NET-2000: Api access tokens (#3418)

* feat: api access tokens

* revoke all user tokens

* redefine access token api routes, add auto egress option to enrollment keys

* fix revoked tokens to be unauthorized

* remove unused functions

* convert access token to sql schema

* switch access token to sql schema

* revoke token generated by a user

* add user token creation restriction by user role

* add forbidden check for access token creation

* revoke user token when group or role is changed

* add default group to admin users on update

* fix token removal on user update

* fix token removal on user update
Abhishek K
2025-04-23 20:21:42 +04:00
committed by GitHub
parent d5bdc723fc
commit ca95954fb5
28 changed files with 507 additions and 200 deletions


@@ -169,6 +169,7 @@ func CreateUser(user *models.User) error {
if IsOauthUser(user) == nil {
user.AuthType = models.OAuth
}
AddGlobalNetRolesToAdmins(user)
_, err = CreateUserJWT(user.UserName, user.PlatformRoleID)
if err != nil {
logger.Log(0, "failed to generate token", err.Error())
@@ -186,7 +187,6 @@ func CreateUser(user *models.User) error {
logger.Log(0, "failed to insert user", err.Error())
return err
}
AddGlobalNetRolesToAdmins(*user)
return nil
}
@@ -305,7 +305,7 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
}
user.UserGroups = userchange.UserGroups
user.NetworkRoles = userchange.NetworkRoles
AddGlobalNetRolesToAdmins(*user)
AddGlobalNetRolesToAdmins(user)
err := ValidateUser(user)
if err != nil {
return &models.User{}, err
@@ -349,19 +349,18 @@ func ValidateUser(user *models.User) error {
}
// DeleteUser - deletes a given user
func DeleteUser(user string) (bool, error) {
func DeleteUser(user string) error {
if userRecord, err := database.FetchRecord(database.USERS_TABLE_NAME, user); err != nil || len(userRecord) == 0 {
return false, errors.New("user does not exist")
return errors.New("user does not exist")
}
err := database.DeleteRecord(database.USERS_TABLE_NAME, user)
if err != nil {
return false, err
return err
}
go RemoveUserFromAclPolicy(user)
return true, nil
return (&models.UserAccessToken{UserName: user}).DeleteAllUserTokens()
}
func SetAuthSecret(secret string) error {
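Review bot: In DeleteUser the access tokens are revoked only after `database.DeleteRecord` has already removed the user, so a failure in `DeleteAllUserTokens()` returns an error for a user that no longer exists. A retry then stops at the `user does not exist` check and never reaches the token cleanup, which can leave that user's API tokens in the store; whether they would still authenticate depends on validation code not shown here. Revoking first keeps the operation retryable: place `if err := (&models.UserAccessToken{UserName: user}).DeleteAllUserTokens(); err != nil { return err }` ahead of the `database.DeleteRecord` call and end the function with `return nil`. A short doc comment on DeleteUser stating that it also revokes the user's tokens would help callers that relied on the old `(bool, error)` result.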