graphql-hive · n1ru4l · Feb 10, 2025 · Feb 10, 2025 · Feb 10, 2025 · Feb 10, 2025
diff --git a/integration-tests/tests/api/organization-access-tokens.spec.ts b/integration-tests/tests/api/organization-access-tokens.spec.ts
@@ -0,0 +1,273 @@
+import { graphql } from '../../testkit/gql';
+import * as GraphQLSchema from '../../testkit/gql/graphql';
+import { execute } from '../../testkit/graphql';
+import { initSeed } from '../../testkit/seed';
+
+const CreateOrganizationAccessTokenMutation = graphql(`
+  mutation CreateOrganizationAccessToken($input: CreateOrganizationAccessTokenInput!) {
+    createOrganizationAccessToken(input: $input) {
+      ok {
+        privateAccessKey
+        createdOrganizationAccessToken {
+          id
+          title
+          description
+          permissions
+          createdAt
+        }
+      }
+      error {
+        message
+        details {
+          title
+          description
+        }
+      }
+    }
+  }
+`);
+
+const OrganizationProjectTargetQuery = graphql(`
+  query OrganizationProjectTargetQuery(
+    $organizationSlug: String!
+    $projectSlug: String!
+    $targetSlug: String!
+  ) {
+    organization: organizationBySlug(organizationSlug: $organizationSlug) {
+      id
+      slug
+      project: projectBySlug(projectSlug: $projectSlug) {
+        id
+        slug
+        targetBySlug(targetSlug: $targetSlug) {
+          id
+          slug
+        }
+      }
+    }
+  }
+`);
+
+test.concurrent('create: success', async () => {
+  const { createOrg, ownerToken } = await initSeed().createOwner();
+  const org = await createOrg();
+
+  const result = await execute({
+    document: CreateOrganizationAccessTokenMutation,
+    variables: {
+      input: {
+        organization: {
+          byId: org.organization.id,
+        },
+        title: 'a access token',
+        description: 'Some description',
+        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        permissions: [],
+      },
+    },
+    authToken: ownerToken,
+  }).then(e => e.expectNoGraphQLErrors());
+  expect(result.createOrganizationAccessToken.error).toEqual(null);
+  expect(result.createOrganizationAccessToken.ok).toEqual({
+    privateAccessKey: expect.any(String),
+    createdOrganizationAccessToken: {
+      id: expect.any(String),
+      title: 'a access token',
+      description: 'Some description',
+      permissions: [],
+      createdAt: expect.any(String),
+    },
+  });
+});
+
+test.concurrent('create: failure invalid title', async ({ expect }) => {
+  const { createOrg, ownerToken } = await initSeed().createOwner();
+  const org = await createOrg();
+
+  const result = await execute({
+    document: CreateOrganizationAccessTokenMutation,
+    variables: {
+      input: {
+        organization: {
+          byId: org.organization.id,
+        },
+        title: '   ',
+        description: 'Some description',
+        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        permissions: [],
+      },
+    },
+    authToken: ownerToken,
+  }).then(e => e.expectNoGraphQLErrors());
+  expect(result.createOrganizationAccessToken.ok).toEqual(null);
+  expect(result.createOrganizationAccessToken.error).toMatchInlineSnapshot(`
+    {
+      details: {
+        description: null,
+        title: Can only contain letters, numbers, " ", '_', and '-'.,
+      },
+      message: Invalid input provided.,
+    }
+  `);
+});
+
+test.concurrent('create: failure invalid description', async ({ expect }) => {
+  const { createOrg, ownerToken } = await initSeed().createOwner();
+  const org = await createOrg();
+
+  const result = await execute({
+    document: CreateOrganizationAccessTokenMutation,
+    variables: {
+      input: {
+        organization: {
+          byId: org.organization.id,
+        },
+        title: 'a access token',
+        description: new Array(300).fill('A').join(''),
+        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        permissions: [],
+      },
+    },
+    authToken: ownerToken,
+  }).then(e => e.expectNoGraphQLErrors());
+  expect(result.createOrganizationAccessToken.ok).toEqual(null);
+  expect(result.createOrganizationAccessToken.error).toMatchInlineSnapshot(`
+    {
+      details: {
+        description: Maximum length is 248 characters.,
+        title: null,
+      },
+      message: Invalid input provided.,
+    }
+  `);
+});
+
+test.concurrent('create: failure because no access to organization', async ({ expect }) => {
+  const actor1 = await initSeed().createOwner();
+  const actor2 = await initSeed().createOwner();
+  const org = await actor1.createOrg();
+
+  const errors = await execute({
+    document: CreateOrganizationAccessTokenMutation,
+    variables: {
+      input: {
+        organization: {
+          byId: org.organization.id,
+        },
+        title: 'a access token',
+        description: 'Some description',
+        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        permissions: [],
+      },
+    },
+    authToken: actor2.ownerToken,
+  }).then(e => e.expectGraphQLErrors());
+  expect(errors).toMatchObject([
+    {
+      extensions: {
+        code: 'UNAUTHORISED',
+      },
+
+      message: `No access (reason: "Missing permission for performing 'accessToken:modify' on resource")`,
+      path: ['createOrganizationAccessToken'],
+    },
+  ]);
+});
+
+test.concurrent('query GraphQL API on resources with access', async ({ expect }) => {
+  const { createOrg, ownerToken } = await initSeed().createOwner();
+  const org = await createOrg();
+  const project = await org.createProject(GraphQLSchema.ProjectType.Federation);
+
+  const result = await execute({
+    document: CreateOrganizationAccessTokenMutation,
+    variables: {
+      input: {
+        organization: {
+          byId: org.organization.id,
+        },
+        title: 'a access token',
+        description: 'a description',
+        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        permissions: ['organization:describe', 'project:describe'],
+      },
+    },
+    authToken: ownerToken,
+  }).then(e => e.expectNoGraphQLErrors());
+  expect(result.createOrganizationAccessToken.error).toEqual(null);
+  const organizationAccessToken = result.createOrganizationAccessToken.ok!.privateAccessKey;
+
+  const projectQuery = await execute({
+    document: OrganizationProjectTargetQuery,
+    variables: {
+      organizationSlug: org.organization.slug,
+      projectSlug: project.project.slug,
+      targetSlug: project.target.slug,
+    },
+    authToken: organizationAccessToken,
+  }).then(e => e.expectNoGraphQLErrors());
+  expect(projectQuery).toEqual({
+    organization: {
+      id: expect.any(String),
+      slug: org.organization.slug,
+      project: {
+        id: expect.any(String),
+        slug: project.project.slug,
+        targetBySlug: {
+          id: expect.any(String),
+          slug: project.target.slug,
+        },
+      },
+    },
+  });
+});
+
+test.concurrent('query GraphQL API on resources without access', async ({ expect }) => {
+  const { createOrg, ownerToken } = await initSeed().createOwner();
+  const org = await createOrg();
+  const project1 = await org.createProject(GraphQLSchema.ProjectType.Federation);
+  const project2 = await org.createProject(GraphQLSchema.ProjectType.Federation);
+
+  const result = await execute({
+    document: CreateOrganizationAccessTokenMutation,
+    variables: {
+      input: {
+        organization: {
+          byId: org.organization.id,
+        },
+        title: 'a access token',
+        description: 'a description',
+        resources: {
+          mode: GraphQLSchema.ResourceAssignmentMode.Granular,
+          projects: [
+            {
+              projectId: project1.project.id,
+              targets: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+            },
+          ],
+        },
+        permissions: ['organization:describe', 'project:describe'],
+      },
+    },
+    authToken: ownerToken,
+  }).then(e => e.expectNoGraphQLErrors());
+  expect(result.createOrganizationAccessToken.error).toEqual(null);
+  const organizationAccessToken = result.createOrganizationAccessToken.ok!.privateAccessKey;
+
+  const projectQuery = await execute({
+    document: OrganizationProjectTargetQuery,
+    variables: {
+      organizationSlug: org.organization.slug,
+      projectSlug: project2.project.slug,
+      targetSlug: project2.target.slug,
+    },
+    authToken: organizationAccessToken,
+  }).then(e => e.expectNoGraphQLErrors());
+  expect(projectQuery).toEqual({
+    organization: {
+      id: expect.any(String),
+      project: null,
+      slug: org.organization.slug,
+    },
+  });
+});
diff --git a/package.json b/package.json
@@ -130,7 +130,8 @@
       "countup.js": "patches/countup.js.patch",
       "@oclif/core@4.0.6": "patches/@oclif__core@4.0.6.patch",
       "@fastify/vite": "patches/@fastify__vite.patch",
-      "p-cancelable@4.0.1": "patches/p-cancelable@4.0.1.patch"
+      "p-cancelable@4.0.1": "patches/p-cancelable@4.0.1.patch",
+      "bentocache": "patches/bentocache.patch"
     }
   }
 }
diff --git a/packages/migrations/src/actions/2025.01.30T00-02-03.organization-access-tokens.ts b/packages/migrations/src/actions/2025.01.30T00-02-03.organization-access-tokens.ts
@@ -0,0 +1,24 @@
+import { type MigrationExecutor } from '../pg-migrator';
+
+export default {
+  name: '2025.01.30T00-02-03.organization-access-tokens.ts',
+  run: ({ sql }) => sql`
+    CREATE TABLE IF NOT EXISTS "organization_access_tokens" (
+      "id" UUID PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4()
+      , "organization_id" UUID NOT NULL REFERENCES "organizations" ("id") ON DELETE CASCADE
+      , "created_at" timestamptz NOT NULL DEFAULT now()
+      , "title" text NOT NULL
+      , "description" text NOT NULL
+      , "permissions" text[] NOT NULL
+      , "assigned_resources" jsonb
+      , "hash" text
+      , "first_characters" text
+    );
+
+    CREATE INDEX IF NOT EXISTS "organization_access_tokens_organization_id" ON "organization_access_tokens" (
+      "organization_id"
+      , "created_at" DESC
+      , "id" DESC
+    );
+  `,
+} satisfies MigrationExecutor;
diff --git a/packages/migrations/src/run-pg-migrations.ts b/packages/migrations/src/run-pg-migrations.ts
@@ -158,5 +158,6 @@ export const runPGMigrations = async (args: { slonik: DatabasePool; runTo?: stri
       await import('./actions/2025.01.17T10-08-00.drop-activities'),
       await import('./actions/2025.01.20T00-00-00.legacy-registry-model-removal'),
       await import('./actions/2025.01.30T00-00-00.granular-member-role-permissions'),
+      await import('./actions/2025.01.30T00-02-03.organization-access-tokens'),
     ],
   });
diff --git a/packages/services/api/package.json b/packages/services/api/package.json
@@ -44,6 +44,7 @@
     "@types/object-hash": "3.0.6",
     "agentkeepalive": "4.6.0",
     "bcryptjs": "2.4.3",
+    "bentocache": "1.1.0",
     "csv-stringify": "6.5.2",
     "dataloader": "2.2.3",
     "date-fns": "4.1.0",

diff --git a/packages/services/api/src/modules/auth/lib/authz.ts b/packages/services/api/src/modules/auth/lib/authz.ts
@@ -349,6 +349,7 @@ const permissionsByLevel = {
     z.literal('project:create'),
     z.literal('schemaLinting:modifyOrganizationRules'),
     z.literal('auditLog:export'),
+    z.literal('accessToken:modify'),
   ],
   project: [
     z.literal('project:describe'),
@@ -366,8 +367,8 @@ const permissionsByLevel = {
     z.literal('laboratory:describe'),
     z.literal('laboratory:modify'),
     z.literal('laboratory:modifyPreflightScript'),
-    z.literal('schema:loadFromRegistry'),
     z.literal('schema:compose'),
+    z.literal('usage:report'),
   ],
   service: [
     z.literal('schemaCheck:create'),