
Add device authorization flow for API token management#35

Merged

dimiro1 merged 3 commits into main from feature/device-auth-flow on Mar 22, 2026

Conversation

@dimiro1 (Owner) commented Mar 15, 2026

Summary

  • Implement OAuth 2.0-style device authorization flow enabling external tools to authenticate with Lunar
  • Add API token management (create via device approval, list, revoke) with secure hash-only storage
  • Add frontend views for device approval and connected clients management
  • Extend auth middleware to accept Bearer tokens alongside the admin API key

This is the foundation work to enable a CLI client that will come later.

What's included

Server-side:

  • api_tokens table (migration 000010) storing only SHA-256 hashes of tokens
  • In-memory DeviceAuthStore for short-lived pending auth requests (5 min TTL)
  • Four device auth endpoints: POST /api/auth/device-request, GET/POST /api/auth/device-approve, GET /api/auth/device-token
  • Token management endpoints: GET /api/tokens, POST /api/tokens/{id}/revoke
  • AuthMiddleware extended to validate Bearer tokens via hashed lookup
  • internal/token package for secure token generation and hashing

Frontend:

  • Device approval view (#!/device-approve/:code) with new CodeDisplay component
  • Connected clients view (#!/clients) matching existing table layout patterns
  • Functions and Clients links added to navbar and command palette
  • OpenAPI docs updated with all new endpoints and schemas
  • Full i18n support (en + pt-BR)

Screenshots:
[image: Screenshot 2026-03-15 at 21 39 04]
[image: Screenshot 2026-03-15 at 21 32 53]
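The hash-only token storage and the Bearer-token middleware described in the summary, as an added example written for this page rather than Lunar's own internal/token package or AuthMiddleware: a token is generated from crypto/rand, only its SHA-256 digest is kept (a map stands in for the api_tokens table), and the middleware accepts either the admin API key or a Bearer token resolved by hashed lookup. The `lunar_` prefix, the `X-API-Key` header name and the store's shape are assumptions made here, not details taken from the PR.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// GenerateToken returns the plaintext token (shown to the client exactly once)
// and the SHA-256 digest that is the only thing written to storage.
// The "lunar_" prefix is an assumption for this example, not the project's format.
func GenerateToken() (plain, hash string, err error) {
	raw := make([]byte, 32) // 256 bits from crypto/rand
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	plain = "lunar_" + base64.RawURLEncoding.EncodeToString(raw)
	return plain, HashToken(plain), nil
}

// HashToken is the lookup key for a token. No salt is needed: the input is
// 256 random bits, so precomputed tables are useless against it.
func HashToken(plain string) string {
	sum := sha256.Sum256([]byte(plain))
	return hex.EncodeToString(sum[:])
}

// TokenStore stands in for the api_tokens table. Rows are keyed by digest,
// so a leaked copy of the table yields no usable credential.
type TokenStore struct {
	mu     sync.Mutex
	byHash map[string]string // digest -> client name; revoked rows are deleted
}

func NewTokenStore() *TokenStore { return &TokenStore{byHash: map[string]string{}} }

func (s *TokenStore) Insert(hash, client string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byHash[hash] = client
}

func (s *TokenStore) Revoke(hash string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.byHash, hash)
}

// Lookup hashes the presented token and looks the digest up: the plaintext
// never reaches storage or logs.
func (s *TokenStore) Lookup(plain string) (client string, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	client, ok = s.byHash[HashToken(plain)]
	return client, ok
}

// AuthMiddleware accepts the admin API key or a Bearer token. The X-API-Key
// header name is an assumption for this example; the PR does not name it.
func AuthMiddleware(adminKey string, store *TokenStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if k := r.Header.Get("X-API-Key"); k != "" &&
			subtle.ConstantTimeCompare([]byte(k), []byte(adminKey)) == 1 {
			next.ServeHTTP(w, r)
			return
		}
		if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
			if _, ok := store.Lookup(strings.TrimPrefix(auth, "Bearer ")); ok {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// OKHandler is the protected resource: it answers 200 to anything that gets through.
func OKHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
}

// StatusFor drives a handler with the given request headers and returns the status code.
func StatusFor(h http.Handler, headers map[string]string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/tokens", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := NewTokenStore()
	plain, hash, err := GenerateToken()
	if err != nil {
		panic(err)
	}
	store.Insert(hash, "example-cli") // persist the digest only
	h := AuthMiddleware("admin-key-for-demo", store, OKHandler())
	fmt.Println("valid bearer:", StatusFor(h, map[string]string{"Authorization": "Bearer " + plain}))
	store.Revoke(hash)
	fmt.Println("after revoke:", StatusFor(h, map[string]string{"Authorization": "Bearer " + plain}))
}
```

Revocation is immediate because every request re-hashes the presented token and consults the store; there is no cached session to outlive the row. The admin key is compared with `subtle.ConstantTimeCompare` since, unlike the random token, it is compared directly against a stored secret.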

dimiro1 added 3 commits March 15, 2026 21:31

Implement OAuth 2.0-style device authorization flow to enable external
tools (e.g. a future CLI) to authenticate with Lunar. A device requests
a code, the user approves it in the browser, and the device receives an
API token for subsequent requests.

Server-side:
- Add api_tokens table (migration 000010) with token hash storage
- Implement DeviceAuthStore for in-memory pending auth requests
- Add endpoints: device-request, device-approve, device-token
- Add token management endpoints: list and revoke
- Extend AuthMiddleware to accept Bearer tokens (hashed lookup)
- Add token generation package (internal/token)

Frontend:
- Add device approval view with CodeDisplay component
- Add connected clients view with token table
- Add Functions and Clients links to navbar
- Add Clients entry to command palette
- Update OpenAPI docs, translations (en/pt-BR), routes

This is the foundation work to enable a CLI client that will come later.

Remove page header, use CardHeader for the title instead. Card is
horizontally centered with max-width and margin auto. Remove unused
.centered-page CSS.

Check json.Decode return values to satisfy golangci-lint errcheck rule.
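The three-step flow the first commit message describes (a device requests a code, the user approves it in the browser, the device receives an API token) as an added example written for this page, not the project's DeviceAuthStore: an in-memory store with the 5-minute TTL from the summary, a separate secret device code for polling and a short user code for approval, single-use token release, and an injectable clock so expiry can be exercised. Code lengths and formats, the error names and the `lunar_` prefix are assumptions made here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// pendingTTL is the 5-minute lifetime the PR gives unapproved requests.
const pendingTTL = 5 * time.Minute

var (
	ErrUnknownCode     = errors.New("unknown or expired code")
	ErrPending         = errors.New("authorization pending")
	ErrAlreadyApproved = errors.New("code already approved")
)

type pendingAuth struct {
	deviceCode string    // secret, known only to the requesting device; used for polling
	userCode   string    // short code the human confirms in the browser
	client     string    // name the device gave for itself
	expires    time.Time // request is discarded after this instant
	approvedBy string    // empty until a logged-in user approves
	token      string    // issued at approval, released to the device once
}

// DeviceAuthStore keeps pending requests in memory only. Losing them on a
// restart is acceptable: the device simply requests a new code.
type DeviceAuthStore struct {
	mu     sync.Mutex
	now    func() time.Time // injectable clock so expiry can be tested
	byDev  map[string]*pendingAuth
	byUser map[string]*pendingAuth
}

func NewDeviceAuthStore(now func() time.Time) *DeviceAuthStore {
	return &DeviceAuthStore{now: now, byDev: map[string]*pendingAuth{}, byUser: map[string]*pendingAuth{}}
}

func randomHex(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return hex.EncodeToString(b)
}

// Request models POST /api/auth/device-request.
func (s *DeviceAuthStore) Request(client string) (deviceCode, userCode string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sweep()
	p := &pendingAuth{
		deviceCode: randomHex(16), // 128 bits: unguessable by a third party polling
		userCode:   randomHex(4),  // 8 hex chars; the real format is an assumption here
		client:     client,
		expires:    s.now().Add(pendingTTL),
	}
	s.byDev[p.deviceCode] = p
	s.byUser[p.userCode] = p
	return p.deviceCode, p.userCode
}

// Approve models POST /api/auth/device-approve. It must only be reachable from
// an authenticated browser session; user is that session's identity.
func (s *DeviceAuthStore) Approve(userCode, user string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sweep()
	p, ok := s.byUser[userCode]
	if !ok {
		return ErrUnknownCode
	}
	if p.approvedBy != "" {
		return ErrAlreadyApproved
	}
	p.approvedBy = user
	p.token = "lunar_" + randomHex(32) // only this token's hash would go to api_tokens
	return nil
}

// Poll models GET /api/auth/device-token. The token is released exactly once,
// after which the pending request is discarded.
func (s *DeviceAuthStore) Poll(deviceCode string) (token string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sweep()
	p, ok := s.byDev[deviceCode]
	if !ok {
		return "", ErrUnknownCode
	}
	if p.approvedBy == "" {
		return "", ErrPending
	}
	delete(s.byDev, p.deviceCode)
	delete(s.byUser, p.userCode)
	return p.token, nil
}

// sweep drops expired requests; callers hold s.mu.
func (s *DeviceAuthStore) sweep() {
	now := s.now()
	for k, p := range s.byDev {
		if now.After(p.expires) {
			delete(s.byDev, k)
			delete(s.byUser, p.userCode)
		}
	}
}

func main() {
	s := NewDeviceAuthStore(time.Now)
	dev, usr := s.Request("example-cli")
	_, err := s.Poll(dev)
	fmt.Println("before approval:", err)
	fmt.Println("approve:", s.Approve(usr, "alice"))
	tok, _ := s.Poll(dev)
	fmt.Println("token issued:", tok != "")
}
```

Keeping the polling credential (device code) separate from the code the user sees matters: the user code is short enough to read off a screen, so it must never be sufficient on its own to collect the token. The sweep on every call plus the single-use release mean an approved-but-never-collected token disappears with the request after the TTL.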
@dimiro1 (Owner, Author) commented Mar 15, 2026

Could you take a look @adamcrossland?

@dimiro1 dimiro1 merged commit 8a6ae06 into main Mar 22, 2026
2 checks passed
@adamcrossland (Contributor) commented:
So sorry, but I missed this.
