fix: add pat endpoints

2025-12-07 07:16:54 +00:00 · 2024-09-27 11:47:01 +02:00
parent 1afd9bc198
commit ee5de6563a
9 changed files with 1306 additions and 10 deletions
--- a/proto/zitadel/resources/user/v3alpha/authenticator.proto
+++ b/proto/zitadel/resources/user/v3alpha/authenticator.proto
@@ -29,6 +29,8 @@ message Authenticators {
  repeated PublicKey public_keys = 7;
  // A list of the user's linked identity providers (IDPs).
  repeated IdentityProvider identity_providers = 8;
+  // A list of the user's personal access tokens.
+  repeated PersonalAccessToken personal_access_tokens = 9;
 }

 message Username {
@@ -236,10 +238,27 @@ message IdentityProvider {
  ];
 }

+message PersonalAccessToken {
+  // ID is the read-only unique identifier of the personal access token.
+  string personal_access_token_id = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"69629023906488334\"";
+    }
+  ];
+  zitadel.resources.object.v3alpha.Details details = 2;
+  // After the expiration date, the key will no longer be usable for authentication.
+  google.protobuf.Timestamp expiration_date = 3 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"3019-04-01T08:45:00.000000Z\"";
+    }
+  ];
+}
+
 message SetAuthenticators {
  repeated SetUsername usernames = 1;
  SetPassword password = 2;
-  SetPublicKey public_key = 3;
+  repeated SetPublicKey public_key = 3;
+  repeated SetPersonalAccessToken personal_access_token = 4;
 }

 message SetUsername {
@@ -347,6 +366,14 @@ message ProvidedPublicKey {
  ];
 }

+message SetPersonalAccessToken {
+  // After the expiration date, the key will no longer be usable for authentication.
+  optional google.protobuf.Timestamp expiration_date = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"3019-04-01T08:45:00.000000Z\"";
+    }
+  ];
+}

 message SendPasswordResetEmail {
  // Optionally set a url_template, which will be used in the password reset mail
--- a/proto/zitadel/resources/user/v3alpha/user_service.proto
+++ b/proto/zitadel/resources/user/v3alpha/user_service.proto
@@ -642,15 +642,13 @@ service ZITADELUsers {
    };
  }

-
-
  // Add a public key
  //
  // Add a new public key to a user. The public key will be used to identify the user on authentication.
  rpc AddPublicKey (AddPublicKeyRequest) returns (AddPublicKeyResponse) {
    option (google.api.http) = {
-      post: "/resources/v3alpha/users/{id}/publickey"
-      body: "publickey"
+      post: "/resources/v3alpha/users/{id}/public_key"
+      body: "public_key"
    };

    option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -674,7 +672,56 @@ service ZITADELUsers {
  // Remove an existing public key of a user, so it cannot be used for authentication anymore.
  rpc RemovePublicKey (RemovePublicKeyRequest) returns (RemovePublicKeyResponse) {
    option (google.api.http) = {
-      delete: "/resources/v3alpha/users/{id}/publickey/{publickey_id}"
+      delete: "/resources/v3alpha/users/{id}/public_key/{public_key_id}"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "authenticated"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      responses: {
+        key: "200"
+        value: {
+          description: "Username successfully removed";
+        }
+      };
+    };
+  }
+
+  // Add a personal access token
+  //
+  // Add a new personal access token to a user. The personal access token will be used to identify the user on authentication.
+  rpc AddPersonalAccessToken (AddPersonalAccessTokenRequest) returns (AddPersonalAccessTokenResponse) {
+    option (google.api.http) = {
+      post: "/resources/v3alpha/users/{id}/personal_access_token"
+      body: "personal_access_token"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "authenticated"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      responses: {
+        key: "200"
+        value: {
+          description: "Username successfully added";
+        }
+      };
+    };
+  }
+
+  // Remove a personal access token
+  //
+  // Remove an existing personal access token of a user, so it cannot be used for authentication anymore.
+  rpc RemovePersonalAccessToken (RemovePersonalAccessTokenRequest) returns (RemovePersonalAccessTokenResponse) {
+    option (google.api.http) = {
+      delete: "/resources/v3alpha/users/{id}/personal_access_token/{personal_access_token_id}"
    };

    option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -1696,7 +1743,6 @@ message RemovePasswordResponse {
  zitadel.resources.object.v3alpha.Details details = 1;
 }

-
 message AddPublicKeyRequest {
  optional zitadel.object.v3alpha.Instance instance = 1 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1764,6 +1810,73 @@ message RemovePublicKeyResponse {
  zitadel.resources.object.v3alpha.Details details = 1;
 }

+message AddPersonalAccessTokenRequest {
+  optional zitadel.object.v3alpha.Instance instance = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      default: "\"domain from HOST or :authority header\""
+    }
+  ];
+  // Optionally expect the user to be in this organization.
+  optional zitadel.object.v3alpha.Organization organization = 2;
+  // unique identifier of the user.
+  string id = 3 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"69629026806489455\"";
+    }
+  ];
+  // Set the user's new personal access token.
+  SetPersonalAccessToken personal_access_token = 4;
+}
+
+message AddPersonalAccessTokenResponse {
+  zitadel.resources.object.v3alpha.Details details = 1;
+  // unique identifier of the public key.
+  string personal_access_token_id = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"69629023906488334\"";
+    }
+  ];
+  string personal_access_token = 3;
+}
+
+message RemovePersonalAccessTokenRequest {
+  optional zitadel.object.v3alpha.Instance instance = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      default: "\"domain from HOST or :authority header\""
+    }
+  ];
+  // Optionally expect the user to be in this organization.
+  optional zitadel.object.v3alpha.Organization organization = 2;
+  // unique identifier of the user.
+  string id = 3 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"69629026806489455\"";
+    }
+  ];
+  // unique identifier of the personal access token.
+  string personal_access_token_id = 4 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"69629023906488334\"";
+    }
+  ];
+}
+
+message RemovePersonalAccessTokenResponse {
+  zitadel.resources.object.v3alpha.Details details = 1;
+}
+
 message StartWebAuthNRegistrationRequest {
  optional zitadel.object.v3alpha.Instance instance = 1 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {