Add helpers for creating and authenticating OATs

Author: myftija

apps/webapp/app/services/organizationAccessToken.server.ts

@@ -0,0 +1,205 @@
+import { type OrganizationAccessToken } from "@trigger.dev/database";
+import { customAlphabet } from "nanoid";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import { logger } from "./logger.server";
+import { decryptToken, encryptToken, hashToken } from "~/utils/tokens";
+
+const tokenValueLength = 40;
+//lowercase only, removed 0 and l to avoid confusion
+const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", tokenValueLength);
+
+type CreateOrganizationAccessTokenOptions = {
+  name: string;
+  organizationId: string;
+  expiresAt?: Date;
+};
+
+export async function getValidOrganizationAccessTokens(organizationId: string) {
+  const organizationAccessTokens = await prisma.organizationAccessToken.findMany({
+    select: {
+      id: true,
+      name: true,
+      obfuscatedToken: true,
+      createdAt: true,
+      lastAccessedAt: true,
+      expiresAt: true,
+    },
+    where: {
+      organizationId,
+      revokedAt: null,
+      OR: [{ expiresAt: null }, { expiresAt: { gte: new Date() } }],
+    },
+  });
+
+  return organizationAccessTokens.map((oat) => ({
+    id: oat.id,
+    name: oat.name,
+    obfuscatedToken: oat.obfuscatedToken,
+    createdAt: oat.createdAt,
+    lastAccessedAt: oat.lastAccessedAt,
+    expiresAt: oat.expiresAt,
+  }));
+}
+
+export type ObfuscatedOrganizationAccessToken = Awaited<
+  ReturnType<typeof getValidOrganizationAccessTokens>
+>[number];
+
+export async function revokeOrganizationAccessToken(tokenId: string) {
+  await prisma.organizationAccessToken.update({
+    where: {
+      id: tokenId,
+    },
+    data: {
+      revokedAt: new Date(),
+    },
+  });
+}
+
+export type OrganizationAccessTokenAuthenticationResult = {
+  organizationId: string;
+};
+
+const EncryptedSecretValueSchema = z.object({
+  nonce: z.string(),
+  ciphertext: z.string(),
+  tag: z.string(),
+});
+
+const AuthorizationHeaderSchema = z.string().regex(/^Bearer .+$/);
+
+export async function authenticateApiRequestWithOrganizationAccessToken(
+  request: Request
+): Promise<OrganizationAccessTokenAuthenticationResult | undefined> {
+  const token = getOrganizationAccessTokenFromRequest(request);
+  if (!token) {
+    return;
+  }
+
+  return authenticateOrganizationAccessToken(token);
+}
+
+function getOrganizationAccessTokenFromRequest(request: Request) {
+  const rawAuthorization = request.headers.get("Authorization");
+
+  const authorization = AuthorizationHeaderSchema.safeParse(rawAuthorization);
+  if (!authorization.success) {
+    return;
+  }
+
+  const organizationAccessToken = authorization.data.replace(/^Bearer /, "");
+  return organizationAccessToken;
+}
+
+export async function authenticateOrganizationAccessToken(
+  token: string
+): Promise<OrganizationAccessTokenAuthenticationResult | undefined> {
+  if (!token.startsWith(tokenPrefix)) {
+    logger.warn(`OAT doesn't start with ${tokenPrefix}`);
+    return;
+  }
+
+  const hashedToken = hashToken(token);
+
+  const organizationAccessToken = await prisma.organizationAccessToken.findFirst({
+    where: {
+      hashedToken,
+      revokedAt: null,
+      OR: [{ expiresAt: null }, { expiresAt: { gte: new Date() } }],
+    },
+  });
+
+  if (!organizationAccessToken) {
+    return;
+  }
+
+  await prisma.organizationAccessToken.update({
+    where: {
+      id: organizationAccessToken.id,
+    },
+    data: {
+      lastAccessedAt: new Date(),
+    },
+  });
+
+  const decryptedToken = decryptOrganizationAccessToken(organizationAccessToken);
+
+  if (decryptedToken !== token) {
+    logger.error(
+      `OrganizationAccessToken with id: ${organizationAccessToken.id} was found in the database with hash ${hashedToken}, but the decrypted token did not match the provided token.`
+    );
+    return;
+  }
+
+  return {
+    organizationId: organizationAccessToken.organizationId,
+  };
+}
+
+export function isOrganizationAccessToken(token: string) {
+  return token.startsWith(tokenPrefix);
+}
+
+export async function createOrganizationAccessToken({
+  name,
+  organizationId,
+  expiresAt,
+}: CreateOrganizationAccessTokenOptions) {
+  const token = createToken();
+  const encryptedToken = encryptToken(token);
+
+  const organizationAccessToken = await prisma.organizationAccessToken.create({
+    data: {
+      name,
+      organizationId,
+      encryptedToken,
+      obfuscatedToken: obfuscateToken(token),
+      hashedToken: hashToken(token),
+      expiresAt,
+    },
+  });
+
+  return {
+    id: organizationAccessToken.id,
+    name,
+    organizationId,
+    token,
+    obfuscatedToken: organizationAccessToken.obfuscatedToken,
+    expiresAt: organizationAccessToken.expiresAt,
+  };
+}
+
+export type CreatedOrganizationAccessToken = Awaited<
+  ReturnType<typeof createOrganizationAccessToken>
+>;
+
+const tokenPrefix = "tr_oat_";
+
+function createToken() {
+  return `${tokenPrefix}${tokenGenerator()}`;
+}
+
+function obfuscateToken(token: string) {
+  const withoutPrefix = token.replace(tokenPrefix, "");
+  const obfuscated = `${withoutPrefix.slice(0, 4)}${"•".repeat(18)}${withoutPrefix.slice(-4)}`;
+  return `${tokenPrefix}${obfuscated}`;
+}
+
+function decryptOrganizationAccessToken(organizationAccessToken: OrganizationAccessToken) {
+  const encryptedData = EncryptedSecretValueSchema.safeParse(
+    organizationAccessToken.encryptedToken
+  );
+  if (!encryptedData.success) {
+    throw new Error(
+      `Unable to parse encrypted OrganizationAccessToken with id: ${organizationAccessToken.id}: ${encryptedData.error.message}`
+    );
+  }
+
+  const decryptedToken = decryptToken(
+    encryptedData.data.nonce,
+    encryptedData.data.ciphertext,
+    encryptedData.data.tag
+  );
+  return decryptedToken;
+}

apps/webapp/app/services/personalAccessToken.server.ts

@@ -1,10 +1,9 @@
-import { PersonalAccessToken } from "@trigger.dev/database";
+import { type PersonalAccessToken } from "@trigger.dev/database";
 import { customAlphabet, nanoid } from "nanoid";
-import nodeCrypto from "node:crypto";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { env } from "~/env.server";
 import { logger } from "./logger.server";
+import { decryptToken, encryptToken, hashToken } from "~/utils/tokens";
 
 const tokenValueLength = 40;
 //lowercase only, removed 0 and l to avoid confusion
@@ -303,22 +302,6 @@ function obfuscateToken(token: string) {
   return `${tokenPrefix}${obfuscated}`;
 }
 
-function encryptToken(value: string) {
-  const nonce = nodeCrypto.randomBytes(12);
-  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", env.ENCRYPTION_KEY, nonce);
-
-  let encrypted = cipher.update(value, "utf8", "hex");
-  encrypted += cipher.final("hex");
-
-  const tag = cipher.getAuthTag().toString("hex");
-
-  return {
-    nonce: nonce.toString("hex"),
-    ciphertext: encrypted,
-    tag,
-  };
-}
-
 function decryptPersonalAccessToken(personalAccessToken: PersonalAccessToken) {
   const encryptedData = EncryptedSecretValueSchema.safeParse(personalAccessToken.encryptedToken);
   if (!encryptedData.success) {
@@ -334,24 +317,3 @@ function decryptPersonalAccessToken(personalAccessToken: PersonalAccessToken) {
   );
   return decryptedToken;
 }
-
-function decryptToken(nonce: string, ciphertext: string, tag: string): string {
-  const decipher = nodeCrypto.createDecipheriv(
-    "aes-256-gcm",
-    env.ENCRYPTION_KEY,
-    Buffer.from(nonce, "hex")
-  );
-
-  decipher.setAuthTag(Buffer.from(tag, "hex"));
-
-  let decrypted = decipher.update(ciphertext, "hex", "utf8");
-  decrypted += decipher.final("utf8");
-
-  return decrypted;
-}
-
-function hashToken(token: string): string {
-  const hash = nodeCrypto.createHash("sha256");
-  hash.update(token);
-  return hash.digest("hex");
-}

apps/webapp/app/utils/tokens.ts

@@ -0,0 +1,39 @@
+import nodeCrypto from "node:crypto";
+import { env } from "~/env.server";
+
+export function encryptToken(value: string) {
+  const nonce = nodeCrypto.randomBytes(12);
+  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", env.ENCRYPTION_KEY, nonce);
+
+  let encrypted = cipher.update(value, "utf8", "hex");
+  encrypted += cipher.final("hex");
+
+  const tag = cipher.getAuthTag().toString("hex");
+
+  return {
+    nonce: nonce.toString("hex"),
+    ciphertext: encrypted,
+    tag,
+  };
+}
+
+export function decryptToken(nonce: string, ciphertext: string, tag: string): string {
+  const decipher = nodeCrypto.createDecipheriv(
+    "aes-256-gcm",
+    env.ENCRYPTION_KEY,
+    Buffer.from(nonce, "hex")
+  );
+
+  decipher.setAuthTag(Buffer.from(tag, "hex"));
+
+  let decrypted = decipher.update(ciphertext, "hex", "utf8");
+  decrypted += decipher.final("utf8");
+
+  return decrypted;
+}
+
+export function hashToken(token: string): string {
+  const hash = nodeCrypto.createHash("sha256");
+  hash.update(token);
+  return hash.digest("hex");
+}

packages/cli-v3/src/utilities/isPersonalAccessToken.ts

@@ -1,7 +1,26 @@
-const tokenPrefix = "tr_pat_";
+const personalTokenPrefix = "tr_pat_";
+const organizationTokenPrefix = "tr_oat_";
 
 export function isPersonalAccessToken(token: string) {
-  return token.startsWith(tokenPrefix);
+  return token.startsWith(personalTokenPrefix);
+}
+
+export function isOrganizationAccessToken(token: string) {
+  return token.startsWith(organizationTokenPrefix);
+}
+
+export function validateAccessToken(
+  token: string
+): { success: true; type: "personal" | "organization" } | { success: false } {
+  if (isPersonalAccessToken(token)) {
+    return { success: true, type: "personal" };
+  }
+
+  if (isOrganizationAccessToken(token)) {
+    return { success: true, type: "organization" };
+  }
+
+  return { success: false };
 }
 
 export class NotPersonalAccessTokenError extends Error {
@@ -10,3 +29,10 @@ export class NotPersonalAccessTokenError extends Error {
     this.name = "NotPersonalAccessTokenError";
   }
 }
+
+export class NotAccessTokenError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "NotAccessTokenError";
+  }
+}