fix: Fix api_keys path, cleanup unused fields (#29)

saucam · web-flow · commit e663da867e5a · 2026-03-25T16:38:29.000+08:00
* fix: Fix api_keys path, cleanup unused fields

* fix: Review comment
diff --git a/domain/apikey.go b/domain/apikey.go
@@ -36,6 +36,7 @@ type APIKey struct {
 	IdentityID         string          `bun:"identity_id,type:uuid"    json:"identity_id"`
 	CreatedBy          string          `bun:"created_by"               json:"created_by"`
 	Scopes             []string        `bun:"scopes,array"             json:"scopes"`
+	Product            string          `bun:"product"                  json:"product"`
 	Environment        string          `bun:"environment"              json:"environment"`
 	ExpiresAt          *time.Time      `bun:"expires_at"               json:"expires_at,omitempty"`
 	State              string          `bun:"state"                    json:"state"`
diff --git a/domain/token.go b/domain/token.go
@@ -79,9 +79,6 @@ type OAuthClient struct {
 	GrantTypes   []string  `bun:"grant_types,array" json:"grant_types"`
 	RedirectURIs []string  `bun:"redirect_uris,array" json:"redirect_uris"`
 	Scopes       []string  `bun:"scopes,array"      json:"scopes"`
-	// IsMCP marks MCP clients — they receive short-lived (1h) access tokens
-	// plus a rotating refresh token instead of the 90-day CLI token.
-	IsMCP        bool      `bun:"is_mcp"            json:"is_mcp"`
 	IsActive     bool      `bun:"is_active"         json:"is_active"`
 	CreatedAt    time.Time `bun:"created_at"        json:"created_at"`
 	UpdatedAt    time.Time `bun:"updated_at"        json:"updated_at"`
diff --git a/internal/handler/apikey.go b/internal/handler/apikey.go
@@ -20,6 +20,7 @@ type CreateAPIKeyInput struct {
 		Name          string          `json:"name" required:"true" minLength:"1" doc:"Human-readable key name"`
 		Description   string          `json:"description,omitempty" doc:"Key description"`
 		IdentityID    string          `json:"identity_id,omitempty" doc:"Optional identity link"`
+		Product       string          `json:"product,omitempty" doc:"Product namespace for key scoping"`
 		Scopes        []string        `json:"scopes,omitempty" doc:"Allowed scopes"`
 		Environment   string          `json:"environment,omitempty" enum:"live,test" doc:"Environment (default: live)"`
 		ExpiresInDays *int            `json:"expires_in_days,omitempty" doc:"Expiry in days (nil = never)"`
@@ -40,8 +41,11 @@ type APIKeyOutput struct {
 }
 
 type APIKeyListInput struct {
-	Page  int `query:"page" default:"1" doc:"Page number"`
-	Limit int `query:"limit" default:"20" doc:"Items per page (max 100)"`
+	Product       string `query:"product" doc:"Filter by product namespace"`
+	ApplicationID string `query:"application_id" doc:"Filter by application identity ID"`
+	Label         string `query:"label" doc:"Filter by identity label (key:value, e.g. env:production)"`
+	Page          int    `query:"page" default:"1" doc:"Page number"`
+	Limit         int    `query:"limit" default:"20" doc:"Items per page (max 100)"`
 }
 
 type APIKeyListOutput struct {
@@ -118,6 +122,7 @@ func (a *API) createAPIKeyOp(ctx context.Context, input *CreateAPIKeyInput) (*Cr
 		Name:          input.Body.Name,
 		Description:   input.Body.Description,
 		IdentityID:    input.Body.IdentityID,
+		Product:       input.Body.Product,
 		Scopes:        input.Body.Scopes,
 		Environment:   input.Body.Environment,
 		ExpiresInDays: input.Body.ExpiresInDays,
@@ -150,7 +155,7 @@ func (a *API) listAPIKeysOp(ctx context.Context, input *APIKeyListInput) (*APIKe
 		return nil, huma.Error401Unauthorized("missing tenant context")
 	}
 
-	keys, total, err := a.apiKeySvc.ListKeys(ctx, tenant.AccountID, tenant.ProjectID, "", "", input.Page, input.Limit)
+	keys, total, err := a.apiKeySvc.ListKeys(ctx, tenant.AccountID, tenant.ProjectID, input.ApplicationID, input.Product, input.Label, input.Page, input.Limit)
 	if err != nil {
 		log.Error().Err(err).Msg("failed to list API keys")
 		return nil, huma.Error500InternalServerError("failed to list API keys")
@@ -159,6 +164,7 @@ func (a *API) listAPIKeysOp(ctx context.Context, input *APIKeyListInput) (*APIKe
 	if keys == nil {
 		keys = []*domain.APIKey{}
 	}
+
 	out := &APIKeyListOutput{}
 	out.Body.Keys = keys
 	out.Body.Total = total
diff --git a/internal/service/apikey.go b/internal/service/apikey.go
@@ -42,6 +42,7 @@ type CreateAPIKeyRequest struct {
 	Description        string
 	IdentityID         string
 	CredentialPolicyID string // Optional — if empty, the tenant's default policy is assigned.
+	Product            string
 	Scopes             []string
 	Environment        string
 	ExpiresInDays      *int
@@ -63,9 +64,20 @@ type CreateAPIKeyResponse struct {
 
 // CreateKey generates a new API key, hashes it, stores the hash, and returns the full key once.
 // Every key is linked to an identity and assigned a credential policy.
-// If IdentityID is empty, no identity link is set.
+// If IdentityID is empty and Product is set, a service identity is auto-provisioned
+// (or reused if one already exists for this account+project+product).
 // If CredentialPolicyID is empty, the tenant's default policy is auto-created and assigned.
 func (s *APIKeyService) CreateKey(ctx context.Context, req CreateAPIKeyRequest) (*CreateAPIKeyResponse, error) {
+	// Ensure every key has an identity link.
+	// When no identity is provided, auto-provision a service identity for the product.
+	if req.IdentityID == "" && req.Product != "" {
+		identity, err := s.identitySvc.EnsureServiceIdentity(ctx, req.AccountID, req.ProjectID, req.Product, req.CreatedBy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to ensure service identity for product %s: %w", req.Product, err)
+		}
+		req.IdentityID = identity.ID
+	}
+
 	// Ensure the key has a credential policy.
 	policyID := req.CredentialPolicyID
 	if policyID == "" {
@@ -114,6 +126,7 @@ func (s *APIKeyService) CreateKey(ctx context.Context, req CreateAPIKeyRequest)
 		IdentityID:         req.IdentityID,
 		CreatedBy:          req.CreatedBy,
 		CredentialPolicyID: policyID,
+		Product:            req.Product,
 		Scopes:             scopes,
 		Environment:        env,
 		ExpiresAt:          expiresAt,
@@ -145,7 +158,7 @@ func (s *APIKeyService) CreateKey(ctx context.Context, req CreateAPIKeyRequest)
 }
 
 // ListKeys returns paginated API keys for an account/project.
-func (s *APIKeyService) ListKeys(ctx context.Context, accountID, projectID, applicationID, product string, page, limit int) ([]*domain.APIKey, int, error) {
+func (s *APIKeyService) ListKeys(ctx context.Context, accountID, projectID, applicationID, product, label string, page, limit int) ([]*domain.APIKey, int, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -154,7 +167,7 @@ func (s *APIKeyService) ListKeys(ctx context.Context, accountID, projectID, appl
 	}
 	offset := (page - 1) * limit
 
-	return s.repo.ListByAccountProject(ctx, accountID, projectID, applicationID, product, limit, offset)
+	return s.repo.ListByAccountProject(ctx, accountID, projectID, applicationID, product, label, limit, offset)
 }
 
 // GetKey returns an API key by ID.
diff --git a/internal/store/postgres/apikey.go b/internal/store/postgres/apikey.go
@@ -2,7 +2,9 @@ package postgres
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/uptrace/bun"
@@ -68,25 +70,36 @@ func (r *APIKeyRepository) GetByID(ctx context.Context, id string) (*domain.APIK
 }
 
 // ListByAccountProject returns paginated API keys for an account/project,
-// optionally filtered by application ID.
-func (r *APIKeyRepository) ListByAccountProject(ctx context.Context, accountID, projectID, applicationID, product string, limit, offset int) ([]*domain.APIKey, int, error) {
+// optionally filtered by application ID, product, or identity label.
+// The label parameter accepts "key:value" format (e.g. "env:production")
+// and filters by joining on the identities table using JSONB containment.
+func (r *APIKeyRepository) ListByAccountProject(ctx context.Context, accountID, projectID, applicationID, product, label string, limit, offset int) ([]*domain.APIKey, int, error) {
 	var keys []*domain.APIKey
 
 	q := r.db.NewSelect().
 		Model(&keys).
-		Where("account_id = ?", accountID).
-		OrderExpr("created_at DESC").
+		Where("sk.account_id = ?", accountID).
+		OrderExpr("sk.created_at DESC").
 		Limit(limit).
 		Offset(offset)
 
 	if projectID != "" {
-		q = q.Where("project_id = ?", projectID)
+		q = q.Where("sk.project_id = ?", projectID)
 	}
 	if applicationID != "" {
-		q = q.Where("identity_id = ?", applicationID)
+		q = q.Where("sk.identity_id = ?", applicationID)
 	}
 	if product != "" {
-		q = q.Where("product = ?", product)
+		q = q.Where("sk.product = ?", product)
+	}
+	if label != "" {
+		parts := strings.SplitN(label, ":", 2)
+		if len(parts) == 2 && parts[0] != "" {
+			labelJSON, _ := json.Marshal(map[string]string{parts[0]: parts[1]})
+
+			q = q.Join("JOIN identities AS i ON i.id = sk.identity_id").
+				Where("i.labels @> ?::jsonb", string(labelJSON))
+		}
 	}
 
 	count, err := q.ScanAndCount(ctx)
diff --git a/internal/store/postgres/identity.go b/internal/store/postgres/identity.go
@@ -2,6 +2,7 @@ package postgres
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"strings"
 
@@ -91,7 +92,8 @@ func (r *IdentityRepository) List(ctx context.Context, accountID, projectID stri
 		if len(parts) != 2 || parts[0] == "" {
 			return nil, fmt.Errorf("invalid label format: expected non-empty-key:value, got %q", label)
 		}
-		q = q.Where("labels @> ?::jsonb", fmt.Sprintf(`{"%s": "%s"}`, parts[0], parts[1]))
+		labelJSON, _ := json.Marshal(map[string]string{parts[0]: parts[1]})
+		q = q.Where("labels @> ?::jsonb", string(labelJSON))
 	}
 
 	if err := q.Scan(ctx); err != nil {
diff --git a/migrations/001_init_schema.up.sql b/migrations/001_init_schema.up.sql
@@ -145,7 +145,6 @@ CREATE TABLE IF NOT EXISTS refresh_tokens (
     token_hash  TEXT NOT NULL UNIQUE,
     client_id   TEXT NOT NULL,
     account_id  VARCHAR(255) NOT NULL,
-    gateway_id  TEXT DEFAULT '',
     project_id  VARCHAR(255) DEFAULT '',
     user_id     TEXT NOT NULL,
     identity_id UUID REFERENCES identities(id) ON DELETE SET NULL,
diff --git a/migrations/006_service_keys.up.sql b/migrations/006_service_keys.up.sql
@@ -25,9 +25,6 @@ CREATE TABLE IF NOT EXISTS service_keys (
     last_used_at    TIMESTAMPTZ,
     last_used_ip    TEXT DEFAULT '',
     usage_count     BIGINT NOT NULL DEFAULT 0,
-    gateway_id      TEXT DEFAULT '',
-    user_email      TEXT DEFAULT '',
-    user_name       TEXT DEFAULT '',
     metadata        JSONB DEFAULT '{}',
     ip_allowlist    TEXT[] DEFAULT '{}',
     credential_policy_id UUID REFERENCES credential_policies(id),
diff --git a/migrations/007_oauth_clients_is_mcp.down.sql b/migrations/007_oauth_clients_is_mcp.down.sql
diff --git a/migrations/007_oauth_clients_is_mcp.up.sql b/migrations/007_oauth_clients_is_mcp.up.sql
diff --git a/tests/integration/apikey_test.go b/tests/integration/apikey_test.go
@@ -0,0 +1,66 @@
+package integration_test
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAPIKeyProductFilter(t *testing.T) {
+	// Create keys with different products — no identity_id needed.
+	// EnsureServiceIdentity auto-provisions a service identity per product.
+	headers := adminHeaders()
+	headers["X-User-ID"] = "test-user"
+
+	respA := post(t, "/api/v1/api-keys", map[string]any{
+		"name":    "analytics-key",
+		"product": "analytics",
+	}, headers)
+	require.Equal(t, http.StatusCreated, respA.StatusCode)
+
+	respB := post(t, "/api/v1/api-keys", map[string]any{
+		"name":    "monitoring-key",
+		"product": "monitoring",
+	}, headers)
+	require.Equal(t, http.StatusCreated, respB.StatusCode)
+
+	// Second analytics key — should reuse the same service identity.
+	respC := post(t, "/api/v1/api-keys", map[string]any{
+		"name":    "analytics-key-2",
+		"product": "analytics",
+	}, headers)
+	require.Equal(t, http.StatusCreated, respC.StatusCode)
+
+	// Filter by product=analytics — should return 2 keys sharing the same identity.
+	resp := get(t, "/api/v1/api-keys?product=analytics", adminHeaders())
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	body := decode(t, resp)
+	keys := body["keys"].([]any)
+	assert.Equal(t, 2, len(keys), "should return exactly 2 analytics keys")
+
+	for _, k := range keys {
+		m := k.(map[string]any)
+		assert.Equal(t, "analytics", m["product"], "should only return analytics keys")
+	}
+
+	id1 := keys[0].(map[string]any)["identity_id"].(string)
+	id2 := keys[1].(map[string]any)["identity_id"].(string)
+	assert.Equal(t, id1, id2, "both analytics keys should share the same service identity")
+
+	// Filter by product=monitoring — should return 1 key.
+	resp = get(t, "/api/v1/api-keys?product=monitoring", adminHeaders())
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	body = decode(t, resp)
+	keys = body["keys"].([]any)
+	assert.Equal(t, 1, len(keys), "should return exactly 1 monitoring key")
+	assert.Equal(t, "monitoring", keys[0].(map[string]any)["product"])
+
+	// No filter — returns all keys (at least 3 from this test + any from other tests).
+	resp = get(t, "/api/v1/api-keys", adminHeaders())
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	body = decode(t, resp)
+	allKeys := body["keys"].([]any)
+	assert.GreaterOrEqual(t, len(allKeys), 3, "should return at least all three created keys")
+}

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ package postgres`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
	`5`	`+ "encoding/json"`
`5`	`6`	`"fmt"`
`6`	`7`	`"strings"`
`7`	`8`
`@@ -91,7 +92,8 @@ func (r *IdentityRepository) List(ctx context.Context, accountID, projectID stri`
`91`	`92`	`if len(parts) != 2 \|\| parts[0] == "" {`
`92`	`93`	`return nil, fmt.Errorf("invalid label format: expected non-empty-key:value, got %q", label)`
`93`	`94`	`}`
`94`		- q = q.Where("labels @> ?::jsonb", fmt.Sprintf(`{"%s": "%s"}`, parts[0], parts[1]))
	`95`	`+ labelJSON, _ := json.Marshal(map[string]string{parts[0]: parts[1]})`
	`96`	`+ q = q.Where("labels @> ?::jsonb", string(labelJSON))`
`95`	`97`	`}`
`96`	`98`
`97`	`99`	`if err := q.Scan(ctx); err != nil {`