Feature/add mis endpoints in authentication (#705)

Author: bluepal-prasanthi-moparthi

v2/CHANGELOG.md

@@ -6,6 +6,7 @@
 - Add missing endpoints from administration to v2
 - Add missing endpoints from cluster to v2
 - Add missing endpoints from security to v2
+- Add missing endpoints from authentication to v2
 
 ## [2.1.5](https://github.com/arangodb/go-driver/tree/v2.1.5) (2025-08-31)
 - Add tasks endpoints to v2

v2/arangodb/client.go

@@ -38,4 +38,5 @@ type Client interface {
 	ClientFoxx
 	ClientTasks
 	ClientReplication
+	ClientAccessTokens
 }

v2/arangodb/client_access_tokens.go

@@ -0,0 +1,86 @@
+//
+// DISCLAIMER
+//
+// Copyright 2023-2024 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package arangodb
+
+import "context"
+
+// ClientAccessTokens defines access token API methods.
+type ClientAccessTokens interface {
+	// CreateAccessToken creates a new access token for the specified user.
+	// Permissions:
+	//   - You can always create an access token for yourself.
+	//   - To create a token for another user, you need admin access
+	//     to the _system database.
+	CreateAccessToken(ctx context.Context, user *string, req AccessTokenRequest) (CreateAccessTokenResponse, error)
+
+	// DeleteAccessToken deletes a specific access token for a given user.
+	DeleteAccessToken(ctx context.Context, user *string, tokenId *int) error
+
+	// GetAllAccessToken retrieves all access tokens for a given user.
+	GetAllAccessToken(ctx context.Context, user *string) (AccessTokenResponse, error)
+}
+
+// AccessTokenRequest represents the input required to create a new access token.
+type AccessTokenRequest struct {
+	// Name is a descriptive name for the access token (e.g., "Token for Service A").
+	// This helps identify the token later. Required field.
+	Name *string `json:"name,omitempty"`
+
+	// ValidUntil is the Unix timestamp (seconds since epoch) until which the token remains valid.
+	// Required field. After this time, the token will automatically expire.
+	ValidUntil *int64 `json:"valid_until,omitempty"`
+}
+
+// AccessTokenInfo contains metadata about an access token.
+// Embeds AccessTokenRequest to include the name and validity period in the response.
+type AccessTokenInfo struct {
+	// Id is the unique identifier for the access token.
+	Id *int `json:"id,omitempty"`
+
+	// Embed the AccessTokenRequest fields (Name and ValidUntil) for reference.
+	AccessTokenRequest
+
+	// CreatedAt is the Unix timestamp when the token was created.
+	CreatedAt *int64 `json:"created_at,omitempty"`
+
+	// Fingerprint is a unique string associated with the token,
+	// useful for tracking or verifying the token without revealing it.
+	Fingerprint *string `json:"fingerprint,omitempty"`
+
+	// Active indicates whether the token is currently active or has been revoked/expired.
+	Active *bool `json:"active,omitempty"`
+}
+
+// CreateAccessTokenResponse represents the response returned when creating a new access token.
+type CreateAccessTokenResponse struct {
+	// Embed the AccessTokenInfo metadata.
+	AccessTokenInfo
+
+	// Token is the actual access token string.
+	// It is only returned once at creation and should be stored securely.
+	Token *string `json:"token,omitempty"`
+}
+
+// AccessTokenResponse represents a list of access tokens for a user.
+type AccessTokenResponse struct {
+	// Tokens is a list of all access tokens associated with a user.
+	Tokens []AccessTokenInfo `json:"tokens,omitempty"`
+}

v2/arangodb/client_access_tokens_impl.go

@@ -0,0 +1,142 @@
+//
+// DISCLAIMER
+//
+// Copyright 2023-2024 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package arangodb
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"strconv"
+
+	"github.com/arangodb/go-driver/v2/arangodb/shared"
+	"github.com/arangodb/go-driver/v2/connection"
+	"github.com/pkg/errors"
+)
+
+type clientAccessTokens struct {
+	client *client
+}
+
+func newClientAccessTokens(client *client) *clientAccessTokens {
+	return &clientAccessTokens{
+		client: client,
+	}
+}
+
+var _ ClientAccessTokens = &clientAccessTokens{}
+
+func validateAccessTokenReqParams(req AccessTokenRequest) (map[string]interface{}, error) {
+	reqParams := make(map[string]interface{})
+	if req.Name == nil {
+		return nil, RequiredFieldError("name")
+	}
+	if req.ValidUntil == nil {
+		return nil, RequiredFieldError("valid_until")
+	}
+	reqParams["name"] = *req.Name
+	reqParams["valid_until"] = *req.ValidUntil
+	return reqParams, nil
+}
+
+// CreateAccessToken creates a new access token for the specified user.
+// Permissions:
+//   - You can always create an access token for yourself.
+//   - To create a token for another user, you need admin access
+//     to the _system database.
+func (c *clientAccessTokens) CreateAccessToken(ctx context.Context, user *string, req AccessTokenRequest) (CreateAccessTokenResponse, error) {
+	if user == nil {
+		return CreateAccessTokenResponse{}, RequiredFieldError("user")
+	}
+	// Build the URL for the access token endpoint, safely escaping the username
+	url := connection.NewUrl("_api", "token", url.PathEscape(*user))
+
+	var response struct {
+		shared.ResponseStruct     `json:",inline"`
+		CreateAccessTokenResponse `json:",inline"`
+	}
+
+	reqParams, err := validateAccessTokenReqParams(req)
+	if err != nil {
+		return CreateAccessTokenResponse{}, errors.WithStack(err)
+	}
+
+	resp, err := connection.CallPost(ctx, c.client.connection, url, &response, reqParams)
+	if err != nil {
+		return CreateAccessTokenResponse{}, errors.WithStack(err)
+	}
+
+	switch code := resp.Code(); code {
+	case http.StatusOK:
+		return response.CreateAccessTokenResponse, nil
+	default:
+		return CreateAccessTokenResponse{}, response.AsArangoErrorWithCode(code)
+	}
+}
+
+// DeleteAccessToken deletes a specific access token for a given user.
+func (c *clientAccessTokens) DeleteAccessToken(ctx context.Context, user *string, tokenId *int) error {
+	if user == nil {
+		return RequiredFieldError("user")
+	}
+	if tokenId == nil {
+		return RequiredFieldError("token-id")
+	}
+	// Build the URL for the access token endpoint, safely escaping the username
+	url := connection.NewUrl("_api", "token", url.PathEscape(*user), url.PathEscape(strconv.Itoa(*tokenId)))
+
+	resp, err := connection.CallDelete(ctx, c.client.connection, url, nil)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	switch code := resp.Code(); code {
+	case http.StatusOK:
+		return nil
+	default:
+		return (&shared.ResponseStruct{}).AsArangoErrorWithCode(resp.Code())
+	}
+}
+
+// GetAllAccessToken retrieves all access tokens for a given user.
+func (c *clientAccessTokens) GetAllAccessToken(ctx context.Context, user *string) (AccessTokenResponse, error) {
+	if user == nil {
+		return AccessTokenResponse{}, RequiredFieldError("user")
+	}
+	// Build the URL for the access token endpoint, safely escaping the username
+	url := connection.NewUrl("_api", "token", url.PathEscape(*user))
+
+	var response struct {
+		shared.ResponseStruct `json:",inline"`
+		AccessTokenResponse   `json:",inline"`
+	}
+
+	resp, err := connection.CallGet(ctx, c.client.connection, url, &response)
+	if err != nil {
+		return AccessTokenResponse{}, errors.WithStack(err)
+	}
+
+	switch code := resp.Code(); code {
+	case http.StatusOK:
+		return response.AccessTokenResponse, nil
+	default:
+		return AccessTokenResponse{}, response.AsArangoErrorWithCode(code)
+	}
+}

v2/arangodb/client_admin.go

@@ -85,6 +85,14 @@ type ClientAdmin interface {
 	// the --rocksdb.encryption-keyfolder and re-encrypts the internal encryption key.
 	// Requires superuser rights and is not available on Coordinators.
 	RotateEncryptionAtRestKey(ctx context.Context) ([]EncryptionKey, error)
+	// GetJWTSecrets retrieves information about the currently loaded JWT secrets
+	// for a given database.
+	// Requires a superuser JWT for authorization.
+	GetJWTSecrets(ctx context.Context, dbName string) (JWTSecretsResult, error)
+
+	// ReloadJWTSecrets forces the server to reload the JWT secrets from disk.
+	// Requires a superuser JWT for authorization.
+	ReloadJWTSecrets(ctx context.Context) (JWTSecretsResult, error)
 }
 
 type ClientAdminLog interface {
@@ -588,3 +596,14 @@ type EncryptionKey struct {
 	// This is used to uniquely identify which key is active/available.
 	SHA256 *string `json:"sha256,omitempty"`
 }
+
+// JWTSecretsResult contains the active and passive JWT secrets
+type JWTSecretsResult struct {
+	Active  *JWTSecret  `json:"active,omitempty"`  // The currently active JWT secret
+	Passive []JWTSecret `json:"passive,omitempty"` // List of passive JWT secrets (may be empty)
+}
+
+// JWTSecret represents a single JWT secret's SHA-256 hash
+type JWTSecret struct {
+	SHA256 *string `json:"sha256,omitempty"` // SHA-256 hash of the JWT secret
+}

v2/arangodb/client_admin_impl.go

@@ -436,3 +436,52 @@ func (c *clientAdmin) RotateEncryptionAtRestKey(ctx context.Context) ([]Encrypti
 		return nil, response.AsArangoErrorWithCode(code)
 	}
 }
+
+// GetJWTSecrets retrieves information about the currently loaded JWT secrets
+// for a given database.
+// Requires a superuser JWT for authorization.
+func (c *clientAdmin) GetJWTSecrets(ctx context.Context, dbName string) (JWTSecretsResult, error) {
+	// Build the URL for the JWT secrets endpoint, safely escaping the database name
+	url := connection.NewUrl("_db", url.PathEscape(dbName), "_admin", "server", "jwt")
+
+	var response struct {
+		shared.ResponseStruct `json:",inline"` // Common fields: error, code, etc.
+		Result                JWTSecretsResult `json:"result"` // Contains active and passive JWT secrets
+	}
+
+	resp, err := connection.CallGet(ctx, c.client.connection, url, &response)
+	if err != nil {
+		return JWTSecretsResult{}, errors.WithStack(err)
+	}
+
+	switch code := resp.Code(); code {
+	case http.StatusOK:
+		return response.Result, nil
+	default:
+		return JWTSecretsResult{}, response.AsArangoErrorWithCode(code)
+	}
+}
+
+// ReloadJWTSecrets forces the server to reload the JWT secrets from disk.
+// Requires a superuser JWT for authorization.
+func (c *clientAdmin) ReloadJWTSecrets(ctx context.Context) (JWTSecretsResult, error) {
+	// Build the URL for the JWT secrets endpoint, safely escaping the database name
+	url := connection.NewUrl("_admin", "server", "jwt")
+
+	var response struct {
+		shared.ResponseStruct `json:",inline"` // Common fields: error, code, etc.
+		Result                JWTSecretsResult `json:"result"` // Contains active and passive JWT secrets
+	}
+
+	resp, err := connection.CallPost(ctx, c.client.connection, url, &response, nil)
+	if err != nil {
+		return JWTSecretsResult{}, errors.WithStack(err)
+	}
+
+	switch code := resp.Code(); code {
+	case http.StatusOK:
+		return response.Result, nil
+	default:
+		return JWTSecretsResult{}, response.AsArangoErrorWithCode(code)
+	}
+}

v2/arangodb/client_impl.go

@@ -41,6 +41,7 @@ func newClient(connection connection.Connection) *client {
 	c.clientFoxx = newClientFoxx(c)
 	c.clientTask = newClientTask(c)
 	c.clientReplication = newClientReplication(c)
+	c.clientAccessTokens = newClientAccessTokens(c)
 
 	c.Requests = NewRequests(connection)
 
@@ -60,6 +61,7 @@ type client struct {
 	*clientFoxx
 	*clientTask
 	*clientReplication
+	*clientAccessTokens
 
 	Requests
 }

v2/arangodb/utils.go

@@ -26,6 +26,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net/http"
 	"reflect"
 
 	"github.com/pkg/errors"
@@ -110,6 +111,18 @@ func CreateDocuments(ctx context.Context, col Collection, docCount int, generato
 	return err
 }
 
+type ClientError struct {
+	Code    int
+	Message string
+}
+
+func (e *ClientError) Error() string {
+	return e.Message
+}
+
 func RequiredFieldError(field string) error {
-	return fmt.Errorf("%s field must be set", field)
+	return &ClientError{
+		Code:    http.StatusBadRequest,
+		Message: fmt.Sprintf("%s field must be set", field),
+	}
 }