Merge pull request #778 from TaloDev/migrate-api-key-routes

Migrate api key routes to new router

Author: tudddorrr

CLAUDE.md

@@ -282,7 +282,7 @@ Three route helpers provide type safety for route configurations:
 
 Route configurations support:
 - `method`: HTTP method ('get', 'post', 'put', 'patch', 'delete')
-- `path`: Route path (relative to router basePath)
+- `path`: Route path (relative to router basePath, can be omitted for root routes)
 - `handler`: Async function receiving typed context
 - `middleware`: Optional middleware array (use `withMiddleware()` wrapper)
 - `validation`: Optional Zod schema for request body validation

src/config/protected-routes.ts

@@ -7,7 +7,7 @@ import GameStatService from '../services/game-stat.service'
 import { gameActivityRouter } from '../routes/protected/game-activity'
 import LeaderboardService from '../services/leaderboard.service'
 import DataExportService from '../services/data-export.service'
-import APIKeyService from '../services/api-key.service'
+import { apiKeyRouter } from '../routes/protected/api-key'
 import EventService from '../services/event.service'
 import { headlineRouter } from '../routes/protected/headline'
 import PlayerService from '../services/player.service'
@@ -54,7 +54,6 @@ export default function protectedRoutes(app: Koa) {
   app.use(service('/games/:gameId/game-stats', new GameStatService(), serviceOpts))
   app.use(service('/games/:gameId/leaderboards', new LeaderboardService(), serviceOpts))
   app.use(service('/games/:gameId/data-exports', new DataExportService(), serviceOpts))
-  app.use(service('/games/:gameId/api-keys', new APIKeyService(), serviceOpts))
   app.use(service('/games/:gameId/events', new EventService(), serviceOpts))
   app.use(service('/games/:gameId/players', new PlayerService(), serviceOpts))
   app.use(service('/games/:gameId/integrations', new IntegrationService(), serviceOpts))
@@ -63,6 +62,7 @@ export default function protectedRoutes(app: Koa) {
   app.use(service('/games/:gameId/game-channels', new GameChannelService(), serviceOpts))
 
   // new router-based routes
+  app.use(apiKeyRouter().routes())
   app.use(billingRouter().routes())
   app.use(gameActivityRouter().routes())
   app.use(gameRouter().routes())

src/middleware/game-middleware.ts

@@ -2,7 +2,8 @@ import { Next } from 'koa'
 import Game from '../entities/game'
 import { ProtectedRouteContext } from '../lib/routing/context'
 
-type GameRouteContext = ProtectedRouteContext<{ game: Game }>
+export type GameRouteState = { game: Game }
+type GameRouteContext = ProtectedRouteContext<GameRouteState>
 
 export const loadGame = async (ctx: GameRouteContext, next: Next) => {
   const { gameId } = ctx.params as { gameId: string }

src/policies/api-key.policy.ts

@@ -0,0 +1,38 @@
+import { Next } from 'koa'
+import { EntityManager } from '@mikro-orm/mysql'
+import APIKey from '../../../entities/api-key'
+import { ProtectedRouteContext } from '../../../lib/routing/context'
+import { GameRouteState } from '../../../middleware/game-middleware'
+import { sign } from '../../../lib/auth/jwt'
+
+type APIKeyRouteContext = ProtectedRouteContext<GameRouteState & { apiKey: APIKey }>
+
+export const loadAPIKey = async (ctx: APIKeyRouteContext, next: Next) => {
+  const { id } = ctx.params as { id: string }
+  const em = ctx.em
+
+  const apiKey = await em.repo(APIKey).findOne({
+    id: Number(id),
+    game: ctx.state.game
+  })
+
+  if (!apiKey) {
+    ctx.throw(404, 'API key not found')
+  }
+
+  ctx.state.apiKey = apiKey
+  await next()
+}
+
+export async function createToken(em: EntityManager, apiKey: APIKey): Promise<string> {
+  await em.populate(apiKey, ['game.apiSecret'])
+
+  const payload = {
+    sub: apiKey.id,
+    api: true,
+    iat: Math.floor(new Date(apiKey.createdAt).getTime() / 1000)
+  }
+
+  const token = await sign(payload, apiKey.game.apiSecret.getPlainSecret()!)
+  return token
+}

src/routes/protected/api-key/common.ts

@@ -0,0 +1,53 @@
+import { protectedRoute, withMiddleware } from '../../../lib/routing/router'
+import { loadGame } from '../../../middleware/game-middleware'
+import { userTypeGate, requireEmailConfirmed } from '../../../middleware/policy-middleware'
+import { UserType } from '../../../entities/user'
+import APIKey, { APIKeyScope } from '../../../entities/api-key'
+import { GameActivityType } from '../../../entities/game-activity'
+import createGameActivity from '../../../lib/logging/createGameActivity'
+import { createToken } from './common'
+
+export const createRoute = protectedRoute({
+  method: 'post',
+  schema: (z) => ({
+    body: z.object({
+      scopes: z.array(z.nativeEnum(APIKeyScope))
+    })
+  }),
+  middleware: withMiddleware(
+    userTypeGate([UserType.ADMIN], 'create API keys'),
+    requireEmailConfirmed('create API keys'),
+    loadGame
+  ),
+  handler: async (ctx) => {
+    const { scopes } = ctx.state.validated.body
+    const em = ctx.em
+
+    const apiKey = new APIKey(ctx.state.game, ctx.state.authenticatedUser)
+    apiKey.scopes = scopes
+
+    createGameActivity(em, {
+      user: ctx.state.authenticatedUser,
+      game: ctx.state.game,
+      type: GameActivityType.API_KEY_CREATED,
+      extra: {
+        keyId: apiKey.id,
+        display: {
+          'Scopes': scopes.join(', ')
+        }
+      }
+    })
+
+    await em.persist(apiKey).flush()
+
+    const token = await createToken(em, apiKey)
+
+    return {
+      status: 200,
+      body: {
+        token,
+        apiKey
+      }
+    }
+  }
+})

src/routes/protected/api-key/create.ts

@@ -0,0 +1,16 @@
+import { protectedRouter } from '../../../lib/routing/router'
+import { createRoute } from './create'
+import { listRoute } from './list'
+import { scopesRoute } from './scopes'
+import { revokeRoute } from './revoke'
+import { updateRoute } from './update'
+
+export function apiKeyRouter() {
+  return protectedRouter('/games/:gameId/api-keys', ({ route }) => {
+    route(createRoute)
+    route(listRoute)
+    route(scopesRoute)
+    route(revokeRoute)
+    route(updateRoute)
+  })
+}

src/routes/protected/api-key/index.ts

@@ -0,0 +1,22 @@
+import { protectedRoute, withMiddleware } from '../../../lib/routing/router'
+import { loadGame } from '../../../middleware/game-middleware'
+import APIKey from '../../../entities/api-key'
+
+export const listRoute = protectedRoute({
+  method: 'get',
+  middleware: withMiddleware(loadGame),
+  handler: async (ctx) => {
+    const em = ctx.em
+    const apiKeys = await em.repo(APIKey).find(
+      { game: ctx.state.game, revokedAt: null },
+      { populate: ['createdByUser'] }
+    )
+
+    return {
+      status: 200,
+      body: {
+        apiKeys
+      }
+    }
+  }
+})

src/routes/protected/api-key/list.ts

@@ -0,0 +1,50 @@
+import { protectedRoute, withMiddleware } from '../../../lib/routing/router'
+import { loadGame } from '../../../middleware/game-middleware'
+import { userTypeGate, requireEmailConfirmed } from '../../../middleware/policy-middleware'
+import { UserType } from '../../../entities/user'
+import { GameActivityType } from '../../../entities/game-activity'
+import createGameActivity from '../../../lib/logging/createGameActivity'
+import { getTokenCacheKey } from '../../../lib/auth/getAPIKeyFromToken'
+import { loadAPIKey, createToken } from './common'
+
+export const revokeRoute = protectedRoute({
+  method: 'delete',
+  path: '/:id',
+  middleware: withMiddleware(
+    userTypeGate([UserType.ADMIN], 'revoke API keys'),
+    requireEmailConfirmed('revoke API keys'),
+    loadGame,
+    loadAPIKey
+  ),
+  handler: async (ctx) => {
+    const em = ctx.em
+    const apiKey = ctx.state.apiKey
+
+    apiKey.revokedAt = new Date()
+    await em.clearCache(getTokenCacheKey(apiKey.id))
+
+    const token = await createToken(em, apiKey)
+
+    createGameActivity(em, {
+      user: ctx.state.authenticatedUser,
+      game: ctx.state.game,
+      type: GameActivityType.API_KEY_REVOKED,
+      extra: {
+        keyId: apiKey.id,
+        display: {
+          'Key ending in': token.substring(token.length - 5, token.length)
+        }
+      }
+    })
+
+    const socket = ctx.wss
+    const conns = socket.findConnections((conn) => conn.getAPIKeyId() === apiKey.id)
+    await Promise.all(conns.map((conn) => socket.closeConnection(conn.getSocket())))
+
+    await em.flush()
+
+    return {
+      status: 204
+    }
+  }
+})

src/routes/protected/api-key/revoke.ts

@@ -0,0 +1,22 @@
+import { protectedRoute } from '../../../lib/routing/router'
+import { APIKeyScope } from '../../../entities/api-key'
+import { groupBy } from 'lodash'
+
+type ScopeKey = keyof typeof APIKeyScope
+
+export const scopesRoute = protectedRoute({
+  method: 'get',
+  path: '/scopes',
+  handler: () => {
+    const scopes = Object.keys(APIKeyScope)
+      .filter((key) => APIKeyScope[key as ScopeKey] !== APIKeyScope.FULL_ACCESS)
+      .map((key) => APIKeyScope[key as ScopeKey])
+
+    return {
+      status: 200,
+      body: {
+        scopes: groupBy(scopes, (scope) => scope.split(':')[1])
+      }
+    }
+  }
+})