Skip to content

Scoped API tokens with clearance group access #1766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lamppu wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Scoped API tokens with clearance group access #1766

lamppu wants to merge 8 commits into from

Conversation

@lamppu
Copy link
Member

@lamppu lamppu commented Jan 29, 2026
edited
Loading

Add API clients as a top-level entity to group API tokens, e.g. per customer or client instance. This hierarchy structure can later be used to aggregate and compare usage data per client and possibly limit requests per client. The tokens are added with support for two different scopes, to allow for separating access to scan data and clearance data. This PR also adds the basis for allowing access for a token to specific clearance groups in a ranked order. Applying this access in the package configurations endpoint will be added in a separate PR.

@lamppu lamppu temporarily deployed to unittest-environment January 29, 2026 07:38 — with GitHub Actions Inactive
@lamppu lamppu force-pushed the scoped-api-tokens-with-clearance-groups-access branch from fb39f4a to 94f14e5 Compare January 29, 2026 09:40
@lamppu lamppu temporarily deployed to test-environment January 29, 2026 09:40 — with GitHub Actions Inactive
@lamppu lamppu temporarily deployed to unittest-environment January 29, 2026 09:40 — with GitHub Actions Inactive
@lamppu lamppu force-pushed the scoped-api-tokens-with-clearance-groups-access branch from 94f14e5 to 391523b Compare January 29, 2026 10:21
@lamppu lamppu temporarily deployed to test-environment January 29, 2026 10:21 — with GitHub Actions Inactive
@lamppu lamppu temporarily deployed to unittest-environment January 29, 2026 10:21 — with GitHub Actions Inactive
@lamppu lamppu force-pushed the scoped-api-tokens-with-clearance-groups-access branch from 391523b to e845bf8 Compare January 29, 2026 10:22
@lamppu lamppu temporarily deployed to unittest-environment January 29, 2026 10:22 — with GitHub Actions Inactive
@lamppu lamppu temporarily deployed to test-environment January 29, 2026 10:22 — with GitHub Actions Inactive
@lamppu lamppu force-pushed the scoped-api-tokens-with-clearance-groups-access branch from e845bf8 to 2e68120 Compare January 29, 2026 10:34
@lamppu lamppu temporarily deployed to test-environment January 29, 2026 10:34 — with GitHub Actions Inactive
@lamppu lamppu temporarily deployed to unittest-environment January 29, 2026 10:34 — with GitHub Actions Inactive
lamppu added 8 commits January 29, 2026 12:49
@lamppu
feat(database): Add API client and scoped token management tables
d035970 
Introduce an API client as a top-level entity to group API tokens, e.g. per
customer or client instance (such as an ORT Server instance). This will
also later allow for aggregating usage data per client for comparison.

The API tokens are added with support for scoped access to the API, as well
as a ranked access to specific clearance groups. The ranking order will be
used to determine which clearance items to return in case there are
multiple clearance items for the same entity from different groups.

Signed-off-by: Johanna Lamppu <[email protected]>
@lamppu
feat(api): Add CRUD endpoints for handling API clients
f7218fc 
Signed-off-by: Johanna Lamppu <[email protected]>
@lamppu
feat(api): Add module for auth cache
f650372 
Export the cache from a module to use the same cache instance from several
places. This allows for invalidating a specific token in the cache for
example when revoking the token.

It should be noted though, that in the case of multiple server replicas,
the cache could be implemented for example as a shared Redis cache, as the
Node cache will exist within a single Node process. But in the context of
this PR, the cache will only be used for the frequently polled job state
endpoint, so invalidating the cache before the TTL has expired is not
critical.

Signed-off-by: Johanna Lamppu <[email protected]>
@lamppu
feat(api): Add CRUD endpoints for API tokens
3a66dc7 
Use an HMAC secret for hashing the API tokens. This prevents raw token
disclosure from the database but still allows a fast and deterministic
lookup during request authentication. It also allows for emergency
invalidation of all tokens by rotating the secret.

The ranking order of the clearance groups to allow a token access to is
based on the order of which they are given in the request body. Updating
the ranking or the clearance groups will be done by providing the whole
list in the patch request.

Adding or removing a scope from a token is performed similarly, with a
patch request for the token.

Signed-off-by: Johanna Lamppu <[email protected]>
@lamppu
chore(api): Make Express request augmentation explicitly global
11900f3 
Ensure Express Request type augmentation remains global even when the file
contains imports, by explicitly using `declare global`. Without imports
TypeScript treats the file as a global script, but when imports are added,
it treats it as a module instead. This is done in preparation of extending
the type in a way that requires an import.

Signed-off-by: Johanna Lamppu <[email protected]>
@lamppu
feat(api): Add middleware function for authenticating API token
27ec60c 
The function authenticates the token and saves the available scopes and
clearance groups (in the ranking order) in the request object. Also add a
function for authorizing requests only for a specific scope.

Signed-off-by: Johanna Lamppu <[email protected]>
@lamppu
test(api): Add fixture wrapper for scanner router tests
ae5b065 
Also use an API request context from the new fixture wrapper in the
existing scanner router tests and edit test descriptions slightly.

Signed-off-by: Johanna Lamppu <[email protected]>
@lamppu
refactor(api): Switch to the new middleware for authentication
6e2fb24 
Use the new middleware for authentication and the scoped authorization in
the scanner router.

Signed-off-by: Johanna Lamppu <[email protected]>
@lamppu lamppu force-pushed the scoped-api-tokens-with-clearance-groups-access branch from 2e68120 to 6e2fb24 Compare January 29, 2026 10:51
@lamppu lamppu deployed to test-environment January 29, 2026 10:51 — with GitHub Actions Active
@lamppu lamppu deployed to unittest-environment January 29, 2026 10:51 — with GitHub Actions Active
@lamppu lamppu marked this pull request as ready for review January 29, 2026 10:51
@lamppu lamppu requested a review from a team as a code owner January 29, 2026 10:51
@Etsija
Copy link
Member

Etsija commented Jan 29, 2026

A general question: will we be needing two separate tokens from now on / in future, one for the DOS Scanner and one for the PCP? If that happens at some point, it needs to be then clearly communicated to all customers (including us developers) and thought should be given to how to distribute these tokens.

@lamppu
Copy link
Member Author

lamppu commented Jan 29, 2026

A general question: will we be needing two separate tokens from now on / in future, one for the DOS Scanner and one for the PCP? If that happens at some point, it needs to be then clearly communicated to all customers (including us developers) and thought should be given to how to distribute these tokens.

The same token can (and in the current cases will) be provided access to both the scan data and the clearance data, so both scopes can be added to the same token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Etsija Etsija Etsija approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lamppu @Etsija