API Token CLI (#1271)

Adds a mechanism for generating API tokens from the CLI. Requires the default admin user to be present. From there the token can be used to create additional admins. In the future, we could allow specifying a user's email to generate the token for. Generate like so: ``` docker compose run --rm firezone bin/create-api-token ```
2026-01-27 10:18:54 +00:00 · 2023-01-09 14:59:18 -08:00
parent 19289165e0
commit b3ae440a36
3 changed files with 49 additions and 3 deletions
--- a/apps/fz_http/lib/fz_http/release.ex
+++ b/apps/fz_http/lib/fz_http/release.ex
@@ -3,7 +3,13 @@ defmodule FzHttp.Release do
  Adds common tasks to the production app because Mix is not available.
  """

-  alias FzHttp.{Repo, Users, Users.User}
+  alias FzHttp.{
+    ApiTokens,
+    Repo,
+    Users,
+    Users.User
+  }
+
  import Ecto.Query, only: [from: 2]
  require Logger

@@ -34,11 +40,16 @@ defmodule FzHttp.Release do
      end

    # Notify the user
-    IO.puts("Password reset! Check $HOME/.firezone/.env for sign in credentials.")
+    IO.puts("password reset to default credentials from env")

    reply
  end

+  def create_api_token(device \\ :stdio) do
+    device
+    |> IO.write(default_admin_user() |> mint_jwt())
+  end
+
  def change_password(email, password) do
    params = %{
      "password" => password,
@@ -63,6 +74,19 @@ defmodule FzHttp.Release do
    FzHttp.Config.fetch_env!(@app, :admin_email)
  end

+  defp default_admin_user do
+    Users.get_by_email(email())
+  end
+
+  defp mint_jwt(%User{} = user) do
+    {:ok, api_token} = ApiTokens.create_user_api_token(user, %{})
+
+    {:ok, secret, _claims} =
+      FzHttpWeb.Auth.JSON.Authentication.fz_encode_and_sign(api_token, user)
+
+    secret
+  end
+
  defp load_app do
    Application.load(@app)

--- a/apps/fz_http/test/fz_http/release_test.exs
+++ b/apps/fz_http/test/fz_http/release_test.exs
@@ -6,7 +6,13 @@ defmodule FzHttp.ReleaseTest do

  use FzHttp.DataCase, async: true

-  alias FzHttp.{Release, Users, Users.User}
+  alias FzHttp.{
+    ApiTokens,
+    Release,
+    Users,
+    UsersFixtures,
+    Users.User
+  }

  describe "migrate/0" do
    test "function runs without error" do
@@ -30,6 +36,19 @@ defmodule FzHttp.ReleaseTest do
    end
  end

+  describe "create_api_token/1" do
+    test "creates api_token_token for default admin user" do
+      admin_user =
+        UsersFixtures.user(%{
+          role: :admin,
+          email: FzHttp.Config.fetch_env!(:fz_http, :admin_email)
+        })
+
+      assert :ok = Release.create_api_token()
+      assert ApiTokens.count_by_user_id(admin_user.id) == 1
+    end
+  end
+
  describe "change_password/2" do
    setup [:create_user]

--- a/rel/overlays/bin/create-api-token
+++ b/rel/overlays/bin/create-api-token
@@ -0,0 +1,3 @@
+#!/bin/sh
+cd -P -- "$(dirname -- "$0")"
+exec ./firezone rpc FzHttp.Release.create_api_token