feat(saas): public API + PAT tokens (slice 7, stacked on #219)#220
Merged
Conversation
Slice 7: B2B integration surface. Scripts/CI/Zapier can drive ScopeWeave. - server/db.mjs: api_tokens table (stores only a SHA-256 hash + display prefix). - server/auth.mjs: generateApiToken (swk_<random>, hash, prefix) + hashApiToken. - server/app.mjs: requireAuth now accepts a PAT (Authorization: Bearer swk_...) OR a session JWT — PATs look up by hash, act as their user, bump last_used. Endpoints: POST /api/tokens (returns the secret ONCE), GET /api/tokens (name/prefix/last_used — never the secret), DELETE /api/tokens/:id. - cloud-sync.js: 'API 토큰' section in the team modal (create shows the secret once, list by prefix, revoke). - docs/api.md: public API + PAT usage. - tests/api/smoke.mjs: create PAT → use it on /api/projects → list shows prefix not secret + lastUsed → revoke → PAT rejected 401 → double-revoke 404. Security: only the token hash is stored; the secret is shown once and never returned again; revocation deletes the hash. Verification: npm run test:api ✓ · npm run test:unit ✓ · app.js eval-safe ✓ · real browser: token 'CI 파이프라인' created, secret shown once, listed by prefix. Stacked on #219. No new deps. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018LMoqYsUY6usjNMBjvxCbU
This was referenced Jul 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
SaaS pivot — slice 7 of N (stacked on #219)
B2B integration surface — scripts, CI, and integrations can drive ScopeWeave via Personal Access Tokens.
Server
api_tokenstable stores only a SHA-256 hash + a displayprefix(never the secret).requireAuthaccepts a PAT (Authorization: Bearer swk_…) or a session JWT — PATs resolve by hash, act as their user, bumplast_used.POST /api/tokens(returns the secret once),GET /api/tokens(name/prefix/last-used — never the secret),DELETE /api/tokens/:id(revoke).Client
API 토큰section in the team modal: create (secret shown once), list by prefix, revoke.Docs
docs/api.md— endpoints + PAT usage + curl examples.Verified
npm run test:api✓ — create PAT → authenticate/api/projects→ list shows prefix (not secret) +lastUsed→ revoke → 401 → double-revoke 404.npm run test:unit✓ · app.js eval-safe ✓.CI 파이프라인created, secret shown once, listed by prefixswk_….Security
Only the hash is stored; the secret is shown once and never retrievable; revocation deletes the hash. Constant-time not needed (lookup is by exact SHA-256 hash, not comparison).
🤖 Generated with Claude Code