Add Bearer token authentication for API access #3

Open
opened 2026-03-16 21:12:21 +00:00 by austin · 0 comments
Owner

The CLI needs a way to authenticate to the API without browser cookies. Currently only cookie-based sessions exist.

What needs to happen

Add a POST /auth/token endpoint (behind auth) that generates and returns a long-lived API token. The token is returned once at creation and never stored in plaintext.

New migration: api_tokens table with columns:

  • id TEXT PRIMARY KEY
  • user_id TEXT NOT NULL REFERENCES users(id)
  • token_hash TEXT NOT NULL (SHA256 — tokens are high-entropy random strings, fast hash is fine)
  • name TEXT NOT NULL
  • created_at DATETIME DEFAULT CURRENT_TIMESTAMP
  • expires_at DATETIME

Auth middleware change: Check for Authorization: Bearer <token> header in addition to session cookies. On Bearer auth, SHA256 hash the provided token and look it up in api_tokens.

Key files

  • internal/db/migrations.go — new migration for api_tokens table
  • internal/auth/ — middleware update to check Bearer header
  • internal/api/server.go — new route for POST /auth/token
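The token generation, SHA256 hashing and Bearer lookup described in this issue, as an added Go example that is not part of the vektor code base. The in-memory tokenStore, the function names and the present/ok return convention are assumptions standing in for the api_tokens table and the middleware change; the cookie path itself is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"strings"
	"time"
)

// apiToken mirrors a row of the proposed api_tokens table; tokenStore is an in-memory
// stand-in (constructed for this example) keyed by SHA-256(token), i.e. token_hash.
type apiToken struct {
	ID, UserID, Name string
	ExpiresAt        time.Time // zero value: no expiry (expires_at NULL)
}
type tokenStore map[[32]byte]apiToken

// Plain SHA-256 suffices here: the token is 256 bits of CSPRNG output, not a password.
func hashToken(tok string) [32]byte { return sha256.Sum256([]byte(tok)) }

// newToken returns the plaintext exactly once and persists only its hash.
func (s tokenStore) newToken(id, userID, name string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	plain := base64.RawURLEncoding.EncodeToString(raw) // 43 chars, URL/header safe
	t := apiToken{ID: id, UserID: userID, Name: name}
	if ttl > 0 {
		t.ExpiresAt = now.Add(ttl)
	}
	s[hashToken(plain)] = t
	return plain, nil
}

// bearerUser resolves "Authorization: Bearer <token>". present=false means no Bearer
// header was sent (middleware should fall back to the session cookie); present=true
// with ok=false means the token is unknown or expired and the request must be rejected.
func (s tokenStore) bearerUser(authz string, now time.Time) (userID string, present, ok bool) {
	const prefix = "bearer " // scheme name is case-insensitive
	if len(authz) < len(prefix) || !strings.EqualFold(authz[:len(prefix)], prefix) {
		return "", false, false
	}
	t, found := s[hashToken(strings.TrimSpace(authz[len(prefix):]))]
	if !found || (!t.ExpiresAt.IsZero() && !now.Before(t.ExpiresAt)) {
		return "", true, false
	}
	return t.UserID, true, true
}
```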
austin added this to the Fix Foundation milestone 2026-03-16 21:12:21 +00:00
austin self-assigned this 2026-03-16 21:12:21 +00:00
austin added this to the Vektor - CLI project 2026-03-16 21:12:21 +00:00
Reference
austin/vektor#3