feat: API token management in workspace settings

foundations/core/packages/account-client/src/client.ts

@@ -35,6 +35,8 @@ import {
 import platform, { PlatformError, Severity, Status } from '@hcengineering/platform'
 import type {
   AccountAggregatedInfo,
+  ApiTokenInfo,
+  ApiTokenResult,
   Integration,
   IntegrationKey,
   IntegrationSecret,
@@ -255,6 +257,17 @@ export interface AccountClient {
   getWorkspaceUsersWithPermission: (params: { permission: string }) => Promise<AccountUuid[]>
 
   verify2fa: (code: string) => Promise<LoginInfo>
+  createApiToken: (
+    name: string,
+    workspaceUuid: WorkspaceUuid,
+    expiryDays: number,
+    scopes?: string[]
+  ) => Promise<ApiTokenResult>
+  listApiTokens: () => Promise<ApiTokenInfo[]>
+  revokeApiToken: (tokenId: string) => Promise<void>
+  listWorkspaceApiTokens: (workspaceUuid: WorkspaceUuid) => Promise<ApiTokenInfo[]>
+  revokeWorkspaceApiToken: (tokenId: string, workspaceUuid: WorkspaceUuid) => Promise<void>
+  checkApiTokenRevoked: (apiTokenId: string) => Promise<boolean>
 
   setCookie: () => Promise<void>
   deleteCookie: () => Promise<void>
@@ -1224,6 +1237,65 @@ class AccountClientImpl implements AccountClient {
     await this.rpc(request)
   }
 
+  async createApiToken (
+    name: string,
+    workspaceUuid: WorkspaceUuid,
+    expiryDays: number,
+    scopes?: string[]
+  ): Promise<ApiTokenResult> {
+    const request = {
+      method: 'createApiToken' as const,
+      params: { name, workspaceUuid, expiryDays, scopes }
+    }
+
+    return await this.rpc(request)
+  }
+
+  async listApiTokens (): Promise<ApiTokenInfo[]> {
+    const request = {
+      method: 'listApiTokens' as const,
+      params: {}
+    }
+
+    return await this.rpc(request)
+  }
+
+  async revokeApiToken (tokenId: string): Promise<void> {
+    const request = {
+      method: 'revokeApiToken' as const,
+      params: { tokenId }
+    }
+
+    await this.rpc(request)
+  }
+
+  async listWorkspaceApiTokens (workspaceUuid: WorkspaceUuid): Promise<ApiTokenInfo[]> {
+    const request = {
+      method: 'listWorkspaceApiTokens' as const,
+      params: { workspaceUuid }
+    }
+
+    return await this.rpc(request)
+  }
+
+  async revokeWorkspaceApiToken (tokenId: string, workspaceUuid: WorkspaceUuid): Promise<void> {
+    const request = {
+      method: 'revokeWorkspaceApiToken' as const,
+      params: { tokenId, workspaceUuid }
+    }
+
+    await this.rpc(request)
+  }
+
+  async checkApiTokenRevoked (apiTokenId: string): Promise<boolean> {
+    const request = {
+      method: 'checkApiTokenRevoked' as const,
+      params: { apiTokenId }
+    }
+
+    return await this.rpc(request)
+  }
+
   async setCookie (): Promise<void> {
     const url = concatLink(this.url, '/cookie')
     const response = await fetch(url, { ...this.request, method: 'PUT' })

foundations/core/packages/account-client/src/types.ts

@@ -112,6 +112,23 @@ export interface MailboxInfo {
   appPasswords: string[]
 }
 
+export interface ApiTokenInfo {
+  id: string
+  name: string
+  workspaceUuid: WorkspaceUuid
+  workspaceName: string
+  createdOn: number
+  expiresOn: number
+  revoked: boolean
+  scopes?: string[]
+}
+
+export interface ApiTokenResult {
+  id: string
+  token: string
+  expiresOn: number
+}
+
 export interface MailboxSecret {
   mailbox: string
   app?: string

models/setting/src/index.ts

@@ -440,6 +440,19 @@ export function createModel (builder: Builder): void {
     setting.ids.OfficeSettings
   )
 
+  builder.createDoc(
+    setting.class.WorkspaceSettingCategory,
+    core.space.Model,
+    {
+      name: 'apiTokens',
+      label: setting.string.ApiTokens,
+      icon: setting.icon.ApiToken,
+      component: setting.component.ApiTokens,
+      order: 1050,
+      role: AccountRole.Owner
+    },
+    setting.ids.ApiTokens
+  )
   // Currently remove Support item from settings
   // builder.createDoc(
   //   setting.class.SettingsCategory,

plugins/setting-assets/lang/cs.json

@@ -234,6 +234,47 @@
     "TwoFactorAuthEnabled": "Dvoufaktorové ověřování je povoleno",
     "TwoFactorAuthDisabled": "Dvoufaktorové ověřování je zakázáno",
     "ShowQRCode": "Zobrazit QR kód",
-    "EnterVerificationCode": "Zadejte ověřovací kód"
+    "EnterVerificationCode": "Zadejte ověřovací kód",
+    "ApiBaseUrl": "Base URL",
+    "ApiEndpointAccount": "Get account info",
+    "ApiEndpointFindAll": "Query documents by class",
+    "ApiEndpointFindAllPost": "Query with filters (JSON body)",
+    "ApiEndpointLoadModel": "Load the data model",
+    "ApiEndpointPing": "Health check",
+    "ApiEndpointTx": "Create or update documents",
+    "ApiTokenCopyWarning": "Copy this token now. You won't be able to see it again.",
+    "ApiTokenCreated": "Token created",
+    "ApiTokenExpiry": "Expiration",
+    "ApiTokenName": "Token name",
+    "ApiTokenNoTokens": "No API tokens yet",
+    "ApiTokenRevoke": "Revoke token",
+    "ApiTokenRevokeConfirm": "Are you sure you want to revoke this token? It will no longer be usable for API access.",
+    "ApiTokenWorkspace": "Workspace",
+    "ApiTokens": "API Tokens",
+    "ApiUsageDescription": "Use your API token with the built-in REST API to query and modify workspace data. Pass the token as a Bearer token in the Authorization header.",
+    "ApiUsageTitle": "Using the REST API",
+    "ApiWorkspaceId": "Your workspace ID (UUID) is included in the token. Pass it as :workspaceId in the URL.",
+    "CreateApiToken": "Create token",
+    "Created": "Created",
+    "Expires": "Expires",
+    "Login": "Login",
+    "Primary": "Primary",
+    "TokenStatus": "Status",
+    "ApiTokenStatusActive": "Active",
+    "ApiTokenStatusExpiring": "Expiring",
+    "ApiTokenStatusRevoked": "Revoked",
+    "ApiTokenStatusExpired": "Expired",
+    "ApiTokenExpiry7Days": "7 days",
+    "ApiTokenExpiry30Days": "30 days",
+    "ApiTokenExpiry90Days": "90 days",
+    "ApiTokenExpiry180Days": "180 days",
+    "ApiTokenExpiry365Days": "365 days",
+    "ApiTokenLoadError": "Failed to load API tokens",
+    "ApiTokenCreateError": "Failed to create token. Please try again.",
+    "ApiTokenPermissions": "Permissions",
+    "ApiTokenScopePreset": "Permissions",
+    "ApiTokenScopeReadOnly": "Read Only",
+    "ApiTokenScopeReadWrite": "Read & Write",
+    "ApiTokenScopeFullAccess": "Full Access"
   }
 }

plugins/setting-assets/lang/de.json

@@ -236,6 +236,46 @@
     "TwoFactorAuthEnabled": "Zweistufige Authentifizierung ist aktiviert",
     "TwoFactorAuthDisabled": "Zweistufige Authentifizierung ist deaktiviert",
     "ShowQRCode": "QR-Code anzeigen",
-    "EnterVerificationCode": "Verifizierungscode eingeben"
+    "EnterVerificationCode": "Verifizierungscode eingeben",
+    "ApiBaseUrl": "Base URL",
+    "ApiEndpointAccount": "Get account info",
+    "ApiEndpointFindAll": "Query documents by class",
+    "ApiEndpointFindAllPost": "Query with filters (JSON body)",
+    "ApiEndpointLoadModel": "Load the data model",
+    "ApiEndpointPing": "Health check",
+    "ApiEndpointTx": "Create or update documents",
+    "ApiTokenCopyWarning": "Copy this token now. You won't be able to see it again.",
+    "ApiTokenCreated": "Token created",
+    "ApiTokenExpiry": "Expiration",
+    "ApiTokenName": "Token name",
+    "ApiTokenNoTokens": "No API tokens yet",
+    "ApiTokenRevoke": "Revoke token",
+    "ApiTokenRevokeConfirm": "Are you sure you want to revoke this token? It will no longer be usable for API access.",
+    "ApiTokenWorkspace": "Workspace",
+    "ApiTokens": "API Tokens",
+    "ApiUsageDescription": "Use your API token with the built-in REST API to query and modify workspace data. Pass the token as a Bearer token in the Authorization header.",
+    "ApiUsageTitle": "Using the REST API",
+    "ApiWorkspaceId": "Your workspace ID (UUID) is included in the token. Pass it as :workspaceId in the URL.",
+    "BetaWarning": "Modules labeled as beta are available for experimental purposes and may not be fully functional. We do not recommend relying on beta features for critical work at this time.",
+    "CreateApiToken": "Create token",
+    "Created": "Created",
+    "Expires": "Expires",
+    "TokenStatus": "Status",
+    "ApiTokenStatusActive": "Active",
+    "ApiTokenStatusExpiring": "Expiring",
+    "ApiTokenStatusRevoked": "Revoked",
+    "ApiTokenStatusExpired": "Expired",
+    "ApiTokenExpiry7Days": "7 days",
+    "ApiTokenExpiry30Days": "30 days",
+    "ApiTokenExpiry90Days": "90 days",
+    "ApiTokenExpiry180Days": "180 days",
+    "ApiTokenExpiry365Days": "365 days",
+    "ApiTokenLoadError": "Failed to load API tokens",
+    "ApiTokenCreateError": "Failed to create token. Please try again.",
+    "ApiTokenPermissions": "Permissions",
+    "ApiTokenScopePreset": "Permissions",
+    "ApiTokenScopeReadOnly": "Read Only",
+    "ApiTokenScopeReadWrite": "Read & Write",
+    "ApiTokenScopeFullAccess": "Full Access"
   }
 }

plugins/setting-assets/lang/en.json

@@ -236,6 +236,45 @@
     "TwoFactorAuthEnabled": "Two-factor authentication is enabled",
     "TwoFactorAuthDisabled": "Two-factor authentication is disabled",
     "ShowQRCode": "Show QR code",
-    "EnterVerificationCode": "Enter verification code"
+    "EnterVerificationCode": "Enter verification code",
+    "ApiTokenStatusActive": "Active",
+    "ApiTokenStatusExpiring": "Expiring",
+    "ApiTokenStatusRevoked": "Revoked",
+    "ApiTokenStatusExpired": "Expired",
+    "ApiTokenExpiry7Days": "7 days",
+    "ApiTokenExpiry30Days": "30 days",
+    "ApiTokenExpiry90Days": "90 days",
+    "ApiTokenExpiry180Days": "180 days",
+    "ApiTokenExpiry365Days": "365 days",
+    "ApiTokenLoadError": "Failed to load API tokens",
+    "ApiTokenCreateError": "Failed to create token. Please try again.",
+    "ApiTokens": "API Tokens",
+    "CreateApiToken": "Create token",
+    "ApiTokenName": "Token name",
+    "ApiTokenExpiry": "Expiration",
+    "ApiTokenCreated": "Token created",
+    "ApiTokenRevoke": "Revoke token",
+    "ApiTokenRevokeConfirm": "Are you sure you want to revoke this token? It will no longer be usable for API access.",
+    "ApiTokenCopyWarning": "Copy this token now. You won't be able to see it again.",
+    "ApiTokenNoTokens": "No API tokens yet",
+    "ApiTokenWorkspace": "Workspace",
+    "ApiTokenPermissions": "Permissions",
+    "ApiTokenScopePreset": "Permissions",
+    "ApiTokenScopeReadOnly": "Read Only",
+    "ApiTokenScopeReadWrite": "Read & Write",
+    "ApiTokenScopeFullAccess": "Full Access",
+    "Created": "Created",
+    "Expires": "Expires",
+    "TokenStatus": "Status",
+    "ApiUsageTitle": "Using the REST API",
+    "ApiUsageDescription": "Use your API token with the built-in REST API to query and modify workspace data. Pass the token as a Bearer token in the Authorization header.",
+    "ApiEndpointPing": "Health check",
+    "ApiEndpointFindAll": "Query documents by class",
+    "ApiEndpointFindAllPost": "Query with filters (JSON body)",
+    "ApiEndpointTx": "Create or update documents",
+    "ApiEndpointLoadModel": "Load the data model",
+    "ApiEndpointAccount": "Get account info",
+    "ApiBaseUrl": "Base URL",
+    "ApiWorkspaceId": "Your workspace ID (UUID) is included in the token. Pass it as :workspaceId in the URL."
   }
 }

plugins/setting-assets/lang/es.json

@@ -227,6 +227,54 @@
     "TwoFactorAuthEnabled": "La autenticación de dos factores está habilitada",
     "TwoFactorAuthDisabled": "La autenticación de dos factores está deshabilitada",
     "ShowQRCode": "Mostrar código QR",
-    "EnterVerificationCode": "Introducir código de verificación"
+    "EnterVerificationCode": "Introducir código de verificación",
+    "ApiBaseUrl": "Base URL",
+    "ApiEndpointAccount": "Get account info",
+    "ApiEndpointFindAll": "Query documents by class",
+    "ApiEndpointFindAllPost": "Query with filters (JSON body)",
+    "ApiEndpointLoadModel": "Load the data model",
+    "ApiEndpointPing": "Health check",
+    "ApiEndpointTx": "Create or update documents",
+    "ApiTokenCopyWarning": "Copy this token now. You won't be able to see it again.",
+    "ApiTokenCreated": "Token created",
+    "ApiTokenExpiry": "Expiration",
+    "ApiTokenName": "Token name",
+    "ApiTokenNoTokens": "No API tokens yet",
+    "ApiTokenRevoke": "Revoke token",
+    "ApiTokenRevokeConfirm": "Are you sure you want to revoke this token? It will no longer be usable for API access.",
+    "ApiTokenWorkspace": "Workspace",
+    "ApiTokens": "API Tokens",
+    "ApiUsageDescription": "Use your API token with the built-in REST API to query and modify workspace data. Pass the token as a Bearer token in the Authorization header.",
+    "ApiUsageTitle": "Using the REST API",
+    "ApiWorkspaceId": "Your workspace ID (UUID) is included in the token. Pass it as :workspaceId in the URL.",
+    "CountSpaces": "{count, plural, =0 {No spaces} =1 {# space} other {# spaces}}",
+    "CreateApiToken": "Create token",
+    "Created": "Created",
+    "Description": "Description",
+    "Expires": "Expires",
+    "General": "General",
+    "NewSpaceType": "New space type",
+    "Permissions": "Permissions",
+    "RoleName": "Role name",
+    "Roles": "Roles",
+    "SpaceTypeTitle": "Space type title",
+    "SpaceTypes": "Space types",
+    "TokenStatus": "Status",
+    "ApiTokenStatusActive": "Active",
+    "ApiTokenStatusExpiring": "Expiring",
+    "ApiTokenStatusRevoked": "Revoked",
+    "ApiTokenStatusExpired": "Expired",
+    "ApiTokenExpiry7Days": "7 days",
+    "ApiTokenExpiry30Days": "30 days",
+    "ApiTokenExpiry90Days": "90 days",
+    "ApiTokenExpiry180Days": "180 days",
+    "ApiTokenExpiry365Days": "365 days",
+    "ApiTokenLoadError": "Failed to load API tokens",
+    "ApiTokenCreateError": "Failed to create token. Please try again.",
+    "ApiTokenPermissions": "Permissions",
+    "ApiTokenScopePreset": "Permissions",
+    "ApiTokenScopeReadOnly": "Read Only",
+    "ApiTokenScopeReadWrite": "Read & Write",
+    "ApiTokenScopeFullAccess": "Full Access"
   }
 }

plugins/setting-assets/lang/fr.json

@@ -236,6 +236,45 @@
     "TwoFactorAuthEnabled": "L'authentification à deux facteurs est activée",
     "TwoFactorAuthDisabled": "L'authentification à deux facteurs est désactivée",
     "ShowQRCode": "Afficher le code QR",
-    "EnterVerificationCode": "Entrer le code de vérification"
+    "EnterVerificationCode": "Entrer le code de vérification",
+    "ApiBaseUrl": "Base URL",
+    "ApiEndpointAccount": "Get account info",
+    "ApiEndpointFindAll": "Query documents by class",
+    "ApiEndpointFindAllPost": "Query with filters (JSON body)",
+    "ApiEndpointLoadModel": "Load the data model",
+    "ApiEndpointPing": "Health check",
+    "ApiEndpointTx": "Create or update documents",
+    "ApiTokenCopyWarning": "Copy this token now. You won't be able to see it again.",
+    "ApiTokenCreated": "Token created",
+    "ApiTokenExpiry": "Expiration",
+    "ApiTokenName": "Token name",
+    "ApiTokenNoTokens": "No API tokens yet",
+    "ApiTokenRevoke": "Revoke token",
+    "ApiTokenRevokeConfirm": "Are you sure you want to revoke this token? It will no longer be usable for API access.",
+    "ApiTokenWorkspace": "Workspace",
+    "ApiTokens": "API Tokens",
+    "ApiUsageDescription": "Use your API token with the built-in REST API to query and modify workspace data. Pass the token as a Bearer token in the Authorization header.",
+    "ApiUsageTitle": "Using the REST API",
+    "ApiWorkspaceId": "Your workspace ID (UUID) is included in the token. Pass it as :workspaceId in the URL.",
+    "CreateApiToken": "Create token",
+    "Created": "Created",
+    "Expires": "Expires",
+    "TokenStatus": "Status",
+    "ApiTokenStatusActive": "Active",
+    "ApiTokenStatusExpiring": "Expiring",
+    "ApiTokenStatusRevoked": "Revoked",
+    "ApiTokenStatusExpired": "Expired",
+    "ApiTokenExpiry7Days": "7 days",
+    "ApiTokenExpiry30Days": "30 days",
+    "ApiTokenExpiry90Days": "90 days",
+    "ApiTokenExpiry180Days": "180 days",
+    "ApiTokenExpiry365Days": "365 days",
+    "ApiTokenLoadError": "Failed to load API tokens",
+    "ApiTokenCreateError": "Failed to create token. Please try again.",
+    "ApiTokenPermissions": "Permissions",
+    "ApiTokenScopePreset": "Permissions",
+    "ApiTokenScopeReadOnly": "Read Only",
+    "ApiTokenScopeReadWrite": "Read & Write",
+    "ApiTokenScopeFullAccess": "Full Access"
   }
 }