feat(tokens): T41-T43 implement API token management endpoints

- Add max_api_tokens_per_user config (default 5)
- Implement POST /api/tokens (T41): generate token with limit check
- Implement GET /api/tokens (T42): list active tokens, no values exposed
- Implement DELETE /api/tokens/{id} (T43): soft delete with ownership check
- Security: plaintext token shown ONLY at creation
- Security: SHA-256 hash stored in DB, never the plaintext
- Security: revoked tokens return 401 on public API
- 24 tests with 100% coverage on tokens router

Closes T41, T42, T43
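The token life cycle the commit message describes (random token generated once, only its SHA-256 digest persisted, listing without values, soft-delete revocation with an ownership check, revoked tokens rejected on authentication) can be exercised end to end with a small in-memory model. The following is an added illustration written for this page, not code from the commit or the project: the `TokenStore` class, its method names and the in-memory dictionary standing in for the database table are assumptions; only the default limit of 5 and the SHA-256 / soft-delete design come from the commit message.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Default taken from the commit message (max_api_tokens_per_user = 5).
MAX_API_TOKENS_PER_USER = 5


def hash_token(plaintext: str) -> str:
    """SHA-256 of the plaintext token; this digest is the only thing stored.

    No salt is needed here because the token itself is a 256-bit random
    secret, so precomputation attacks on the stored digest are not feasible.
    """
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


@dataclass
class ApiToken:
    id: int
    user_id: int
    token_hash: str
    name: str
    created_at: datetime
    is_active: bool = True  # soft delete flips this to False


class TokenStore:
    """In-memory stand-in for the tokens table (constructed for this example)."""

    def __init__(self, max_per_user: int = MAX_API_TOKENS_PER_USER):
        self.max_per_user = max_per_user
        self._rows = {}  # id -> ApiToken
        self._next_id = 1

    def create(self, user_id: int, name: str):
        """POST /api/tokens: enforce the per-user limit, return plaintext once."""
        active = [t for t in self._rows.values()
                  if t.user_id == user_id and t.is_active]
        if len(active) >= self.max_per_user:
            raise PermissionError(f"token limit reached ({self.max_per_user})")
        plaintext = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        row = ApiToken(id=self._next_id, user_id=user_id,
                       token_hash=hash_token(plaintext), name=name,
                       created_at=datetime.now(timezone.utc))
        self._rows[row.id] = row
        self._next_id += 1
        # The plaintext leaves this function exactly once and is never kept.
        return row.id, plaintext

    def list_active(self, user_id: int):
        """GET /api/tokens: active tokens only, newest first, no secrets."""
        rows = [t for t in self._rows.values()
                if t.user_id == user_id and t.is_active]
        rows.sort(key=lambda t: (t.created_at, t.id), reverse=True)
        return [{"id": t.id, "name": t.name,
                 "created_at": t.created_at.isoformat()} for t in rows]

    def revoke(self, user_id: int, token_id: int) -> None:
        """DELETE /api/tokens/{id}: ownership check, then soft delete."""
        row = self._rows.get(token_id)
        if row is None:
            raise LookupError("token not found")        # maps to 404
        if row.user_id != user_id:
            raise PermissionError("not the token owner")  # maps to 403
        row.is_active = False

    def authenticate(self, plaintext: str):
        """Public-API auth: hash the presented token and look the digest up.

        Returns the owning user id, or None (maps to 401) when the token is
        unknown or has been revoked. A real table would index token_hash;
        the scan here also uses a constant-time comparison per row.
        """
        digest = hash_token(plaintext)
        for t in self._rows.values():
            if secrets.compare_digest(t.token_hash, digest):
                return t.user_id if t.is_active else None
        return None


if __name__ == "__main__":
    store = TokenStore()
    tid, token = store.create(user_id=1, name="ci-runner")
    print("created", tid, "plaintext shown once:", token)
    print("list:", store.list_active(1))
    print("auth ok:", store.authenticate(token))
    store.revoke(user_id=1, token_id=tid)
    print("auth after revoke:", store.authenticate(token))
```

Two points worth reading off the model: the listing response never contains `token_hash` or the plaintext, and after `revoke` the digest is still in the table (soft delete) but `authenticate` refuses it, which is the behaviour the commit message summarises as "revoked tokens return 401".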
Luca Sacchi Ricciardi
2026-04-07 16:58:57 +02:00
parent 5f39460510
commit 5e89674b94
6 changed files with 847 additions and 7 deletions


@@ -8,10 +8,10 @@
| Metrica | Valore |
|---------|--------|
| **Stato** | 🟢 Public API Completati |
| **Progresso** | 48% |
| **Stato** | 🟢 Gestione Token API Completata |
| **Progresso** | 52% |
| **Task Totali** | 74 |
| **Task Completati** | 35 |
| **Task Completati** | 38 |
| **Task In Progress** | 0 |
---
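Review bot: the **Progresso** row moves from 48% to 52% while **Task Completati** moves from 35 to 38 of 74; 38/74 is about 51.4%, so the percentage is being rounded up by hand. Consider stating the rounding rule next to the table or deriving the percentage from the two task rows, so the status table cannot drift from the task list it summarises.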
@@ -128,9 +128,24 @@
- [x] T40: Scrivere test per public API endpoints - ✅ Completato (2026-04-07)
- 27 test endpoint + 18 test rate limit + 25 test schemas = 70 test totali
- Coverage: public_api.py 100%, rate_limit.py 98%
- [ ] T41: Implementare POST /api/tokens (generate)
- [ ] T42: Implementare GET /api/tokens (list)
- [ ] T43: Implementare DELETE /api/tokens/{id})
- [x] T41: Implementare POST /api/tokens (generate) - ✅ Completato (2026-04-07)
- Endpoint: POST /api/tokens con auth JWT
- Limite: MAX_API_TOKENS_PER_USER (default 5)
- Token plaintext mostrato SOLO in risposta creazione
- Hash SHA-256 salvato nel DB
- Test: 8 test passanti, 100% coverage
- [x] T42: Implementare GET /api/tokens (list) - ✅ Completato (2026-04-07)
- Endpoint: GET /api/tokens con auth JWT
- NO token values in risposta (sicurezza)
- Ordinamento: created_at DESC
- Solo token attivi (is_active=True)
- Test: 7 test passanti
- [x] T43: Implementare DELETE /api/tokens/{id} - ✅ Completato (2026-04-07)
- Endpoint: DELETE /api/tokens/{id} con auth JWT
- Soft delete: is_active=False
- Verifica ownership (403 se non proprio)
- Token revocato non funziona su API pubblica
- Test: 9 test passanti
### 🎨 Frontend Web (T44-T54) - 0/11 completati
- [ ] T44: Setup Jinja2 templates e static files
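Review bot: the T43 line "Verifica ownership (403 se non proprio)" records that a token belonging to another user is answered differently from a nonexistent id, which lets a caller confirm that a given token id exists; consider noting in the checklist whether the endpoint should answer 404 in both cases, as is common for per-user resources. The line "Token revocato non funziona su API pubblica" would also be clearer if it stated the observable status code, which the commit message gives as 401, so the tracker and the tests agree on the contract.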