feat(api-token): Add org_name to token payload (#1095)

Signed-off-by: Javier Rodriguez <[email protected]>

Author: javirln

app/controlplane/api/controlplane/v1/api_token.pb.go

@@ -71,6 +71,7 @@ message APITokenItem {
   string name = 7;
   string description = 2;
   string organization_id = 3;
+  string organization_name = 8;
   google.protobuf.Timestamp created_at = 4;
   google.protobuf.Timestamp revoked_at = 5;
   google.protobuf.Timestamp expires_at = 6;

app/controlplane/api/controlplane/v1/api_token.proto

@@ -102,10 +102,12 @@ func (s *APITokenService) Revoke(ctx context.Context, req *pb.APITokenServiceRev
 
 func apiTokenBizToPb(in *biz.APIToken) *pb.APITokenItem {
 	res := &pb.APITokenItem{
-		Id:          in.ID.String(),
-		Name:        in.Name,
-		Description: in.Description, OrganizationId: in.OrganizationID.String(),
-		CreatedAt: timestamppb.New(*in.CreatedAt),
+		Id:               in.ID.String(),
+		Name:             in.Name,
+		OrganizationId:   in.OrganizationID.String(),
+		OrganizationName: in.OrganizationName,
+		Description:      in.Description,
+		CreatedAt:        timestamppb.New(*in.CreatedAt),
 	}
 
 	if in.ExpiresAt != nil {

app/controlplane/api/gen/frontend/controlplane/v1/api_token.ts

@@ -99,7 +99,7 @@ func TestWithCurrentAPITokenAndOrgMiddleware(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			apiTokenRepo := bizMocks.NewAPITokenRepo(t)
 			orgRepo := bizMocks.NewOrganizationRepo(t)
-			apiTokenUC, err := biz.NewAPITokenUseCase(apiTokenRepo, &conf.Auth{GeneratedJwsHmacSecret: "test"}, nil, nil)
+			apiTokenUC, err := biz.NewAPITokenUseCase(apiTokenRepo, &conf.Auth{GeneratedJwsHmacSecret: "test"}, nil, nil, nil)
 			require.NoError(t, err)
 			orgUC := biz.NewOrganizationUseCase(orgRepo, nil, nil, nil, nil, nil)
 			require.NoError(t, err)

app/controlplane/cmd/wire_gen.go

@@ -38,8 +38,9 @@ type APIToken struct {
 	// This is the JWT value returned only during creation
 	JWT string
 	// Tokens are scoped to organizations
-	OrganizationID uuid.UUID
-	CreatedAt      *time.Time
+	OrganizationID   uuid.UUID
+	OrganizationName string
+	CreatedAt        *time.Time
 	// When the token expires
 	ExpiresAt *time.Time
 	// When the token was manually revoked
@@ -61,15 +62,18 @@ type APITokenUseCase struct {
 	jwtBuilder           *apitoken.Builder
 	enforcer             *authz.Enforcer
 	DefaultAuthzPolicies []*authz.Policy
+	// Use Cases
+	orgUseCase *OrganizationUseCase
 }
 
 type APITokenSyncerUseCase struct {
 	base *APITokenUseCase
 }
 
-func NewAPITokenUseCase(apiTokenRepo APITokenRepo, conf *conf.Auth, authzE *authz.Enforcer, logger log.Logger) (*APITokenUseCase, error) {
+func NewAPITokenUseCase(apiTokenRepo APITokenRepo, conf *conf.Auth, authzE *authz.Enforcer, orgUseCase *OrganizationUseCase, logger log.Logger) (*APITokenUseCase, error) {
 	uc := &APITokenUseCase{
 		apiTokenRepo: apiTokenRepo,
+		orgUseCase:   orgUseCase,
 		logger:       servicelogger.ScopedHelper(logger, "biz/APITokenUseCase"),
 		enforcer:     authzE,
 		DefaultAuthzPolicies: []*authz.Policy{
@@ -125,6 +129,12 @@ func (uc *APITokenUseCase) Create(ctx context.Context, name string, description
 		*expiresAt = time.Now().Add(*expiresIn)
 	}
 
+	// Retrieve the organization
+	org, err := uc.orgUseCase.FindByID(ctx, orgID)
+	if err != nil {
+		return nil, fmt.Errorf("finding organization: %w", err)
+	}
+
 	// NOTE: the expiration time is stored just for reference, it's also encoded in the JWT
 	// We store it since Chainloop will not have access to the JWT to check the expiration once created
 	token, err := uc.apiTokenRepo.Create(ctx, name, description, expiresAt, orgUUID)
@@ -136,7 +146,7 @@ func (uc *APITokenUseCase) Create(ctx context.Context, name string, description
 	}
 
 	// generate the JWT
-	token.JWT, err = uc.jwtBuilder.GenerateJWT(token.OrganizationID.String(), token.ID.String(), expiresAt)
+	token.JWT, err = uc.jwtBuilder.GenerateJWT(token.OrganizationID.String(), org.Name, token.ID.String(), expiresAt)
 	if err != nil {
 		return nil, fmt.Errorf("generating jwt: %w", err)
 	}

app/controlplane/internal/service/apitoken.go

@@ -66,12 +66,13 @@ func NewBuilder(opts ...NewOpt) (*Builder, error) {
 	return b, nil
 }
 
-// it can both expire and being revoked, revocation is performed by checking the keyID against our revocation list
-func (ra *Builder) GenerateJWT(orgID, keyID string, expiresAt *time.Time) (string, error) {
+// GenerateJWT creates a new JWT token for the given organization and keyID
+func (ra *Builder) GenerateJWT(orgID, orgName, keyID string, expiresAt *time.Time) (string, error) {
 	claims := CustomClaims{
 		orgID,
+		orgName,
 		jwt.RegisteredClaims{
-			// Key identifier so we can check it's revocation status
+			// Key identifier so we can check its revocation status
 			ID:       keyID,
 			Issuer:   ra.issuer,
 			Audience: jwt.ClaimStrings{Audience},
@@ -88,6 +89,7 @@ func (ra *Builder) GenerateJWT(orgID, keyID string, expiresAt *time.Time) (strin
 }
 
 type CustomClaims struct {
-	OrgID string `json:"org_id"`
+	OrgID   string `json:"org_id"`
+	OrgName string `json:"org_name"`
 	jwt.RegisteredClaims
 }

app/controlplane/internal/usercontext/apitoken_middleware_test.go

@@ -73,7 +73,7 @@ func TestGenerateJWT(t *testing.T) {
 	b, err := NewBuilder(WithIssuer("my-issuer"), WithKeySecret(hmacSecret))
 	require.NoError(t, err)
 
-	token, err := b.GenerateJWT("org-id", "key-id", toPtrTime(time.Now().Add(1*time.Hour)))
+	token, err := b.GenerateJWT("org-id", "org-name", "key-id", toPtrTime(time.Now().Add(1*time.Hour)))
 	assert.NoError(t, err)
 	assert.NotEmpty(t, token)
 
@@ -86,6 +86,7 @@ func TestGenerateJWT(t *testing.T) {
 	require.NoError(t, err)
 	assert.True(t, tokenInfo.Valid)
 	assert.Equal(t, "org-id", claims.OrgID)
+	assert.Equal(t, "org-name", claims.OrgName)
 	assert.Equal(t, "key-id", claims.ID)
 	assert.Equal(t, "my-issuer", claims.Issuer)
 	assert.Contains(t, claims.Audience, Audience)