens.createdAt"),
             mapper: token => dateFromEpoch(token.createdAt)
         },
-        {
+        isRegularUser ? null : {
             key: "organizationGUID",
             header: I18n.t("tokens.organizationGUID"),
             mapper: token => token.organizationGUID
diff --git a/client/src/tabs/Tokens.scss b/client/src/tabs/Tokens.scss
@@ -52,7 +52,8 @@ div.mod-tokens {
             }
 
             td.trash {
-                text-align: center;
+                text-align: right;
+                padding-right: 10px;
             }
 
 
diff --git a/server/src/main/java/invite/api/APITokenController.java b/server/src/main/java/invite/api/APITokenController.java
@@ -4,6 +4,7 @@
 import invite.exception.NotFoundException;
 import invite.exception.UserRestrictionException;
 import invite.model.APIToken;
+import invite.model.Authority;
 import invite.model.User;
 import invite.repository.APITokenRepository;
 import invite.security.UserPermissions;
@@ -21,6 +22,7 @@
 
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 import static invite.SwaggerOpenIdConfig.API_TOKENS_SCHEME_NAME;
 import static invite.SwaggerOpenIdConfig.OPEN_ID_SCHEME_NAME;
@@ -44,16 +46,18 @@ public APITokenController(APITokenRepository apiTokenRepository) {
     @GetMapping("")
     public ResponseEntity<List<APIToken>> apiTokensByInstitution(@Parameter(hidden = true) User user) {
         LOG.debug(String.format("GET /tokens for user %s", user.getEduPersonPrincipalName()));
-        UserPermissions.assertInstitutionAdmin(user);
-        List<APIToken> apiTokens = user.isSuperUser() ? apiTokenRepository.findAll() : apiTokenRepository.findByOrganizationGUID(user.getOrganizationGUID());
+        UserPermissions.assertAuthority(user, Authority.INVITER);
+        List<APIToken> apiTokens = user.isSuperUser() ? apiTokenRepository.findAll() :
+                user.isInstitutionAdmin() ? apiTokenRepository.findByOrganizationGUID(user.getOrganizationGUID()) :
+                        apiTokenRepository.findByOwner(user);
         return ResponseEntity.ok(apiTokens);
     }
 
     @GetMapping("generate-token")
     public ResponseEntity<Map<String, String>> generateToken(@Parameter(hidden = true) User user,
                                                              @Parameter(hidden = true) HttpServletRequest request) {
         LOG.debug(String.format("GET /tokens/generateToken for user %s", user.getEduPersonPrincipalName()));
-        UserPermissions.assertInstitutionAdmin(user);
+        UserPermissions.assertAuthority(user, Authority.INVITER);
         String token = HashGenerator.generateToken();
         request.getSession().setAttribute(TOKEN_KEY, token);
         return ResponseEntity.ok(Map.of("token", token));
@@ -64,28 +68,37 @@ public ResponseEntity<APIToken> create(@Validated @RequestBody APIToken apiToken
                                            @Parameter(hidden = true) User user,
                                            @Parameter(hidden = true) HttpServletRequest request) {
         LOG.debug(String.format("POST /tokens/create for user %s", user.getEduPersonPrincipalName()));
-        UserPermissions.assertInstitutionAdmin(user);
+        UserPermissions.assertAuthority(user, Authority.INVITER);
         String token = (String) request.getSession().getAttribute(TOKEN_KEY);
         if (!StringUtils.hasText(token)) {
             throw new UserRestrictionException();
         }
-        APIToken apiToken = new APIToken(
-                user.getOrganizationGUID(),
-                HashGenerator.hashToken(token),
-                user.isSuperUser(),
-                apiTokenRequest.getDescription());
-        return ResponseEntity.ok(apiTokenRepository.save(apiToken));
+        APIToken apiToken;
+        if (user.isSuperUser() || user.isInstitutionAdmin()) {
+            apiToken = new APIToken(
+                    user.getOrganizationGUID(),
+                    HashGenerator.hashToken(token),
+                    user.isSuperUser(),
+                    apiTokenRequest.getDescription());
+        } else {
+            apiToken = new APIToken(HashGenerator.hashToken(token), apiTokenRequest.getDescription(), user);
+        }
+        apiToken = apiTokenRepository.save(apiToken);
+        return ResponseEntity.ok(apiToken);
     }
 
     @DeleteMapping("/{id}")
     public ResponseEntity<Void> deleteToken(@PathVariable("id") Long id, @Parameter(hidden = true) User user) {
-        LOG.debug(String.format("DETELE /tokens/deleteToken with id %s for user %s", id.toString(), user.getEduPersonPrincipalName()));
-        UserPermissions.assertInstitutionAdmin(user);
+        LOG.debug(String.format("DELETE /tokens/deleteToken with id %s for user %s", id.toString(), user.getEduPersonPrincipalName()));
+        UserPermissions.assertAuthority(user, Authority.INVITER);
         APIToken apiToken = apiTokenRepository.findById(id).orElseThrow(() -> new NotFoundException("API token not found"));
         if (apiToken.isSuperUserToken() && !user.isSuperUser()) {
             throw new UserRestrictionException();
         }
-        if (!user.isSuperUser() && !apiToken.getOrganizationGUID().equals(user.getOrganizationGUID())) {
+        if (user.isInstitutionAdmin() && !apiToken.getOrganizationGUID().equals(user.getOrganizationGUID())) {
+            throw new UserRestrictionException();
+        }
+        if (!user.isSuperUser() && !user.isInstitutionAdmin() && !Objects.equals(user.getId(), apiToken.getOwner().getId())) {
             throw new UserRestrictionException();
         }
         apiTokenRepository.delete(apiToken);
diff --git a/server/src/main/java/invite/model/APIToken.java b/server/src/main/java/invite/model/APIToken.java
@@ -1,5 +1,6 @@
 package invite.model;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.persistence.*;
 import jakarta.validation.constraints.NotBlank;
@@ -37,6 +38,11 @@ public class APIToken implements Serializable {
     @Column(name = "created_at")
     private Instant createdAt;
 
+    @ManyToOne(fetch = FetchType.EAGER)
+    @JoinColumn(name = "owner_id")
+    private User owner;
+
+
     public APIToken(String organizationGUID, String hashedValue, boolean superUserToken, String description) {
         this.organizationGUID = organizationGUID;
         this.hashedValue = hashedValue;
@@ -45,5 +51,10 @@ public APIToken(String organizationGUID, String hashedValue, boolean superUserTo
         this.createdAt = Instant.now();
     }
 
-
+    public APIToken(String hashedValue, String description, User owner) {
+        this.hashedValue = hashedValue;
+        this.description = description;
+        this.owner = owner;
+        this.createdAt = Instant.now();
+    }
 }
diff --git a/server/src/main/java/invite/repository/APITokenRepository.java b/server/src/main/java/invite/repository/APITokenRepository.java
@@ -1,6 +1,7 @@
 package invite.repository;
 
 import invite.model.APIToken;
+import invite.model.User;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.stereotype.Repository;
 
@@ -12,7 +13,7 @@ public interface APITokenRepository extends JpaRepository<APIToken, Long> {
 
     List<APIToken> findByOrganizationGUID(String organizationGUID);
 
-    List<APIToken> findBySuperUserTokenTrue();
+    List<APIToken> findByOwner(User user);
 
     Optional<APIToken> findByHashedValue(String hashedValue);
 }
diff --git a/server/src/main/java/invite/security/UserHandlerMethodArgumentResolver.java b/server/src/main/java/invite/security/UserHandlerMethodArgumentResolver.java
@@ -72,13 +72,16 @@ public User resolveArgument(MethodParameter methodParameter,
             String organizationGUID = apiToken.getOrganizationGUID();
             List<User> apiUsers = apiToken.isSuperUserToken() ?
                     userRepository.findBySuperUserTrue() :
-                    userRepository.findByOrganizationGUIDAndInstitutionAdmin(organizationGUID, true);
+                    StringUtils.hasText(organizationGUID) ?
+                    userRepository.findByOrganizationGUIDAndInstitutionAdmin(organizationGUID, true) :
+                    List.of(apiToken.getOwner());
             if (apiUsers.isEmpty()) {
                 //we don't want to return null as this is not part of the happy-path
                 throw new UserRestrictionException();
             }
-            //Does not make any difference security-wise which user we return
-            User user = apiUsers.get(0);
+            //For superusers and institution admins it does not make any difference security-wise which user we return
+            //For inviters and managers the user is linked to the API token
+            User user = apiUsers.getFirst();
             if (StringUtils.hasText(organizationGUID)) {
                 //The overhead is needed / justified for API usage as this are stateless
                 addInstitutionAdminAttributes(user, organizationGUID);
diff --git a/server/src/main/resources/db/mysql/migration/V47_0__api_token_user.sql b/server/src/main/resources/db/mysql/migration/V47_0__api_token_user.sql
@@ -0,0 +1,6 @@
+ALTER TABLE api_tokens
+    ADD COLUMN owner_id BIGINT NULL,
+ADD CONSTRAINT fk_api_tokens_user
+    FOREIGN KEY (owner_id)
+    REFERENCES users(id)
+    ON DELETE CASCADE;
diff --git a/server/src/test/java/invite/AbstractTest.java b/server/src/test/java/invite/AbstractTest.java
@@ -101,6 +101,7 @@ public abstract class AbstractTest {
     public static final String ORGANISATION_GUID = "ad93daef-0911-e511-80d0-005056956c1a";
     public static final String API_TOKEN_HASH = HashGenerator.generateToken();
     public static final String API_TOKEN_SUPER_USER_HASH = HashGenerator.generateToken();
+    public static final String API_TOKEN_INVITER_USER_HASH = HashGenerator.generateToken();
 
     @Value("${manage.staticManageDirectory}")
     private String staticManageDirectory;
@@ -689,7 +690,9 @@ private void doSeed() {
         APIToken apiToken = new APIToken(ORGANISATION_GUID, HashGenerator.hashToken(API_TOKEN_HASH), false, "Test-token");
         APIToken superUserApiToken = new APIToken(null,
                 HashGenerator.hashToken(API_TOKEN_SUPER_USER_HASH), true, "Test super-user token");
-        doSave(apiTokenRepository, apiToken, superUserApiToken);
+        APIToken userApiToken = new APIToken(HashGenerator.hashToken(API_TOKEN_INVITER_USER_HASH),
+                "Test-user token", inviter);
+        doSave(apiTokenRepository, apiToken, superUserApiToken, userApiToken);
     }
 
     @SafeVarargs
diff --git a/server/src/test/java/invite/api/APITokenControllerTest.java b/server/src/test/java/invite/api/APITokenControllerTest.java
@@ -35,6 +35,23 @@ void apiTokensByInstitution() throws Exception {
         assertEquals(1, tokens.size());
     }
 
+    @Test
+    void apiTokensByUser() throws Exception {
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/me", INVITER_SUB);
+
+        List<APIToken> tokens = given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .header(accessCookieFilter.csrfToken().getHeaderName(), accessCookieFilter.csrfToken().getToken())
+                .contentType(ContentType.JSON)
+                .get("/api/v1/tokens")
+                .as(new TypeRef<>() {
+                });
+        assertEquals(1, tokens.size());
+        assertEquals(INVITER_SUB, tokens.getFirst().getOwner().getSub());
+    }
+
     @Test
     void create() throws Exception {
         super.stubForManageProvidersAllowedByIdP(ORGANISATION_GUID);
@@ -94,7 +111,7 @@ void deleteToken() throws Exception {
         AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/me", INSTITUTION_ADMIN_SUB,
                 institutionalAdminEntitlementOperator(ORGANISATION_GUID));
 
-        assertEquals(2, apiTokenRepository.count());
+        assertEquals(3, apiTokenRepository.count());
 
         given()
                 .when()
@@ -106,7 +123,7 @@ void deleteToken() throws Exception {
                 .delete("/api/v1/tokens/{id}")
                 .then()
                 .statusCode(204);
-        assertEquals(1, apiTokenRepository.count());
+        assertEquals(2, apiTokenRepository.count());
     }
 
     @Test
@@ -162,7 +179,7 @@ void apiTokensBySuperAdmin() throws Exception {
                 .as(new TypeRef<>() {
                 });
 
-        assertEquals(2, tokens.size());
+        assertEquals(3, tokens.size());
         assertEquals(1L, tokens.stream().filter(token -> token.isSuperUserToken()).count());
         assertEquals(1L, tokens.stream().filter(token -> token.getOrganizationGUID() != null).count());
     }
@@ -172,7 +189,7 @@ void deleteSuperUserToken() throws Exception {
         AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", SUPER_SUB);
         APIToken apiToken = apiTokenRepository.findByHashedValue(HashGenerator.hashToken(API_TOKEN_SUPER_USER_HASH)).get();
 
-        assertEquals(2, apiTokenRepository.count());
+        assertEquals(3, apiTokenRepository.count());
 
         given()
                 .when()
@@ -185,7 +202,27 @@ void deleteSuperUserToken() throws Exception {
                 .then()
                 .statusCode(204);
 
-        assertEquals(1, apiTokenRepository.count());
+        assertEquals(2, apiTokenRepository.count());
     }
 
+    @Test
+    void deleteUserToken() throws Exception {
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", INVITER_SUB);
+        APIToken apiToken = apiTokenRepository.findByHashedValue(HashGenerator.hashToken(API_TOKEN_INVITER_USER_HASH)).get();
+
+        assertEquals(3, apiTokenRepository.count());
+
+        given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .header(accessCookieFilter.csrfToken().getHeaderName(), accessCookieFilter.csrfToken().getToken())
+                .contentType(ContentType.JSON)
+                .pathParams("id", apiToken.getId())
+                .delete("/api/v1/tokens/{id}")
+                .then()
+                .statusCode(204);
+
+        assertEquals(2, apiTokenRepository.count());
+    }
 }
diff --git a/server/src/test/java/invite/api/InvitationControllerTest.java b/server/src/test/java/invite/api/InvitationControllerTest.java

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,8 @@ div.mod-tokens {`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`td.trash {`
`55`		`- text-align: center;`
	`55`	`+ text-align: right;`
	`56`	`+ padding-right: 10px;`
`56`	`57`	`}`
`57`	`58`
`58`	`59`