openclaw/oikos
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Adding Rest API token with expiration and revocation options.

Browse Source
This commit is contained in:
Rafael Foster
2026-04-25 12:22:58 -03:00
parent bdd6e559d5
commit f43dee4cc0
22 changed files with 681 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
public/locales/ar.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "العملة",
"currencyHint": "تحدد العملة المستخدمة في منطقة الميزانية بأكملها.",
"currencySaved": "تم حفظ العملة.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "اشتراكات ICS",
"add": "إضافة اشتراك",
public/locales/de.json
+22
View File
@@ -630,6 +630,28 @@
"currencyLabel": "Währung",
"currencyHint": "Legt die Währung für den gesamten Budget-Bereich fest.",
"currencySaved": "Währung gespeichert.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "ICS-Abonnements",
"add": "Abonnement hinzufügen",
public/locales/el.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Νόμισμα",
"currencyHint": "Ορίζει το νόμισμα για ολόκληρη την ενότητα προϋπολογισμού.",
"currencySaved": "Το νόμισμα αποθηκεύτηκε.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "Συνδρομές ICS",
"add": "Προσθήκη συνδρομής",
public/locales/en.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Currency",
"currencyHint": "Sets the currency used throughout the budget section.",
"currencySaved": "Currency saved.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "ICS Subscriptions",
"add": "Add subscription",
public/locales/es.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Moneda",
"currencyHint": "Establece la moneda para toda la sección de presupuesto.",
"currencySaved": "Moneda guardada.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "Suscripciones ICS",
"add": "Añadir suscripción",
public/locales/fr.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Devise",
"currencyHint": "Définit la devise utilisée dans toute la section budget.",
"currencySaved": "Devise enregistrée.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "Abonnements ICS",
"add": "Ajouter un abonnement",
public/locales/hi.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "मुद्रा",
"currencyHint": "पूरे बजट अनुभाग में उपयोग की जाने वाली मुद्रा सेट करता है।",
"currencySaved": "मुद्रा सहेजी गई।",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "ICS सदस्यताएं",
"add": "सदस्यता जोड़ें",
public/locales/it.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Valuta",
"currencyHint": "Imposta la valuta utilizzata in tutta la sezione budget.",
"currencySaved": "Valuta salvata.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "Abbonamenti ICS",
"add": "Aggiungi abbonamento",
public/locales/ja.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "通貨",
"currencyHint": "家計全体で使用する通貨を設定します。",
"currencySaved": "通貨を保存しました。",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "ICSサブスクリプション",
"add": "サブスクリプションを追加",
public/locales/pt.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Moeda",
"currencyHint": "Define a moeda usada em toda a área de orçamento.",
"currencySaved": "Moeda salva.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "Assinaturas ICS",
"add": "Adicionar assinatura",
public/locales/ru.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Валюта",
"currencyHint": "Устанавливает валюту для всего раздела бюджета.",
"currencySaved": "Валюта сохранена.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "ICS-подписки",
"add": "Добавить подписку",
public/locales/sv.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Valuta",
"currencyHint": "Ställer in valutan som används i hela budgetavsnittet.",
"currencySaved": "Valuta sparad.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "ICS-prenumerationer",
"add": "Lägg till prenumeration",
public/locales/tr.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Para birimi",
"currencyHint": "Bütçe bölümünde kullanılan para birimini belirler.",
"currencySaved": "Para birimi kaydedildi.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "ICS Abonelikleri",
"add": "Abonelik ekle",
public/locales/uk.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "Валюта",
"currencyHint": "Встановлює валюту, що використовується в розділі бюджету.",
"currencySaved": "Валюту збережено.",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "ICS-підписки",
"add": "Додати підписку",
public/locales/zh.json
+22
View File
@@ -624,6 +624,28 @@
"currencyLabel": "货币",
"currencyHint": "设置整个预算区域使用的货币。",
"currencySaved": "货币已保存。",
"apiTokensTitle": "API Tokens",
"apiTokensCardTitle": "Access Tokens",
"apiTokensHint": "Create API tokens for external integrations. The full token is shown only once after creation.",
"apiTokenNameLabel": "Token name",
"apiTokenExpiresLabel": "Expiration date",
"apiTokenExpiresHint": "Leave empty to create a token without expiration.",
"apiTokenCreatedLabel": "New API token",
"apiTokenCreatedHint": "Store this token securely. It cannot be shown again.",
"apiTokenCreate": "Create token",
"apiTokenInvalidExpiration": "Please enter a valid expiration date.",
"apiTokenCreatedToast": "API token created.",
"apiTokenRevokedToast": "API token revoked.",
"apiTokenRevokeConfirm": "Revoke API token \"{{name}}\"?",
"apiTokenRevoke": "Revoke token",
"apiTokenRevoked": "Revoked",
"apiTokenExpired": "Expired",
"apiTokenActive": "Active",
"apiTokenPrefix": "Prefix",
"apiTokenExpires": "Expires",
"apiTokenNeverExpires": "No expiration",
"apiTokenLastUsed": "Last used",
"apiTokenNeverUsed": "Never used",
"ics": {
"title": "ICS 订阅",
"add": "添加订阅",
public/pages/settings.js
+139 -3
View File
@@ -59,15 +59,17 @@ export async function render(container, { user }) {
let prefs = { visible_meal_types: ['breakfast', 'lunch', 'dinner', 'snack'], currency: 'EUR' };
let categories = [];
let icsSubscriptions = [];
let apiTokens = [];
try {
const [usersRes, gStatus, aStatus, prefsRes, catsRes, icsRes] = await Promise.allSettled([
const [usersRes, gStatus, aStatus, prefsRes, catsRes, icsRes, apiTokensRes] = await Promise.allSettled([
user.role === 'admin' ? auth.getUsers() : Promise.resolve({ data: [] }),
api.get('/calendar/google/status'),
api.get('/calendar/apple/status'),
api.get('/preferences'),
api.get('/shopping/categories'),
api.get('/calendar/subscriptions'),
user.role === 'admin' ? api.get('/auth/api-tokens') : Promise.resolve({ data: [] }),
]);
if (usersRes.status === 'fulfilled') users = usersRes.value.data ?? [];
if (gStatus.status === 'fulfilled') googleStatus = gStatus.value;
@@ -75,6 +77,7 @@ export async function render(container, { user }) {
if (prefsRes.status === 'fulfilled') prefs = prefsRes.value.data ?? prefs;
if (catsRes.status === 'fulfilled') categories = catsRes.value.data ?? [];
if (icsRes.status === 'fulfilled') icsSubscriptions = icsRes.value.data ?? [];
if (apiTokensRes.status === 'fulfilled') apiTokens = apiTokensRes.value.data ?? [];
} catch (_) { /* non-critical */ }
const googleStatusText = googleStatus.connected
@@ -364,6 +367,35 @@ export async function render(container, { user }) {
</section>
${user?.role === 'admin' ? `
<section class="settings-section">
<h2 class="settings-section__title">${t('settings.apiTokensTitle')}</h2>
<div class="settings-card">
<h3 class="settings-card__title">${t('settings.apiTokensCardTitle')}</h3>
<p class="form-hint" style="margin-bottom:var(--space-3)">${t('settings.apiTokensHint')}</p>
<ul class="settings-members" id="api-token-list">
${apiTokens.map(apiTokenHtml).join('')}
</ul>
<form id="api-token-form" class="settings-form" autocomplete="off">
<div class="form-group">
<label class="form-label" for="api-token-name">${t('settings.apiTokenNameLabel')}</label>
<input class="form-input" type="text" id="api-token-name" maxlength="100" required />
</div>
<div class="form-group">
<label class="form-label" for="api-token-expires">${t('settings.apiTokenExpiresLabel')}</label>
<input class="form-input" type="datetime-local" id="api-token-expires" />
<p class="form-hint">${t('settings.apiTokenExpiresHint')}</p>
</div>
<div id="api-token-created" class="settings-token-output" hidden>
<label class="form-label" for="api-token-created-value">${t('settings.apiTokenCreatedLabel')}</label>
<input class="form-input" id="api-token-created-value" type="text" readonly />
<p class="form-hint">${t('settings.apiTokenCreatedHint')}</p>
</div>
<div id="api-token-error" class="form-error" hidden></div>
<button type="submit" class="btn btn--primary">${t('settings.apiTokenCreate')}</button>
</form>
</div>
</section>
<section class="settings-section">
<h2 class="settings-section__title">${t('settings.sectionFamily')}</h2>
<div class="settings-card" id="members-card">
@@ -424,17 +456,18 @@ export async function render(container, { user }) {
});
}
bindEvents(container, user, categories, icsSubscriptions);
bindEvents(container, user, categories, icsSubscriptions, apiTokens);
}
// --------------------------------------------------------
// Event-Binding
// --------------------------------------------------------
function bindEvents(container, user, categories, icsSubscriptions) {
function bindEvents(container, user, categories, icsSubscriptions, apiTokens) {
bindTabEvents(container);
bindCategoryEvents(container);
bindIcsEvents(container, user, icsSubscriptions);
bindApiTokenEvents(container, apiTokens);
// Theme-Toggle
const themeToggle = container.querySelector('#theme-toggle');
if (themeToggle) {
@@ -722,6 +755,109 @@ function bindDeleteButtons(container, user) {
});
}
function apiTokenHtml(token) {
const status = token.revoked_at
? t('settings.apiTokenRevoked')
: token.expires_at && new Date(token.expires_at).getTime() <= Date.now()
? t('settings.apiTokenExpired')
: t('settings.apiTokenActive');
const meta = [
`${t('settings.apiTokenPrefix')}: ${token.token_prefix}...`,
token.expires_at ? `${t('settings.apiTokenExpires')}: ${formatDateTime(token.expires_at)}` : t('settings.apiTokenNeverExpires'),
token.last_used_at ? `${t('settings.apiTokenLastUsed')}: ${formatDateTime(token.last_used_at)}` : t('settings.apiTokenNeverUsed'),
status,
].join(' · ');
return `
<li class="settings-member" data-api-token-id="${token.id}">
<div class="settings-member__info">
<span class="settings-member__name">${esc(token.name)}</span>
<span class="settings-member__meta">${esc(meta)}</span>
</div>
<button class="btn btn--icon btn--danger-outline" data-revoke-api-token="${token.id}" data-name="${esc(token.name)}" ${token.revoked_at ? 'disabled' : ''} aria-label="${t('settings.apiTokenRevoke')}">
<i data-lucide="ban" aria-hidden="true"></i>
</button>
</li>
`;
}
function renderApiTokenList(container, tokens) {
const list = container.querySelector('#api-token-list');
if (!list) return;
list.replaceChildren();
tokens.forEach((token) => {
const tmp = document.createElement('template');
tmp.innerHTML = apiTokenHtml(token);
list.appendChild(tmp.content.firstElementChild);
});
if (window.lucide) window.lucide.createIcons();
}
function datetimeLocalToIso(value) {
if (!value) return null;
const date = new Date(value);
return Number.isNaN(date.getTime()) ? null : date.toISOString();
}
function bindApiTokenEvents(container, initialTokens) {
const form = container.querySelector('#api-token-form');
const list = container.querySelector('#api-token-list');
if (!form || !list) return;
let tokens = [...initialTokens];
form.addEventListener('submit', async (e) => {
e.preventDefault();
const errorEl = container.querySelector('#api-token-error');
const output = container.querySelector('#api-token-created');
const outputValue = container.querySelector('#api-token-created-value');
errorEl.hidden = true;
output.hidden = true;
const name = container.querySelector('#api-token-name').value.trim();
const expiresValue = container.querySelector('#api-token-expires').value;
const expires_at = datetimeLocalToIso(expiresValue);
if (expiresValue && !expires_at) {
showError(errorEl, t('settings.apiTokenInvalidExpiration'));
return;
}
const btn = form.querySelector('[type=submit]');
btn.disabled = true;
try {
const res = await api.post('/auth/api-tokens', { name, expires_at });
tokens.unshift(res.data);
renderApiTokenList(container, tokens);
form.reset();
outputValue.value = res.token;
output.hidden = false;
outputValue.focus();
outputValue.select();
window.oikos?.showToast(t('settings.apiTokenCreatedToast'), 'success');
} catch (err) {
showError(errorEl, err.message);
} finally {
btn.disabled = false;
}
});
list.addEventListener('click', async (e) => {
const btn = e.target.closest('[data-revoke-api-token]');
if (!btn) return;
const id = Number(btn.dataset.revokeApiToken);
const name = btn.dataset.name;
if (!await confirmModal(t('settings.apiTokenRevokeConfirm', { name }), { danger: true, confirmLabel: t('settings.apiTokenRevoke') })) return;
try {
await api.delete(`/auth/api-tokens/${id}`);
tokens = tokens.map((token) => token.id === id ? { ...token, revoked_at: new Date().toISOString() } : token);
renderApiTokenList(container, tokens);
window.oikos?.showToast(t('settings.apiTokenRevokedToast'), 'default');
} catch (err) {
window.oikos?.showToast(err.message, 'danger');
}
});
}
// --------------------------------------------------------
// Kategorie-Verwaltung
public/styles/settings.css
+7
View File
@@ -321,6 +321,13 @@
width: 100%;
}
.settings-token-output {
padding: var(--space-3);
border: 1px solid var(--color-border);
border-radius: var(--radius-sm);
background: var(--color-surface-2);
}
/* --------------------------------------------------------
Theme-Toggle
-------------------------------------------------------- */
server/auth.js
+146
View File
@@ -8,12 +8,14 @@ import express from 'express';
import bcrypt from 'bcrypt';
import session from 'express-session';
import rateLimit from 'express-rate-limit';
import crypto from 'node:crypto';
import * as db from './db.js';
import { generateToken, csrfMiddleware } from './middleware/csrf.js';
import { createLogger } from './logger.js';
const log = createLogger('Auth');
const router = express.Router();
const API_TOKEN_PREFIX = 'oikos_';
// --------------------------------------------------------
// Session-Store (better-sqlite3, gleiche DB-Instanz wie App)
@@ -124,6 +126,60 @@ const loginLimiter = rateLimit({
message: { error: 'Zu viele Login-Versuche. Bitte warte kurz.', code: 429 },
});
function hashApiToken(token) {
return crypto.createHash('sha256').update(token, 'utf8').digest('hex');
}
function extractApiToken(req) {
const auth = req.headers.authorization || '';
if (auth.toLowerCase().startsWith('bearer ')) return auth.slice(7).trim();
return String(req.headers['x-api-key'] || '').trim();
}
function publicApiToken(row) {
return {
id: row.id,
name: row.name,
token_prefix: row.token_prefix,
created_by: row.created_by,
creator_name: row.creator_name,
expires_at: row.expires_at,
revoked_at: row.revoked_at,
last_used_at: row.last_used_at,
created_at: row.created_at,
};
}
function authenticateApiToken(req) {
const token = extractApiToken(req);
if (!token) return null;
const tokenHash = hashApiToken(token);
const row = db.get().prepare(`
SELECT t.*, u.role, u.username, u.display_name, u.avatar_color
FROM api_tokens t
JOIN users u ON u.id = t.created_by
WHERE t.token_hash = ?
AND t.revoked_at IS NULL
AND (t.expires_at IS NULL OR t.expires_at > strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
`).get(tokenHash);
if (!row) return null;
db.get().prepare(`
UPDATE api_tokens SET last_used_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now') WHERE id = ?
`).run(row.id);
req.apiToken = publicApiToken(row);
req.user = {
id: row.created_by,
username: row.username,
display_name: row.display_name,
avatar_color: row.avatar_color,
role: row.role,
};
return row;
}
// --------------------------------------------------------
// Auth-Guard Middleware
// --------------------------------------------------------
@@ -133,7 +189,18 @@ const loginLimiter = rateLimit({
* Schützt alle API-Routen außer /auth/login.
*/
function requireAuth(req, res, next) {
const apiToken = authenticateApiToken(req);
if (apiToken) {
req.authMethod = 'api_token';
req.session = {
userId: apiToken.created_by,
role: apiToken.role,
};
return next();
}
if (req.session && req.session.userId) {
req.authMethod = 'session';
return next();
}
res.status(401).json({ error: 'Not authenticated.', code: 401 });
@@ -225,6 +292,9 @@ router.post('/login', loginLimiter, async (req, res) => {
* Response: { ok: true }
*/
router.post('/logout', requireAuth, csrfMiddleware, (req, res) => {
if (req.authMethod === 'api_token') {
return res.json({ ok: true });
}
req.session.destroy((err) => {
if (err) {
log.error('Logout error:', err);
@@ -300,6 +370,10 @@ router.get('/me', requireAuth, (req, res) => {
return res.status(401).json({ error: 'User not found.', code: 401 });
}
if (req.authMethod === 'api_token') {
return res.json({ user });
}
// CSRF-Token erneuern falls vorhanden (wichtig fuer iOS-PWA-Resume:
// iOS kann den CSRF-Cookie verwerfen waehrend die Session-Cookie erhalten bleibt.
// /me ist der erste API-Call nach App-Resume, also hier den Cookie wiederherstellen.)
@@ -337,6 +411,78 @@ router.get('/users', requireAuth, requireAdmin, (req, res) => {
}
});
router.get('/api-tokens', requireAuth, requireAdmin, (req, res) => {
try {
const rows = db.get().prepare(`
SELECT t.*, u.display_name AS creator_name
FROM api_tokens t
LEFT JOIN users u ON u.id = t.created_by
ORDER BY t.created_at DESC
`).all();
res.json({ data: rows.map(publicApiToken) });
} catch (err) {
log.error('API token list error:', err);
res.status(500).json({ error: 'Internal server error.', code: 500 });
}
});
router.post('/api-tokens', requireAuth, requireAdmin, csrfMiddleware, (req, res) => {
try {
const name = String(req.body.name || '').trim();
const expiresAt = req.body.expires_at ? String(req.body.expires_at).trim() : null;
if (!name) return res.status(400).json({ error: 'Token name is required.', code: 400 });
if (name.length > 100) return res.status(400).json({ error: 'Token name may be at most 100 characters long.', code: 400 });
if (expiresAt && Number.isNaN(Date.parse(expiresAt))) {
return res.status(400).json({ error: 'expires_at must be a valid ISO date/time.', code: 400 });
}
if (expiresAt && new Date(expiresAt).getTime() <= Date.now()) {
return res.status(400).json({ error: 'Expiration date must be in the future.', code: 400 });
}
const token = API_TOKEN_PREFIX + crypto.randomBytes(32).toString('base64url');
const tokenHash = hashApiToken(token);
const tokenPrefix = token.slice(0, 12);
const normalizedExpiresAt = expiresAt ? new Date(expiresAt).toISOString() : null;
const result = db.get().prepare(`
INSERT INTO api_tokens (name, token_hash, token_prefix, created_by, expires_at)
VALUES (?, ?, ?, ?, ?)
`).run(name, tokenHash, tokenPrefix, req.session.userId, normalizedExpiresAt);
const row = db.get().prepare(`
SELECT t.*, u.display_name AS creator_name
FROM api_tokens t
LEFT JOIN users u ON u.id = t.created_by
WHERE t.id = ?
`).get(result.lastInsertRowid);
res.status(201).json({ data: publicApiToken(row), token });
} catch (err) {
log.error('API token creation error:', err);
res.status(500).json({ error: 'Internal server error.', code: 500 });
}
});
router.delete('/api-tokens/:id', requireAuth, requireAdmin, csrfMiddleware, (req, res) => {
try {
const id = parseInt(req.params.id, 10);
if (!Number.isFinite(id)) return res.status(400).json({ error: 'Invalid token ID.', code: 400 });
const result = db.get().prepare(`
UPDATE api_tokens
SET revoked_at = COALESCE(revoked_at, strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
WHERE id = ?
`).run(id);
if (result.changes === 0) return res.status(404).json({ error: 'API token not found.', code: 404 });
res.json({ ok: true });
} catch (err) {
log.error('API token revocation error:', err);
res.status(500).json({ error: 'Internal server error.', code: 500 });
}
});
/**
* POST /api/v1/auth/users
* Admin only. Erstellt neues Familienmitglied.
server/db-schema-test.js
+13
View File
@@ -144,6 +144,17 @@ const MIGRATIONS_SQL = {
created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
UNIQUE(category_key, name)
);
CREATE TABLE IF NOT EXISTS api_tokens (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL,
token_hash TEXT NOT NULL UNIQUE,
token_prefix TEXT NOT NULL,
created_by INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
expires_at TEXT,
revoked_at TEXT,
last_used_at TEXT,
created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
);
CREATE TRIGGER IF NOT EXISTS trg_users_updated_at
AFTER UPDATE ON users FOR EACH ROW
BEGIN UPDATE users SET updated_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now') WHERE id = OLD.id; END;
@@ -185,6 +196,8 @@ const MIGRATIONS_SQL = {
CREATE INDEX IF NOT EXISTS idx_notes_pinned ON notes(pinned);
CREATE INDEX IF NOT EXISTS idx_budget_date ON budget_entries(date);
CREATE INDEX IF NOT EXISTS idx_budget_created_by ON budget_entries(created_by);
CREATE INDEX IF NOT EXISTS idx_api_tokens_hash ON api_tokens(token_hash);
CREATE INDEX IF NOT EXISTS idx_api_tokens_created_by ON api_tokens(created_by);
`,
2: `
CREATE TABLE IF NOT EXISTS sync_config (
server/db.js
+20
View File
@@ -671,6 +671,26 @@ const MIGRATIONS = [
GROUP BY category, subcategory;
`,
},
{
version: 17,
description: 'API tokens for non-interactive authentication',
up: `
CREATE TABLE IF NOT EXISTS api_tokens (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL,
token_hash TEXT NOT NULL UNIQUE,
token_prefix TEXT NOT NULL,
created_by INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
expires_at TEXT,
revoked_at TEXT,
last_used_at TEXT,
created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
);
CREATE INDEX IF NOT EXISTS idx_api_tokens_hash ON api_tokens(token_hash);
CREATE INDEX IF NOT EXISTS idx_api_tokens_created_by ON api_tokens(created_by);
`,
},
];
/**
server/middleware/csrf.js
+2
View File
@@ -28,6 +28,8 @@ function generateToken() {
* Muss NACH requireAuth eingebunden werden.
*/
function csrfMiddleware(req, res, next) {
if (req.authMethod === 'api_token') return next();
// Token generieren falls noch nicht vorhanden (erste Request nach Login)
if (!req.session.csrfToken) {
req.session.csrfToken = generateToken();
test-db.js
+24 -3
View File
@@ -74,6 +74,7 @@ const EXPECTED_TABLES = [
'users', 'tasks', 'shopping_lists', 'shopping_items',
'meals', 'meal_ingredients', 'calendar_events',
'notes', 'contacts', 'budget_entries',
'budget_categories', 'budget_subcategories', 'api_tokens',
];
EXPECTED_TABLES.forEach((table) => {
@@ -88,9 +89,18 @@ EXPECTED_TABLES.forEach((table) => {
// --------------------------------------------------------
// Test 4: Alle updated_at-Triggers vorhanden
// --------------------------------------------------------
const EXPECTED_TRIGGERS = EXPECTED_TABLES.filter((t) => t !== 'schema_migrations').map(
(t) => `trg_${t}_updated_at`
);
const EXPECTED_TRIGGERS = [
'users',
'tasks',
'shopping_lists',
'shopping_items',
'meals',
'meal_ingredients',
'calendar_events',
'notes',
'contacts',
'budget_entries',
].map((t) => `trg_${t}_updated_at`);
EXPECTED_TRIGGERS.forEach((trigger) => {
test(`Trigger "${trigger}" existiert`, () => {
@@ -179,6 +189,17 @@ test('Idempotenz: Migration zweimal ausführen ändert nichts', () => {
assert(tables.n > 0, 'Tabellen sollten noch vorhanden sein');
});
test('API-Token anlegen und lesen', () => {
const result = db.prepare(`
INSERT INTO api_tokens (name, token_hash, token_prefix, created_by, expires_at)
VALUES ('MCP integration', 'hash-123', 'oikos_abc123', 1, '2026-12-31T23:59:59.000Z')
`).run();
const token = db.prepare('SELECT * FROM api_tokens WHERE id = ?').get(result.lastInsertRowid);
assert(token.name === 'MCP integration', 'Token name stimmt nicht');
assert(token.created_by === 1, 'Token creator stimmt nicht');
assert(token.revoked_at === null, 'Token sollte nicht widerrufen sein');
});
// --------------------------------------------------------
// Ergebnis
// --------------------------------------------------------