lib/api/personal_access_tokens.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

# frozen_string_literal: true

module API
  class PersonalAccessTokens < ::API::Base
    include ::API::PaginationParams

    feature_category :authentication_and_authorization

    before do
      authenticate!
      restrict_non_admins! unless current_user.can_admin_all_resources?
    end

    helpers ::API::Helpers::PersonalAccessTokensHelpers

    resources :personal_access_tokens do
      desc 'List personal access tokens' do
        detail 'Get all personal access tokens the authenticated user has access to.'
        is_array true
        success Entities::PersonalAccessToken
        tags %w[personal_access_tokens]
        failure [
          { code: 401, message: 'Unauthorized' }
        ]
      end
      params do
        optional :user_id, type: Integer, desc: 'Filter PATs by User ID', documentation: { example: 2 }
        optional :revoked, type: Boolean, desc: 'Filter PATs where revoked state matches parameter',
                           documentation: { example: false }
        optional :state, type: String, desc: 'Filter PATs which are either active or not',
                         values: %w[active inactive], documentation: { example: 'active' }
        optional :created_before, type: DateTime, desc: 'Filter PATs which were created before given datetime',
                                  documentation: { example: '2022-01-01' }
        optional :created_after, type: DateTime, desc: 'Filter PATs which were created after given datetime',
                                 documentation: { example: '2021-01-01' }
        optional :last_used_before, type: DateTime, desc: 'Filter PATs which were used before given datetime',
                                    documentation: { example: '2021-01-01' }
        optional :last_used_after, type: DateTime, desc: 'Filter PATs which were used after given datetime',
                                   documentation: { example: '2022-01-01' }
        optional :search, type: String, desc: 'Filters PATs by its name', documentation: { example: 'token' }

        use :pagination
      end
      get do
        tokens = PersonalAccessTokensFinder.new(finder_params(current_user), current_user).execute

        present paginate(tokens), with: Entities::PersonalAccessToken
      end

      desc 'Get single personal access token' do
        detail 'Get a personal access token by using the ID of the personal access token.'
        success Entities::PersonalAccessToken
        failure [
          { code: 401, message: 'Unauthorized' },
          { code: 404, message: 'Not found' }
        ]
      end
      get ':id' do
        token = PersonalAccessToken.find_by_id(params[:id])

        allowed = Ability.allowed?(current_user, :read_user_personal_access_tokens, token&.user)

        if allowed
          present token, with: Entities::PersonalAccessToken
        else
          # Only admins should be informed if the token doesn't exist
          current_user.can_admin_all_resources? ? not_found! : unauthorized!
        end
      end

      desc 'Revoke a personal access token' do
        detail 'Revoke a personal access token by using the ID of the personal access token.'
        success code: 204
        failure [
          { code: 400, message: 'Bad Request' }
        ]
      end
      delete ':id' do
        token = find_token(params[:id])

        revoke_token(token)
      end
    end
  end
end