Allow choosing API key scopes

SirEdvin · SirEdvin · commit 0e4984dc5574 · 2026-05-13T15:23:40.000Z
diff --git a/README.md b/README.md
@@ -331,7 +331,7 @@ Notes:
 Personal API keys for automation clients:
 
 - Create and manage keys from the authenticated account API: `GET /auth/api-keys`, `POST /auth/api-keys`, and `DELETE /auth/api-keys/:id`.
-- `POST /auth/api-keys` accepts `{ "name": "Obsidian" }` and returns the plaintext token once. Store it immediately; ExcaliDash stores only a hash and metadata.
+- `POST /auth/api-keys` accepts `{ "name": "Obsidian" }` and optional `scopes`, for example `{ "name": "Obsidian", "scopes": ["drawings:read", "drawings:write"] }`. If omitted, all API-key scopes are granted. Store the returned plaintext token immediately; ExcaliDash stores only a hash and metadata.
 - Automation clients such as the Obsidian plugin should call normal drawing and collection APIs with `Authorization: Bearer <key>`, for example `Authorization: Bearer exd_...`.
 - API keys are scoped automation credentials for `/drawings` and `/collections` only. They cannot manage account settings, create/revoke API keys, call admin endpoints, or use import/export APIs.
 - API-key Bearer requests without browser `Origin`/`Referer` headers do not require CSRF tokens. Cookie-authenticated browser requests keep the existing CSRF behavior.
diff --git a/backend/src/auth/accountRoutes.test.ts b/backend/src/auth/accountRoutes.test.ts
@@ -23,6 +23,8 @@ const buildApp = (options?: { impersonatorId?: string }) => {
     },
     apiKey: {
       findFirst: vi.fn(),
+      findMany: vi.fn(),
+      create: vi.fn(),
       update: vi.fn(),
     },
   } as any;
@@ -141,4 +143,82 @@ describe("accountRoutes local-password safeguards", () => {
     expect(prisma.apiKey.findFirst).not.toHaveBeenCalled();
     expect(prisma.apiKey.update).not.toHaveBeenCalled();
   });
+
+  it("creates API keys with sanitized custom scopes", async () => {
+    const { app, prisma } = buildApp();
+    prisma.apiKey.create.mockImplementation(async ({ data }: any) => ({
+      id: "key-1",
+      name: data.name,
+      prefix: data.prefix,
+      scopes: data.scopes,
+      lastUsedAt: null,
+      revokedAt: null,
+      createdAt: new Date("2026-05-01T12:00:00.000Z"),
+      updatedAt: new Date("2026-05-01T12:00:00.000Z"),
+    }));
+
+    const response = await request(app).post("/api-keys").send({
+      name: "Scoped Key",
+      scopes: [" drawings:read ", "drawings:read", "collections:write"],
+    });
+
+    expect(response.status).toBe(201);
+    expect(prisma.apiKey.create).toHaveBeenCalledWith(expect.objectContaining({
+      data: expect.objectContaining({
+        name: "Scoped Key",
+        scopes: "drawings:read,collections:write",
+      }),
+    }));
+    expect(response.body.apiKey.scopes).toEqual(["drawings:read", "collections:write"]);
+    expect(response.body.token).toMatch(/^exd_/);
+  });
+
+  it("keeps default API key scopes when scopes are omitted", async () => {
+    const { app, prisma } = buildApp();
+    prisma.apiKey.create.mockImplementation(async ({ data }: any) => ({
+      id: "key-1",
+      name: data.name,
+      prefix: data.prefix,
+      scopes: data.scopes,
+      lastUsedAt: null,
+      revokedAt: null,
+      createdAt: new Date("2026-05-01T12:00:00.000Z"),
+      updatedAt: new Date("2026-05-01T12:00:00.000Z"),
+    }));
+
+    const response = await request(app).post("/api-keys").send({ name: "Default Key" });
+
+    expect(response.status).toBe(201);
+    expect(prisma.apiKey.create).toHaveBeenCalledWith(expect.objectContaining({
+      data: expect.objectContaining({
+        scopes: "drawings:read,drawings:write,collections:read,collections:write",
+      }),
+    }));
+  });
+
+  it("rejects API key creation with no scopes", async () => {
+    const { app, prisma } = buildApp();
+
+    const response = await request(app).post("/api-keys").send({
+      name: "No Scopes",
+      scopes: [],
+    });
+
+    expect(response.status).toBe(400);
+    expect(response.body?.message).toContain("at least one");
+    expect(prisma.apiKey.create).not.toHaveBeenCalled();
+  });
+
+  it("rejects API key creation with invalid scopes", async () => {
+    const { app, prisma } = buildApp();
+
+    const response = await request(app).post("/api-keys").send({
+      name: "Bad Scope",
+      scopes: ["drawings:read", "admin:write"],
+    });
+
+    expect(response.status).toBe(400);
+    expect(response.body?.message).toContain("valid API key scope");
+    expect(prisma.apiKey.create).not.toHaveBeenCalled();
+  });
 });
diff --git a/backend/src/auth/accountRoutes.ts b/backend/src/auth/accountRoutes.ts
@@ -90,6 +90,16 @@ export const registerAccountRoutes = (deps: RegisterAccountRoutesDeps) => {
     updatedAt: apiKey.updatedAt,
   });
 
+  const normalizeApiKeyScopes = (scopes: string[] | undefined): string[] | null => {
+    if (!scopes) return [...DEFAULT_API_KEY_SCOPES];
+    const allowedScopes = new Set<string>(DEFAULT_API_KEY_SCOPES);
+    const normalized = Array.from(new Set(scopes.map((scope) => scope.trim()).filter(Boolean)));
+    if (normalized.length === 0 || normalized.some((scope) => !allowedScopes.has(scope))) {
+      return null;
+    }
+    return normalized;
+  };
+
   router.post("/password-reset-request", loginAttemptRateLimiter, async (req: Request, res: Response) => {
     if (!(await ensureAuthEnabled(res))) return;
     if (!config.enablePasswordReset) {
@@ -363,6 +373,14 @@ export const registerAccountRoutes = (deps: RegisterAccountRoutesDeps) => {
         });
       }
 
+      const scopes = normalizeApiKeyScopes(parsed.data.scopes);
+      if (!scopes) {
+        return res.status(400).json({
+          error: "Validation error",
+          message: "Select at least one valid API key scope",
+        });
+      }
+
       const generated = generateApiKey();
       const apiKey = await prisma.apiKey.create({
         data: {
@@ -371,7 +389,7 @@ export const registerAccountRoutes = (deps: RegisterAccountRoutesDeps) => {
           keyId: generated.keyId,
           tokenHash: generated.tokenHash,
           prefix: generated.prefix,
-          scopes: serializeApiKeyScopes(DEFAULT_API_KEY_SCOPES),
+          scopes: serializeApiKeyScopes(scopes),
         },
         select: {
           id: true,
diff --git a/backend/src/auth/schemas.ts b/backend/src/auth/schemas.ts
@@ -127,4 +127,5 @@ export const mustResetPasswordSchema = z.object({
 
 export const apiKeyCreateSchema = z.object({
   name: z.string().trim().min(1).max(100),
+  scopes: z.array(z.string()).optional(),
 });
diff --git a/frontend/src/api/index.ts b/frontend/src/api/index.ts
@@ -119,6 +119,13 @@ export interface CreateApiKeyResponse {
   token: string;
 }
 
+export const API_KEY_SCOPES = [
+  "drawings:read",
+  "drawings:write",
+  "collections:read",
+  "collections:write",
+] as const;
+
 export const authStatus = async (): Promise<AuthStatusResponse> => {
   const response = await axios.get<AuthStatusResponse>(
     `${API_URL}/auth/status`,
@@ -183,8 +190,8 @@ export const listApiKeys = async (): Promise<ApiKeyMetadata[]> => {
   return response.data.apiKeys;
 };
 
-export const createApiKey = async (name: string): Promise<CreateApiKeyResponse> => {
-  const response = await api.post<CreateApiKeyResponse>("/auth/api-keys", { name });
+export const createApiKey = async (name: string, scopes?: string[]): Promise<CreateApiKeyResponse> => {
+  const response = await api.post<CreateApiKeyResponse>("/auth/api-keys", { name, scopes });
   return response.data;
 };
 
diff --git a/frontend/src/pages/Profile.apiKeys.test.tsx b/frontend/src/pages/Profile.apiKeys.test.tsx
@@ -23,6 +23,7 @@ vi.mock("../components/Layout", () => ({
 }));
 
 vi.mock("../api", () => ({
+  API_KEY_SCOPES: ["drawings:read", "drawings:write", "collections:read", "collections:write"],
   api: {
     put: vi.fn(),
     post: vi.fn(),
@@ -54,15 +55,16 @@ describe("Profile API keys", () => {
     mockAuthUser.mockReturnValue({ id: "user-1", email: "user@example.com", name: "User One" });
     vi.mocked(api.getCollections).mockResolvedValue([]);
     vi.mocked(api.listApiKeys).mockResolvedValue([existingApiKey]);
-    vi.mocked(api.createApiKey).mockResolvedValue({
+    vi.mocked(api.createApiKey).mockImplementation(async (name, scopes) => ({
       apiKey: {
         ...existingApiKey,
         id: "key-2",
-        name: "CI Token",
+        name,
         prefix: "exd_key_new456",
+        scopes: scopes ?? ["drawings:read", "drawings:write", "collections:read", "collections:write"],
       },
       token: "exd_key_new456.secret-token-value",
-    });
+    }));
     vi.mocked(api.revokeApiKey).mockResolvedValue(undefined);
     Object.defineProperty(navigator, "clipboard", {
       configurable: true,
@@ -89,7 +91,12 @@ describe("Profile API keys", () => {
 
     expect(await screen.findByDisplayValue("exd_key_new456.secret-token-value")).toBeInTheDocument();
     expect(screen.getByText(/copy this token now/i)).toBeInTheDocument();
-    expect(api.createApiKey).toHaveBeenCalledWith("CI Token");
+    expect(api.createApiKey).toHaveBeenCalledWith("CI Token", [
+      "drawings:read",
+      "drawings:write",
+      "collections:read",
+      "collections:write",
+    ]);
 
     fireEvent.click(screen.getByRole("button", { name: /copy generated api token/i }));
     await waitFor(() => {
@@ -154,4 +161,48 @@ describe("Profile API keys", () => {
     resolveApiKeys([existingApiKey]);
     expect(await screen.findByText("Existing Key")).toBeInTheDocument();
   });
+
+  it("submits and displays custom API key scopes", async () => {
+    render(
+      <MemoryRouter>
+        <Profile />
+      </MemoryRouter>
+    );
+
+    await screen.findByText("Existing Key");
+
+    fireEvent.change(screen.getByLabelText(/api key name/i), {
+      target: { value: "Read Token" },
+    });
+    fireEvent.click(screen.getByLabelText(/write drawings/i));
+    fireEvent.click(screen.getByLabelText(/read collections/i));
+    fireEvent.click(screen.getByLabelText(/write collections/i));
+    fireEvent.click(screen.getByRole("button", { name: /create api key/i }));
+
+    expect(await screen.findByDisplayValue("exd_key_new456.secret-token-value")).toBeInTheDocument();
+    expect(api.createApiKey).toHaveBeenCalledWith("Read Token", ["drawings:read"]);
+    expect(screen.getAllByText("drawings:read").length).toBeGreaterThan(0);
+  });
+
+  it("disables API key creation and shows validation when no scopes are selected", async () => {
+    render(
+      <MemoryRouter>
+        <Profile />
+      </MemoryRouter>
+    );
+
+    await screen.findByText("Existing Key");
+
+    fireEvent.change(screen.getByLabelText(/api key name/i), {
+      target: { value: "No Scope Token" },
+    });
+    fireEvent.click(screen.getByLabelText(/read drawings/i));
+    fireEvent.click(screen.getByLabelText(/write drawings/i));
+    fireEvent.click(screen.getByLabelText(/read collections/i));
+    fireEvent.click(screen.getByLabelText(/write collections/i));
+
+    expect(screen.getByText(/select at least one api key scope/i)).toBeInTheDocument();
+    expect(screen.getByRole("button", { name: /create api key/i })).toBeDisabled();
+    expect(api.createApiKey).not.toHaveBeenCalled();
+  });
 });
diff --git a/frontend/src/pages/Profile.tsx b/frontend/src/pages/Profile.tsx
@@ -27,6 +27,13 @@ const formatApiKeyDate = (value: string | null) => {
     return new Date(value).toLocaleString();
 };
 
+const API_KEY_SCOPE_LABELS: Record<string, string> = {
+    'drawings:read': 'Read drawings',
+    'drawings:write': 'Write drawings',
+    'collections:read': 'Read collections',
+    'collections:write': 'Write collections',
+};
+
 export const Profile: React.FC = () => {
     const { user: authUser, logout, authEnabled } = useAuth();
     const navigate = useNavigate();
@@ -51,6 +58,7 @@ export const Profile: React.FC = () => {
     const [apiKeys, setApiKeys] = useState<api.ApiKeyMetadata[]>([]);
     const [apiKeysLoading, setApiKeysLoading] = useState(false);
     const [apiKeyName, setApiKeyName] = useState('');
+    const [selectedApiKeyScopes, setSelectedApiKeyScopes] = useState<string[]>([...api.API_KEY_SCOPES]);
     const [apiKeyActionLoading, setApiKeyActionLoading] = useState(false);
     const [apiKeyError, setApiKeyError] = useState('');
     const [generatedToken, setGeneratedToken] = useState('');
@@ -273,6 +281,10 @@ export const Profile: React.FC = () => {
             setApiKeyError('API key name is required');
             return;
         }
+        if (selectedApiKeyScopes.length === 0) {
+            setApiKeyError('Select at least one API key scope');
+            return;
+        }
 
         setApiKeyActionLoading(true);
         setApiKeyError('');
@@ -282,9 +294,10 @@ export const Profile: React.FC = () => {
         setCopiedToken(false);
 
         try {
-            const response = await api.createApiKey(trimmedName);
+            const response = await api.createApiKey(trimmedName, selectedApiKeyScopes);
             setApiKeys(prev => [response.apiKey, ...prev]);
             setApiKeyName('');
+            setSelectedApiKeyScopes([...api.API_KEY_SCOPES]);
             setGeneratedToken(response.token);
             setGeneratedTokenName(response.apiKey.name);
             setSuccess('API key created. Copy the token now; it will not be shown again.');
@@ -326,6 +339,14 @@ export const Profile: React.FC = () => {
         setCopiedToken(false);
     };
 
+    const handleApiKeyScopeChange = (scope: string, checked: boolean) => {
+        const next = checked
+            ? [...selectedApiKeyScopes, scope]
+            : selectedApiKeyScopes.filter(value => value !== scope);
+        setSelectedApiKeyScopes(api.API_KEY_SCOPES.filter(value => next.includes(value)));
+        setApiKeyError(next.length === 0 ? 'Select at least one API key scope' : '');
+    };
+
     const handleRevokeApiKey = async (id: string) => {
         setApiKeyActionLoading(true);
         setApiKeyError('');
@@ -556,7 +577,8 @@ export const Profile: React.FC = () => {
                         </div>
                     )}
 
-                    <div className="flex flex-col sm:flex-row gap-3 mb-6">
+                    <div className="space-y-4 mb-6">
+                        <div className="flex flex-col sm:flex-row gap-3">
                         <div className="flex-1">
                             <label htmlFor="apiKeyName" className="block text-sm font-bold text-slate-700 dark:text-neutral-300 mb-2">
                                 API Key Name
@@ -573,11 +595,31 @@ export const Profile: React.FC = () => {
                         </div>
                         <button
                             onClick={() => void handleCreateApiKey()}
-                            disabled={apiKeysLoading || apiKeyActionLoading || !apiKeyName.trim()}
+                            disabled={apiKeysLoading || apiKeyActionLoading || !apiKeyName.trim() || selectedApiKeyScopes.length === 0}
                             className="sm:self-end px-6 py-3 bg-emerald-600 dark:bg-emerald-500 text-white font-bold rounded-xl border-2 border-black dark:border-neutral-700 shadow-[2px_2px_0px_0px_rgba(0,0,0,1)] dark:shadow-[2px_2px_0px_0px_rgba(255,255,255,0.2)] hover:shadow-[4px_4px_0px_0px_rgba(0,0,0,1)] dark:hover:shadow-[4px_4px_0px_0px_rgba(255,255,255,0.2)] hover:-translate-y-0.5 transition-all duration-200 disabled:opacity-50 disabled:cursor-not-allowed disabled:hover:translate-y-0 disabled:hover:shadow-[2px_2px_0px_0px_rgba(0,0,0,1)] dark:disabled:hover:shadow-[2px_2px_0px_0px_rgba(255,255,255,0.2)]"
                         >
                             {apiKeyActionLoading ? 'Creating...' : 'Create API Key'}
                         </button>
+                        </div>
+                        <fieldset>
+                            <legend className="block text-sm font-bold text-slate-700 dark:text-neutral-300 mb-2">
+                                Scopes
+                            </legend>
+                            <div className="grid grid-cols-1 sm:grid-cols-2 gap-2">
+                                {api.API_KEY_SCOPES.map(scope => (
+                                    <label key={scope} className="flex items-center gap-2 px-3 py-2 bg-slate-50 dark:bg-neutral-800 border-2 border-slate-200 dark:border-neutral-700 rounded-xl text-sm font-medium text-slate-700 dark:text-neutral-300">
+                                        <input
+                                            type="checkbox"
+                                            checked={selectedApiKeyScopes.includes(scope)}
+                                            onChange={(event) => handleApiKeyScopeChange(scope, event.target.checked)}
+                                            className="h-4 w-4 accent-emerald-600"
+                                        />
+                                        <span>{API_KEY_SCOPE_LABELS[scope]}</span>
+                                        <span className="font-mono text-xs text-slate-500 dark:text-neutral-500">{scope}</span>
+                                    </label>
+                                ))}
+                            </div>
+                        </fieldset>
                     </div>
 
                     {apiKeysLoading ? (
