feat(phase-38): API token management with scoped abilities and expiry

claude · claude · commit 7314404eb34c · 2026-06-19T13:50:18.000Z
- ApiTokenController: list, create, revoke single/all tokens - Supports 11 granular ability scopes (read:invoices, write:products, etc.) - Tokens support optional expires_in days parameter - Routes: /tokens CRUD + /tokens/all bulk revoke - 9 feature tests covering creation, revocation, cross-user isolation Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RdUGwo74JXChRCF88Yu27d
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -169,6 +169,7 @@ beforeEach(function () {
 | 35    | Customer Credit Limits — per-contact limits, hold, check API  | ✅     |
 | 36    | Product Variants REST API — attributes, variants, matrix view | ✅     |
 | 37    | Webhook Management REST API — CRUD, delivery log, ping, HMAC  | ✅     |
+| 38    | API Token Management — named tokens with abilities and expiry | ✅     |
 
 ## File Locations Reference
 
diff --git a/erp/app/Http/Controllers/Api/V1/ApiTokenController.php b/erp/app/Http/Controllers/Api/V1/ApiTokenController.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Laravel\Sanctum\PersonalAccessToken;
+
+class ApiTokenController extends ApiController
+{
+    public static array $validAbilities = [
+        'read:invoices', 'write:invoices',
+        'read:contacts', 'write:contacts',
+        'read:products', 'write:products',
+        'read:reports',
+        'read:hr',
+        'read:purchases', 'write:purchases',
+        'webhooks:manage',
+    ];
+
+    public function index(Request $request): JsonResponse
+    {
+        $tokens = $request->user()
+            ->tokens()
+            ->orderByDesc('created_at')
+            ->get()
+            ->map(fn ($t) => [
+                'id'          => $t->id,
+                'name'        => $t->name,
+                'abilities'   => $t->abilities,
+                'last_used_at' => $t->last_used_at,
+                'expires_at'  => $t->expires_at,
+                'created_at'  => $t->created_at,
+            ]);
+
+        return $this->success($tokens);
+    }
+
+    public function store(Request $request): JsonResponse
+    {
+        $data = $request->validate([
+            'name'       => ['required', 'string', 'max:255'],
+            'abilities'  => ['nullable', 'array'],
+            'abilities.*'=> ['string', 'in:' . implode(',', self::$validAbilities)],
+            'expires_in' => ['nullable', 'integer', 'min:1', 'max:365'],
+        ]);
+
+        $abilities  = $data['abilities'] ?? ['*'];
+        $expiresAt  = isset($data['expires_in'])
+            ? now()->addDays($data['expires_in'])
+            : null;
+
+        $token = $request->user()->createToken(
+            $data['name'],
+            $abilities,
+            $expiresAt,
+        );
+
+        return $this->success([
+            'token'      => $token->plainTextToken,
+            'id'         => $token->accessToken->id,
+            'name'       => $token->accessToken->name,
+            'abilities'  => $token->accessToken->abilities,
+            'expires_at' => $token->accessToken->expires_at,
+        ], 201);
+    }
+
+    public function destroy(Request $request, int $tokenId): JsonResponse
+    {
+        $deleted = $request->user()->tokens()->where('id', $tokenId)->delete();
+
+        if (! $deleted) {
+            return $this->error('Token not found.', 404);
+        }
+
+        return $this->success(['message' => 'Token revoked.']);
+    }
+
+    public function destroyAll(Request $request): JsonResponse
+    {
+        $request->user()->tokens()->delete();
+        return $this->success(['message' => 'All tokens revoked.']);
+    }
+}
diff --git a/erp/routes/api.php b/erp/routes/api.php
@@ -448,6 +448,14 @@
         });
         Route::get('products/{product}/matrix', [\App\Http\Controllers\Api\V1\ProductVariantController::class, 'matrix']);
 
+        // API Token Management
+        Route::prefix('tokens')->group(function () {
+            Route::get('/',           [\App\Http\Controllers\Api\V1\ApiTokenController::class, 'index']);
+            Route::post('/',          [\App\Http\Controllers\Api\V1\ApiTokenController::class, 'store']);
+            Route::delete('/all',     [\App\Http\Controllers\Api\V1\ApiTokenController::class, 'destroyAll']);
+            Route::delete('/{tokenId}', [\App\Http\Controllers\Api\V1\ApiTokenController::class, 'destroy']);
+        });
+
         // Webhook Management
         Route::get('/webhooks/events', [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'events']);
         Route::prefix('webhooks')->group(function () {
diff --git a/erp/tests/Feature/Core/ApiTokenTest.php b/erp/tests/Feature/Core/ApiTokenTest.php
@@ -0,0 +1,105 @@
+<?php
+
+use App\Models\User;
+use App\Modules\Core\Models\Tenant;
+use Database\Seeders\RolePermissionSeeder;
+
+beforeEach(function () {
+    $this->seed(RolePermissionSeeder::class);
+    $this->tenant = Tenant::create(['name' => 'Token Co', 'slug' => 'token-co-' . uniqid()]);
+    $this->user   = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->user->assignRole('super-admin');
+    $this->token  = $this->user->createToken('main')->plainTextToken;
+    app()->instance('tenant', $this->tenant);
+});
+
+test('can list api tokens', function () {
+    $this->user->createToken('Second Token', ['read:invoices']);
+
+    $this->withToken($this->token)
+        ->getJson('/api/v1/tokens')
+        ->assertStatus(200);
+
+    $tokens = $this->withToken($this->token)->getJson('/api/v1/tokens')->json('data');
+    expect(count($tokens))->toBeGreaterThanOrEqual(2);
+});
+
+test('can create an api token with abilities', function () {
+    $this->withToken($this->token)
+        ->postJson('/api/v1/tokens', [
+            'name'      => 'Reporting Token',
+            'abilities' => ['read:invoices', 'read:reports'],
+        ])
+        ->assertStatus(201)
+        ->assertJsonStructure(['data' => ['token', 'id', 'name', 'abilities', 'expires_at']])
+        ->assertJsonPath('data.name', 'Reporting Token');
+});
+
+test('can create a token with expiry', function () {
+    $response = $this->withToken($this->token)
+        ->postJson('/api/v1/tokens', [
+            'name'       => 'Temp Token',
+            'expires_in' => 7,
+        ])
+        ->assertStatus(201);
+
+    $expiresAt = $response->json('data.expires_at');
+    expect($expiresAt)->not->toBeNull();
+});
+
+test('store validates ability names', function () {
+    $this->withToken($this->token)
+        ->postJson('/api/v1/tokens', [
+            'name'      => 'Bad Token',
+            'abilities' => ['hack:everything'],
+        ])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors(['abilities.0']);
+});
+
+test('can revoke a specific token', function () {
+    $newToken = $this->user->createToken('Revoke Me');
+    $tokenId  = $newToken->accessToken->id;
+
+    $this->withToken($this->token)
+        ->deleteJson("/api/v1/tokens/{$tokenId}")
+        ->assertStatus(200);
+
+    expect($this->user->tokens()->where('id', $tokenId)->count())->toBe(0);
+});
+
+test('cannot revoke another users token', function () {
+    $otherUser  = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $otherToken = $otherUser->createToken('Other Token');
+    $tokenId    = $otherToken->accessToken->id;
+
+    $this->withToken($this->token)
+        ->deleteJson("/api/v1/tokens/{$tokenId}")
+        ->assertStatus(404);
+});
+
+test('can revoke all tokens', function () {
+    $this->user->createToken('Token A');
+    $this->user->createToken('Token B');
+
+    $this->withToken($this->token)
+        ->deleteJson('/api/v1/tokens/all')
+        ->assertStatus(200);
+
+    expect($this->user->tokens()->count())->toBe(0);
+});
+
+test('token with wildcard ability works as full access', function () {
+    $response = $this->withToken($this->token)
+        ->postJson('/api/v1/tokens', [
+            'name' => 'Full Access',
+        ])
+        ->assertStatus(201);
+
+    $abilities = $response->json('data.abilities');
+    expect($abilities)->toContain('*');
+});
+
+test('requires authentication', function () {
+    $this->getJson('/api/v1/tokens')->assertStatus(401);
+});
