Add api keys

Author: max-lt

package.json

@@ -1,6 +1,6 @@
 {
   "name": "openworkers-api",
-  "version": "1.1.7",
+  "version": "1.1.8",
   "license": "MIT",
   "module": "src/index.ts",
   "type": "module",

src/index.ts

@@ -12,6 +12,7 @@ import databases from './routes/databases';
 import kv from './routes/kv';
 import storage from './routes/storage';
 import ai from './routes/ai';
+import apiKeys from './routes/api-keys';
 import pkg from '../package.json';
 import { sql } from './services/db/client';
 
@@ -67,6 +68,7 @@ v1.route('/databases', databases);
 v1.route('/kv', kv);
 v1.route('/storage', storage);
 v1.route('/ai', ai);
+v1.route('/api-keys', apiKeys);
 v1.route('/', users);
 
 api.route('/v1', v1);

src/middlewares/auth.ts

@@ -1,26 +1,60 @@
 import { jwt } from 'hono/jwt';
+import type { Context, Next } from 'hono';
 import type { JWTPayload } from '../types';
 import { jwt as jwtConfig } from '../config';
 import { HTTPException } from 'hono/http-exception';
+import { findApiKeyByToken, updateApiKeyLastUsed } from '../services/db/api-keys';
 
 declare module 'hono' {
   interface ContextVariableMap {
     userId: string;
     username: string;
     jwtPayload: JWTPayload;
+    authMethod: 'jwt' | 'api_key';
   }
 }
 
 // Create JWT middleware with secret from config
-export function createAuthMiddleware() {
+export function createJwtMiddleware() {
   return jwt({
     secret: jwtConfig.access.secret,
     cookie: 'access_token' // Also check cookie for token
   });
 }
 
+// Combined auth middleware: API key first, then JWT
+export function createAuthMiddleware() {
+  const jwtMiddleware = createJwtMiddleware();
+
+  return async (c: Context, next: Next) => {
+    const authHeader = c.req.header('Authorization');
+
+    // Check for API key (Bearer ow_...)
+    if (authHeader?.startsWith('Bearer ow_')) {
+      const token = authHeader.substring(7);
+      const apiKey = await findApiKeyByToken(token);
+
+      if (!apiKey) {
+        return c.json({ error: 'Invalid API key' }, 401);
+      }
+
+      // Set user context
+      c.set('userId', apiKey.userId);
+      c.set('authMethod', 'api_key');
+
+      // Update last used (fire and forget)
+      updateApiKeyLastUsed(apiKey.id).catch(() => {});
+
+      return next();
+    }
+
+    // Fall back to JWT
+    return jwtMiddleware(c, next);
+  };
+}
+
 // Error handler for JWT errors - returns JSON instead of text
-export async function errorHandler(err: Error, c: any) {
+export async function errorHandler(err: Error, c: Context) {
   if (err instanceof HTTPException && err.status === 401) {
     return c.json({ error: 'Unauthorized', message: err.message }, 401);
   } else if (err instanceof HTTPException) {
@@ -30,14 +64,21 @@ export async function errorHandler(err: Error, c: any) {
   throw err;
 }
 
-// Middleware to extract userId from JWT payload
-export async function extractUser(c: any, next: any) {
+// Middleware to extract userId from JWT payload (only needed for JWT auth)
+export async function extractUser(c: Context, next: Next) {
+  // Skip if already authenticated via API key
+  if (c.get('authMethod') === 'api_key') {
+    return next();
+  }
+
   const payload = c.get('jwtPayload') as JWTPayload;
+
   if (!payload) {
     return c.json({ error: 'Unauthorized' }, 401);
   }
 
   c.set('userId', payload.sub);
+  c.set('authMethod', 'jwt');
 
   await next();
 }

src/routes/api-keys.ts

@@ -0,0 +1,81 @@
+import { Hono } from 'hono';
+import { z, ZodError } from 'zod';
+import { createApiKey, listApiKeys, deleteApiKey } from '../services/db/api-keys';
+
+const apiKeys = new Hono();
+
+// Schema for creating an API key
+const CreateApiKeySchema = z.object({
+  name: z.string().min(1).max(100),
+  expiresAt: z.string().datetime().optional()
+});
+
+// POST /api-keys - Create a new API key
+apiKeys.post('/', async (c) => {
+  try {
+    const userId = c.get('userId');
+    const body = await c.req.json();
+    const input = CreateApiKeySchema.parse(body);
+
+    const expiresAt = input.expiresAt ? new Date(input.expiresAt) : undefined;
+    const { apiKey, token } = await createApiKey(userId, input.name, expiresAt);
+
+    // Return the full token - this is the ONLY time it's available
+    return c.json({
+      id: apiKey.id,
+      name: apiKey.name,
+      tokenPrefix: apiKey.tokenPrefix,
+      token, // Full token - user must save this!
+      expiresAt: apiKey.expiresAt?.toISOString() ?? null,
+      createdAt: apiKey.createdAt.toISOString()
+    }, 201);
+  } catch (error) {
+    if (error instanceof ZodError) {
+      return c.json({ error: 'Invalid input', details: error.issues }, 400);
+    }
+
+    console.error('Failed to create API key:', error);
+    return c.json({ error: 'Failed to create API key' }, 500);
+  }
+});
+
+// GET /api-keys - List user's API keys
+apiKeys.get('/', async (c) => {
+  try {
+    const userId = c.get('userId');
+    const keys = await listApiKeys(userId);
+
+    return c.json(keys.map(key => ({
+      id: key.id,
+      name: key.name,
+      tokenPrefix: key.tokenPrefix,
+      lastUsedAt: key.lastUsedAt?.toISOString() ?? null,
+      expiresAt: key.expiresAt?.toISOString() ?? null,
+      createdAt: key.createdAt.toISOString()
+    })));
+  } catch (error) {
+    console.error('Failed to list API keys:', error);
+    return c.json({ error: 'Failed to list API keys' }, 500);
+  }
+});
+
+// DELETE /api-keys/:id - Delete an API key
+apiKeys.delete('/:id', async (c) => {
+  try {
+    const userId = c.get('userId');
+    const keyId = c.req.param('id');
+
+    const deleted = await deleteApiKey(userId, keyId);
+
+    if (!deleted) {
+      return c.json({ error: 'API key not found' }, 404);
+    }
+
+    return c.json({ message: 'API key deleted' });
+  } catch (error) {
+    console.error('Failed to delete API key:', error);
+    return c.json({ error: 'Failed to delete API key' }, 500);
+  }
+});
+
+export default apiKeys;

src/services/db/api-keys.ts

@@ -0,0 +1,121 @@
+import { sql } from './client';
+
+export interface ApiKey {
+  id: string;
+  userId: string;
+  name: string;
+  tokenPrefix: string;
+  lastUsedAt: Date | null;
+  expiresAt: Date | null;
+  createdAt: Date;
+}
+
+interface ApiKeyRow {
+  id: string;
+  user_id: string;
+  name: string;
+  token_prefix: string;
+  last_used_at: string | null;
+  expires_at: string | null;
+  created_at: string;
+}
+
+function rowToApiKey(row: ApiKeyRow): ApiKey {
+  return {
+    id: row.id,
+    userId: row.user_id,
+    name: row.name,
+    tokenPrefix: row.token_prefix,
+    lastUsedAt: row.last_used_at ? new Date(row.last_used_at) : null,
+    expiresAt: row.expires_at ? new Date(row.expires_at) : null,
+    createdAt: new Date(row.created_at)
+  };
+}
+
+// Generate a random API key token
+function generateToken(): string {
+  const bytes = new Uint8Array(24);
+  crypto.getRandomValues(bytes);
+  const random = Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+  return `ow_${random}`;
+}
+
+// Hash token using SHA-256
+async function hashToken(token: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(token);
+  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+}
+
+// Create a new API key - returns the full token (only time it's available)
+export async function createApiKey(
+  userId: string,
+  name: string,
+  expiresAt?: Date
+): Promise<{ apiKey: ApiKey; token: string }> {
+  const token = generateToken();
+  const tokenPrefix = token.substring(0, 12);
+  const tokenHash = await hashToken(token);
+
+  const rows = await sql<ApiKeyRow>(
+    `INSERT INTO api_keys (user_id, name, token_prefix, token_hash, expires_at)
+     VALUES ($1::uuid, $2, $3, $4, $5::timestamptz)
+     RETURNING id, user_id, name, token_prefix, last_used_at, expires_at, created_at`,
+    [userId, name, tokenPrefix, tokenHash, expiresAt?.toISOString() ?? null]
+  );
+
+  return {
+    apiKey: rowToApiKey(rows[0]!),
+    token
+  };
+}
+
+// Find API key by token (for authentication)
+export async function findApiKeyByToken(token: string): Promise<ApiKey | null> {
+  const tokenHash = await hashToken(token);
+
+  const rows = await sql<ApiKeyRow>(
+    `SELECT id, user_id, name, token_prefix, last_used_at, expires_at, created_at
+     FROM api_keys
+     WHERE token_hash = $1 AND (expires_at IS NULL OR expires_at > NOW())`,
+    [tokenHash]
+  );
+
+  return rows[0] ? rowToApiKey(rows[0]) : null;
+}
+
+// List user's API keys
+export async function listApiKeys(userId: string): Promise<ApiKey[]> {
+  const rows = await sql<ApiKeyRow>(
+    `SELECT id, user_id, name, token_prefix, last_used_at, expires_at, created_at
+     FROM api_keys
+     WHERE user_id = $1::uuid
+     ORDER BY created_at DESC`,
+    [userId]
+  );
+
+  return rows.map(rowToApiKey);
+}
+
+// Delete an API key
+export async function deleteApiKey(userId: string, keyId: string): Promise<boolean> {
+  const result = await sql<{ count: string }>(
+    `WITH deleted AS (
+       DELETE FROM api_keys WHERE id = $1::uuid AND user_id = $2::uuid RETURNING *
+     )
+     SELECT COUNT(*) as count FROM deleted`,
+    [keyId, userId]
+  );
+
+  return parseInt(result[0]?.count ?? '0', 10) > 0;
+}
+
+// Update last used timestamp
+export async function updateApiKeyLastUsed(keyId: string): Promise<void> {
+  await sql(
+    `UPDATE api_keys SET last_used_at = NOW() WHERE id = $1::uuid`,
+    [keyId]
+  );
+}