refactor: add server side validation schema for apiKeys (#4859)

* refactor: add tests for apiKey api routes

* refactor: move files to subfolder

* refactor: schema for apiKeys.create and apiKeys.delete

server/routes/api/apiKeys/apiKeys.test.ts

@@ -0,0 +1,75 @@
+import { buildApiKey, buildUser } from "@server/test/factories";
+import { getTestServer } from "@server/test/support";
+
+const server = getTestServer();
+
+describe("#apiKeys.create", () => {
+  it("should allow creating an api key", async () => {
+    const user = await buildUser();
+
+    const res = await server.post("/api/apiKeys.create", {
+      body: {
+        token: user.getJwtToken(),
+        name: "My API Key",
+      },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.name).toEqual("My API Key");
+  });
+
+  it("should require authentication", async () => {
+    const res = await server.post("/api/apiKeys.create");
+    expect(res.status).toEqual(401);
+  });
+});
+
+describe("#apiKeys.list", () => {
+  it("should return api keys of a user", async () => {
+    const user = await buildUser();
+    await buildApiKey({
+      name: "My API Key",
+      userId: user.id,
+    });
+
+    const res = await server.post("/api/apiKeys.list", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data[0].name).toEqual("My API Key");
+  });
+
+  it("should require authentication", async () => {
+    const res = await server.post("/api/apiKeys.list");
+    expect(res.status).toEqual(401);
+  });
+});
+
+describe("#apiKeys.delete", () => {
+  it("should delete users api key", async () => {
+    const user = await buildUser();
+    const apiKey = await buildApiKey({
+      name: "My API Key",
+      userId: user.id,
+    });
+
+    const res = await server.post("/api/apiKeys.delete", {
+      body: {
+        token: user.getJwtToken(),
+        id: apiKey.id,
+      },
+    });
+
+    expect(res.status).toEqual(200);
+  });
+
+  it("should require authentication", async () => {
+    const res = await server.post("/api/apiKeys.delete");
+    expect(res.status).toEqual(401);
+  });
+});

server/routes/api/apiKeys/apiKeys.ts

@@ -0,0 +1,95 @@
+import Router from "koa-router";
+import auth from "@server/middlewares/authentication";
+import validate from "@server/middlewares/validate";
+import { ApiKey, Event } from "@server/models";
+import { authorize } from "@server/policies";
+import { presentApiKey } from "@server/presenters";
+import { APIContext } from "@server/types";
+import pagination from "../middlewares/pagination";
+import * as T from "./schema";
+
+const router = new Router();
+
+router.post(
+  "apiKeys.create",
+  auth({ member: true }),
+  validate(T.APIKeysCreateSchema),
+  async (ctx: APIContext<T.APIKeysCreateReq>) => {
+    const { name } = ctx.request.body;
+    const { user } = ctx.state.auth;
+
+    authorize(user, "createApiKey", user.team);
+    const key = await ApiKey.create({
+      name,
+      userId: user.id,
+    });
+
+    await Event.create({
+      name: "api_keys.create",
+      modelId: key.id,
+      teamId: user.teamId,
+      actorId: user.id,
+      data: {
+        name,
+      },
+      ip: ctx.request.ip,
+    });
+
+    ctx.body = {
+      data: presentApiKey(key),
+    };
+  }
+);
+
+router.post(
+  "apiKeys.list",
+  auth({ member: true }),
+  pagination(),
+  async (ctx: APIContext) => {
+    const { user } = ctx.state.auth;
+    const keys = await ApiKey.findAll({
+      where: {
+        userId: user.id,
+      },
+      order: [["createdAt", "DESC"]],
+      offset: ctx.state.pagination.offset,
+      limit: ctx.state.pagination.limit,
+    });
+
+    ctx.body = {
+      pagination: ctx.state.pagination,
+      data: keys.map(presentApiKey),
+    };
+  }
+);
+
+router.post(
+  "apiKeys.delete",
+  auth({ member: true }),
+  validate(T.APIKeysDeleteSchema),
+  async (ctx: APIContext<T.APIKeysDeleteReq>) => {
+    const { id } = ctx.request.body;
+    const { user } = ctx.state.auth;
+
+    const key = await ApiKey.findByPk(id);
+    authorize(user, "delete", key);
+
+    await key.destroy();
+    await Event.create({
+      name: "api_keys.delete",
+      modelId: key.id,
+      teamId: user.teamId,
+      actorId: user.id,
+      data: {
+        name: key.name,
+      },
+      ip: ctx.request.ip,
+    });
+
+    ctx.body = {
+      success: true,
+    };
+  }
+);
+
+export default router;

server/routes/api/apiKeys/index.ts

@@ -0,0 +1 @@
+export { default } from "./apiKeys";

server/routes/api/apiKeys/schema.ts

@@ -0,0 +1,20 @@
+import { z } from "zod";
+import BaseSchema from "@server/routes/api/BaseSchema";
+
+export const APIKeysCreateSchema = BaseSchema.extend({
+  body: z.object({
+    /** API Key name */
+    name: z.string(),
+  }),
+});
+
+export type APIKeysCreateReq = z.infer<typeof APIKeysCreateSchema>;
+
+export const APIKeysDeleteSchema = BaseSchema.extend({
+  body: z.object({
+    /** API Key Id */
+    id: z.string().uuid(),
+  }),
+});
+
+export type APIKeysDeleteReq = z.infer<typeof APIKeysDeleteSchema>;