Add Internal v2 API Access Token Generation for Users#3597
Open
aaronskiba wants to merge 11 commits intoapi_v2_dmponlinefrom
Open
Add Internal v2 API Access Token Generation for Users#3597aaronskiba wants to merge 11 commits intoapi_v2_dmponlinefrom
aaronskiba wants to merge 11 commits intoapi_v2_dmponlinefrom
Conversation
Generated by 🚫 Danger |
momo3404
reviewed
Feb 11, 2026
| authorize current_user, :internal_user_v2_access_token? | ||
| @token = Api::V2::InternalUserAccessTokenService.rotate!(current_user) | ||
| respond_to do |format| | ||
| format.js { render 'users/refresh_token' } |
Collaborator
There was a problem hiding this comment.
Would it be possible for this endpoint to be hit without JS?
Contributor
Author
There was a problem hiding this comment.
Yes, it's technically possible via a direct POST (but that would fail without proper authentication).
Our UI only initiates this action through JS. This is consistent with the legacy token refresh pattern, where JS rendering is implicit. To reuse refresh_token.js.erb, we need to explicitly add format.js { render 'users/refresh_token' }.
| Doorkeeper::AccessToken.find_by(user_token_filter(user)) | ||
| end | ||
|
|
||
| def rotate!(user) |
Collaborator
There was a problem hiding this comment.
Would it be possible for this to fail in the creation stage? If so, I'm just wondering if we have ample error handling for that scenario.
Contributor
Author
There was a problem hiding this comment.
I will at least add some handling in case the internal OAuth application is not found.
Collaborator
|
There's two documentation related Rubocop errors
|
aaronskiba
force-pushed
the
aaron/feature/v2-api-token-for-internal-users
branch
3 times, most recently
from
a5c24c6 to
23a2230
Compare
- Creates a first-party Doorkeeper client for issuing internal v2 API tokens - Sets redirect_uri to OOB, scopes to 'read', and marks it as confidential - Ensures the internal application exists in all environments before token service is used
aaronskiba
force-pushed
the
aaron/feature/v2-api-token-for-internal-users
branch
2 times, most recently
from
ad94297 to
5c24cdf
Compare
This service manages user-scoped v2 API access tokens for internal app users. - Tokens are equivalent to first-party Personal Access Tokens (PATs) and are issued directly to authenticated users, bypassing the full OAuth 2.0 authorization_code flow. - Supports token creation, rotation, and revocation. - Uses Doorkeeper::AccessToken records for consistent scoping, expiry, and revocation handling. - Designed strictly for internal usage; third-party OAuth clients are not supported.
Adds `Api::V2::InternalUserAccessTokensController#create` with Pundit authorization and routing. Also reuses the existing `users/refresh_token.js.erb` response to update the UI via JS. `@success` is read by `app/views/users/refresh_token.js.erb` (similar approach as `UsersController#refresh_token`)
This change updates `app/views/devise/registrations/_api_token.html.erb` to include support for the v2 API access token. Existing v0/v1 token support is retained. - Introduce V2 token lookup via `Api::V2::InternalUserAccessTokenService` - Display a dedicated V2 API access token section with its own regeneration action
This change breaks refactors `_api_token.html.erb` into additional separate partials: 1) app/views/devise/registrations/_legacy_api_token.html.erb 2) app/views/devise/registrations/_v2_api_token.html.erb In addition to the refactor, the following changes have been made: - `<div id="api-token"` has been renamed to `<div id="legacy-api-token"` - A `<div id="api-tokens">` wrapper has been added in app/views/devise/registrations/_api_token.html.erb. - `app/views/users/refresh_token.js.erb` now references the '#api-tokens' wrapper.
The API Access tab is now visible to all users to support the new v2 API token, which is accessible to everyone. The existing v0/v1 legacy token remains restricted and continues to use the previous authorization and rendering logic within the tab.
Styling changes can be viewed at /users/edit#api-details
`InternalUserAccessTokenService`: add `application!` (lookup + raise) and `application_present?` (safe check with logging) `_v2_api_token.html.erb`: gate token UI on `application_present?` and show a warning when missing.
Add request specs for InternalUserAccessTokensController - Include both authenticated & unauthenticated user scenarios - Include both present & absent internal OAuth app scenarios Add service specs for InternalUserAccessTokenService - Test token retrieval, rotation, and OAuth app presence - Verify old token revocation when rotating Add view specs for API token partials - Test legacy partial rendering based on `user.can_use_api?` - Test OAuth application availability scenarios
Add `defaults: { format: :js }` to the internal_user_access_token route, allowing callers to omit the explicit format parameter.
aaronskiba
force-pushed
the
aaron/feature/v2-api-token-for-internal-users
branch
from
5c24cdf to
6a54ad5
Compare
aaronskiba
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
Summary
This PR introduces support for issuing internal, user-scoped v2 API access tokens, managed entirely within the application (first-party tokens) for internal users.
Key Changes
Create internal Doorkeeper app via rake task
bundle exec rake doorkeeper:ensure_internal_appCreate Api::V2::InternalUserAccessTokenService
Add "POST /api/v2/internal_user_access_token" action & route
Adds
Api::V2::InternalUserAccessTokensController#createwith Pundit authorization and routing. Also reuses the existingusers/refresh_token.js.erbresponse to update the UI via JS.@successis read byapp/views/users/refresh_token.js.erb(similar approach asUsersController#refresh_token)Add API v2 section to /users/edit#api-details
app/views/devise/registrations/_api_token.html.erbto include support for the v2 API access token. Existing v0/v1 token support is retained.Api::V2::InternalUserAccessTokenServiceExpose API Access tab to all users / restrict legacy token rendering
which is accessible to everyone.
Add test coverage for internal v2 token generation
Add request specs for InternalUserAccessTokensController
Add service specs for InternalUserAccessTokenService
Add view specs for API token partials
user.can_use_api?