feat: personal API tokens for Bearer auth (list/create/revoke + Profile UI).

Tokens use a fixed jwk_ prefix so the auth path can branch on shape without
probing the DB; plaintext is shown exactly once on create, only SHA-256 is
stored. Viewers can't mint tokens (no use for them), and tokens can't mint
other tokens (prevents a stolen one from outliving its revocation).

Also refreshes CLAUDE.md with prior undocumented features (SSO, base_version,
AI chat) alongside the new API-token surface.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: PttCodingMan

CLAUDE.md

@@ -36,18 +36,23 @@ cd frontend && npm test -- src/path/to/file.test.jsx
 ### Backend (`backend/app/`)
 
 - **Framework**: FastAPI (async), aiosqlite for SQLite access (WAL mode)
-- **Entry**: `main.py` — app creation, CORS, lifespan hooks, router mounting
-- **Auth**: `auth.py` — JWT tokens in httpOnly cookies, bcrypt passwords, rate-limited login
+- **Entry**: `main.py` — app creation, CORS, lifespan hooks, router mounting, origin-based CSRF middleware
+- **Auth**: `auth.py` — issues and verifies credentials across three paths:
+  - **Cookie session** (web UI): JWT in httpOnly `token` cookie, bcrypt passwords, rate-limited login
+  - **Bearer API token** (`Authorization: Bearer jwk_…`): hashed SHA-256 on store, plaintext returned once at creation, revocable; managed via `routers/tokens.py`
+  - **SSO**: OIDC (Google/GitHub/generic, PKCE, authlib state stored in signed session cookie) via `routers/oauth_router.py` + `services/oidc.py`; LDAP via `services/ldap_auth.py`; invitation-only mode gates first-time signup
+  - **CSRF**: origin/referer check in `main.py` for mutating cookie-auth requests; Bearer-token and login/logout paths are exempt
 - **Config**: `config.py` — Pydantic Settings reading from `.env`
-- **Database**: `database.py` — schema DDL, migrations, FTS5 search index setup
-- **Routers**: One file per domain — `pages.py`, `search.py`, `media.py`, `versions.py`, `tags.py`, `templates.py`, `users.py`, `diagrams.py`, `comments.py`, `bookmarks.py`, `activity.py`, `backup.py`, `export.py`, `auth_router.py`, `trash.py`, `notifications.py`, `watch.py`, `public.py`, `dashboard.py`, `acl.py`, `groups.py`
-- **Services**: `search.py` (FTS5 indexing, CJK segmentation), `wikilink.py` (backlink tracking), `acl.py` (permission resolution — single source of truth, routers must use these helpers), `media_ref.py` (tracks which pages reference each media file), `diagram_ref.py`, `notifications.py` (fan-out to watchers on page events)
+- **Schemas**: `schemas.py` — shared Pydantic request/response models
+- **Database**: `database.py` — schema DDL and FTS5 search index setup; startup-time migrations live in `migrations.py` and record applied versions in the `schema_migrations` ledger so each migration runs once per DB
+- **Routers**: One file per domain — `pages.py`, `search.py`, `media.py`, `versions.py`, `tags.py`, `templates.py`, `users.py`, `diagrams.py`, `comments.py`, `bookmarks.py`, `activity.py`, `backup.py`, `export.py`, `auth_router.py`, `oauth_router.py`, `tokens.py`, `trash.py`, `notifications.py`, `watch.py`, `public.py`, `dashboard.py`, `acl.py`, `groups.py`, `ai.py`
+- **Services**: `search.py` (FTS5 indexing, CJK segmentation), `wikilink.py` (backlink tracking), `acl.py` (permission resolution — single source of truth, routers must use these helpers), `media_ref.py` (tracks which pages reference each media file), `diagram_ref.py`, `notifications.py` (fan-out to watchers on page events), `oidc.py` (OIDC client + provider config), `ldap_auth.py` (LDAP bind + attribute mapping)
 - **Deps**: Python 3.11+, managed with `uv`
 
 ### Frontend (`frontend/src/`)
 
 - **Framework**: React 19, Vite 8, Tailwind CSS 4
-- **State**: Zustand stores in `store/` — one per domain (useAuth, usePages, useTags, useBookmarks, useTheme, useSearch, useActivity, useNotifications, usePermissions, useGroups)
+- **State**: Zustand stores in `store/` — one per domain (useAuth, usePages, useTags, useBookmarks, useTheme, useSearch, useActivity, useNotifications, usePermissions, useGroups, useChat)
 - **API client**: `api/client.js` — Axios instance with interceptors, 401 redirect to login
 - **Routing**: React Router v7 in `App.jsx`, PrivateRoute wrapper for auth
 - **Keyboard shortcuts**: `hooks/useKeyboard.jsx` (Ctrl+E edit, Ctrl+K search, etc.)
@@ -66,7 +71,11 @@ Key tables: `users`, `pages` (with `parent_id` hierarchy and `slug` URL), `page_
 
 Pages use **soft-delete** (`deleted_at` column) — `DELETE /api/pages/{slug}` sets `deleted_at` rather than removing the row. Trash endpoints (`/api/trash`) handle list/restore/purge. Restore re-indexes FTS and re-parses backlinks.
 
-Schema auto-migrates on startup in `database.py`.
+Schema auto-migrates on startup — DDL lives in `database.py`, versioned migrations in `migrations.py`, and the `schema_migrations` ledger records which versions have run. Also relevant: `api_tokens` (token_hash, prefix, expires_at, revoked_at, last_used) backs personal API tokens.
+
+### Optimistic locking on page edits
+
+`PUT /api/pages/{slug}` **requires a `base_version`** in the body whenever `content` or `title` changes. If it doesn't match the current `pages.version`, the server returns **409** with `{"error": "base_version_stale" | "base_version_required", "your_version": …, "current_version": …}` so clients can resolve the conflict rather than silently clobbering a concurrent edit. New clients must send `base_version` — don't add a fallback.
 
 ### Wikilinks
 
@@ -76,12 +85,15 @@ Format: `[[slug]]` or `[[slug|display text]]`. Parsed on both backend (backlink
 
 All endpoints under `/api/`. Vite dev server proxies `/api` to `localhost:8000`. Key routes:
 
-- Pages CRUD: `/api/pages`, `/api/pages/{slug}`, `/api/pages/tree`, `/api/pages/graph`
+- Pages CRUD: `/api/pages`, `/api/pages/{slug}`, `/api/pages/tree`, `/api/pages/graph` (content/title edits require `base_version`)
 - Versions: `/api/pages/{slug}/versions`, `/api/pages/{slug}/diff/{v1}/{v2}`
 - Permission check: `GET /api/pages/{slug}/my-permission` → `{permission: 'admin'|'write'|'read'|'none'}`
 - Search: `/api/search?q=...`
 - Media upload: `POST /api/media/upload` (20MB limit)
 - Auth: `/api/auth/login`, `/api/auth/me`
+- API tokens: `GET/POST/DELETE /api/auth/tokens` — personal Bearer tokens (plaintext returned only on create)
+- SSO: `GET /api/auth/providers`, `GET /api/auth/oauth/{provider}/login`, `GET /api/auth/oauth/{provider}/callback`
+- AI chat: `/api/ai/*` — RAG over the wiki, scoped to the caller's ACL (only pages they can read are retrievable)
 - ACL: `/api/acl/pages/{page_id}` (GET/PUT page-level access rules)
 - Groups: `/api/groups` (admin-only CRUD + membership)
 - Trash: `/api/trash` (list/restore/purge soft-deleted pages)

backend/app/auth.py

@@ -1,3 +1,4 @@
+import hashlib
 from datetime import datetime, timedelta, timezone
 from fastapi import Depends, HTTPException, status, Request
 from jose import JWTError, jwt
@@ -9,6 +10,23 @@
 ALGORITHM = "HS256"
 TOKEN_EXPIRE_HOURS = 24
 
+# Personal API tokens use a fixed prefix so the auth path can branch on
+# token shape alone — no need to probe the DB for every request. 32 random
+# bytes (urlsafe-base64, ≈43 chars) give >128 bits of entropy, which is
+# comfortably larger than the HMAC secret for a forged JWT.
+API_TOKEN_PREFIX = "jwk_"
+API_TOKEN_DISPLAY_PREFIX_LEN = 12  # "jwk_" + 8 chars shown in the UI
+
+
+def hash_api_token(token: str) -> str:
+    """Return the canonical hash we store in api_tokens.token_hash.
+
+    Plain SHA-256 is fine here: the input is already 32 bytes of
+    cryptographic randomness, so a slow KDF would only add latency without
+    raising the bar for an attacker who's already stolen the DB.
+    """
+    return hashlib.sha256(token.encode()).hexdigest()
+
 
 def hash_password(password: str) -> str:
     return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
@@ -29,6 +47,57 @@ def create_token(user_id: int, username: str, role: str) -> str:
     return jwt.encode(payload, settings.SECRET_KEY, algorithm=ALGORITHM)
 
 
+async def _resolve_api_token(token: str) -> dict | None:
+    """Look up a personal API token and return the owning user dict, or None.
+
+    Bumps `last_used` on hit. Rejects tokens that are revoked or past their
+    `expires_at`; both paths simply return None so the caller emits a single
+    generic 401 rather than leaking token state.
+    """
+    db = await get_db()
+    rows = await db.execute_fetchall(
+        """SELECT t.id, t.expires_at, t.revoked_at,
+                  u.id AS user_id, u.username, u.role, u.display_name, u.email,
+                  u.deleted_at
+           FROM api_tokens t
+           JOIN users u ON u.id = t.user_id
+           WHERE t.token_hash = ?""",
+        (hash_api_token(token),),
+    )
+    if not rows:
+        return None
+    row = dict(rows[0])
+    if row["deleted_at"] is not None or row["revoked_at"] is not None:
+        return None
+    if row["expires_at"] is not None:
+        # SQLite stores these as strings; parse tolerantly so 'YYYY-MM-DD HH:MM:SS'
+        # and ISO8601 both round-trip. A naive datetime is interpreted as UTC,
+        # matching how create-token writes it below.
+        try:
+            exp = datetime.fromisoformat(str(row["expires_at"]).replace(" ", "T"))
+        except ValueError:
+            exp = None
+        if exp is not None:
+            if exp.tzinfo is None:
+                exp = exp.replace(tzinfo=timezone.utc)
+            if exp <= datetime.now(timezone.utc):
+                return None
+
+    await db.execute(
+        "UPDATE api_tokens SET last_used = CURRENT_TIMESTAMP WHERE id = ?",
+        (row["id"],),
+    )
+    await db.commit()
+
+    return {
+        "id": row["user_id"],
+        "username": row["username"],
+        "role": row["role"],
+        "display_name": row["display_name"],
+        "email": row["email"],
+    }
+
+
 async def get_current_user(request: Request):
     token = None
 
@@ -47,6 +116,17 @@ async def get_current_user(request: Request):
             detail="Not authenticated",
         )
 
+    # Personal API tokens are distinguished by a fixed prefix so we don't
+    # have to guess-and-fall-back. Anything else must parse as a JWT.
+    if token.startswith(API_TOKEN_PREFIX):
+        user = await _resolve_api_token(token)
+        if user is None:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid token",
+            )
+        return user
+
     try:
         payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[ALGORITHM])
         user_id = int(payload["sub"])

backend/app/main.py

@@ -10,7 +10,7 @@
 from app.config import settings
 from app.database import init_db, close_db, seed_welcome_page, get_db
 from app.auth import ensure_admin_exists
-from app.routers import auth_router, oauth_router, pages, media, templates, search, tags, activity, bookmarks, versions, diagrams, users, comments, backup, export, trash, notifications, watch, public, dashboard, acl, groups, ai
+from app.routers import auth_router, oauth_router, pages, media, templates, search, tags, activity, bookmarks, versions, diagrams, users, comments, backup, export, trash, notifications, watch, public, dashboard, acl, groups, ai, tokens
 
 logger = logging.getLogger("justwiki")
 
@@ -179,6 +179,7 @@ def _origin_of(url: str | None) -> str | None:
 app.include_router(acl.router)
 app.include_router(groups.router)
 app.include_router(ai.router)
+app.include_router(tokens.router)
 
 
 @app.get("/api/health")

backend/app/routers/tokens.py

@@ -0,0 +1,167 @@
+"""Personal API token management.
+
+Endpoints let the authenticated user list, create, and revoke their own
+tokens. Tokens inherit the owner's role and ACLs — there is no finer-grained
+scoping. Plaintext is shown **once** on creation and never stored; only the
+SHA-256 hash lives in the DB. A revoked token keeps its row so that the
+audit trail (and any `last_used` timestamp) survives.
+
+Viewers can't create tokens because a viewer can't do anything with one
+either. Revoking and listing stay available to every authenticated user.
+"""
+
+import secrets
+from datetime import datetime, timedelta, timezone
+from typing import Optional
+
+from fastapi import APIRouter, Depends, HTTPException, Request
+from pydantic import BaseModel, Field
+
+from app.auth import (
+    API_TOKEN_DISPLAY_PREFIX_LEN,
+    API_TOKEN_PREFIX,
+    get_current_user,
+    hash_api_token,
+)
+from app.database import get_db
+from app.routers.activity import log_activity
+
+router = APIRouter(prefix="/api/auth/tokens", tags=["tokens"])
+
+# Default lifetime for a new token. Callers can override down to 1 or up to
+# 365 days, or pass 0 to mean "never expires". The cap stops a token from
+# silently outliving the user that created it.
+_DEFAULT_EXPIRES_DAYS = 30
+_MAX_EXPIRES_DAYS = 365
+
+
+class TokenCreate(BaseModel):
+    name: str = Field(min_length=1, max_length=100)
+    expires_in_days: Optional[int] = Field(
+        default=_DEFAULT_EXPIRES_DAYS,
+        ge=0,
+        le=_MAX_EXPIRES_DAYS,
+        description="0 = never expires",
+    )
+
+
+class TokenResponse(BaseModel):
+    id: int
+    name: str
+    prefix: Optional[str] = None
+    created_at: Optional[str] = None
+    last_used: Optional[str] = None
+    expires_at: Optional[str] = None
+    revoked_at: Optional[str] = None
+
+
+class TokenCreateResponse(TokenResponse):
+    token: str  # plaintext — shown exactly once
+
+
+def _generate_plaintext() -> str:
+    """Return a fresh `jwk_<random>` token string.
+
+    32 bytes of randomness encoded urlsafe-b64 (no padding) comes out to
+    ≈43 chars, which fits comfortably in a header alongside the 4-char
+    prefix.
+    """
+    body = secrets.token_urlsafe(32).rstrip("=")
+    return f"{API_TOKEN_PREFIX}{body}"
+
+
+@router.get("", response_model=list[TokenResponse])
+async def list_tokens(user=Depends(get_current_user)):
+    """List the caller's own tokens (plaintext is not included)."""
+    db = await get_db()
+    rows = await db.execute_fetchall(
+        """SELECT id, name, prefix, created_at, last_used, expires_at, revoked_at
+           FROM api_tokens
+           WHERE user_id = ?
+           ORDER BY revoked_at IS NOT NULL, created_at DESC""",
+        (user["id"],),
+    )
+    return [dict(r) for r in rows]
+
+
+@router.post("", response_model=TokenCreateResponse, status_code=201)
+async def create_token(
+    body: TokenCreate,
+    request: Request,
+    user=Depends(get_current_user),
+):
+    # Refuse if the caller authenticated using an API token themselves.
+    # Otherwise a stolen token could be used to mint a replacement that
+    # outlives the victim revoking the original.
+    auth_header = request.headers.get("Authorization", "")
+    if auth_header.startswith(f"Bearer {API_TOKEN_PREFIX}"):
+        raise HTTPException(
+            status_code=403,
+            detail="API tokens cannot create other API tokens; sign in as the user",
+        )
+
+    if user.get("role") == "viewer":
+        raise HTTPException(
+            status_code=403, detail="Viewers cannot create API tokens"
+        )
+
+    plaintext = _generate_plaintext()
+    prefix = plaintext[:API_TOKEN_DISPLAY_PREFIX_LEN]
+    expires_at: Optional[str] = None
+    if body.expires_in_days and body.expires_in_days > 0:
+        exp = datetime.now(timezone.utc) + timedelta(days=body.expires_in_days)
+        # Store in the same textual shape SQLite uses for CURRENT_TIMESTAMP so
+        # the resolver can parse both rows written here and any legacy rows
+        # written by CURRENT_TIMESTAMP defaults without branching.
+        expires_at = exp.strftime("%Y-%m-%d %H:%M:%S")
+
+    db = await get_db()
+    cursor = await db.execute(
+        """INSERT INTO api_tokens (user_id, name, token_hash, prefix, expires_at)
+           VALUES (?, ?, ?, ?, ?)""",
+        (user["id"], body.name, hash_api_token(plaintext), prefix, expires_at),
+    )
+    token_id = cursor.lastrowid
+    await log_activity(
+        db, user["id"], "created", "api_token", token_id,
+        {"name": body.name, "expires_at": expires_at},
+    )
+    await db.commit()
+
+    rows = await db.execute_fetchall(
+        """SELECT id, name, prefix, created_at, last_used, expires_at, revoked_at
+           FROM api_tokens WHERE id = ?""",
+        (token_id,),
+    )
+    result = dict(rows[0])
+    result["token"] = plaintext
+    return result
+
+
+@router.delete("/{token_id}", status_code=204)
+async def revoke_token(token_id: int, user=Depends(get_current_user)):
+    """Revoke one of the caller's tokens. Already-revoked is a no-op.
+
+    The row stays in place so the audit log entry still has a target.
+    """
+    db = await get_db()
+    rows = await db.execute_fetchall(
+        "SELECT id, user_id, name, revoked_at FROM api_tokens WHERE id = ?",
+        (token_id,),
+    )
+    if not rows or rows[0]["user_id"] != user["id"]:
+        # Treat cross-user probes as "not found" so an attacker can't
+        # enumerate someone else's token ids.
+        raise HTTPException(status_code=404, detail="Token not found")
+    if rows[0]["revoked_at"] is not None:
+        return
+
+    await db.execute(
+        "UPDATE api_tokens SET revoked_at = CURRENT_TIMESTAMP WHERE id = ?",
+        (token_id,),
+    )
+    await log_activity(
+        db, user["id"], "revoked", "api_token", token_id,
+        {"name": rows[0]["name"]},
+    )
+    await db.commit()