Files
triggerdotdev--trigger.dev/apps/webapp/app/routes/api.v1.auth.user-actor-token.ts
T
2026-07-13 13:32:57 +08:00

83 lines
3.5 KiB
TypeScript

import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
import { signUserActorToken } from "@trigger.dev/rbac";
import { z } from "zod";
import { env } from "~/env.server";
import { logger } from "~/services/logger.server";
import { rbac } from "~/services/rbac.server";
// Callers pick the TTL (default 1h) up to a hard ceiling; renewal = mint again
// with the PAT. The default is short, but the ceiling allows long-lived tokens
// for callers that need them (e.g. a long-running integration).
const DEFAULT_UAT_TTL_SECONDS = 60 * 60; // 1 hour
const MAX_UAT_TTL_SECONDS = 365 * 24 * 60 * 60; // 365 days
// Mint a short-lived delegated user-actor token (`tr_uat_`) from a personal
// access token. A UAT is a strict downgrade of the PAT: same user identity,
// short-lived, optionally narrowed by `cap`. It lets a holder (an agent, the
// MCP server, an IDE) act as the user without carrying a long-lived PAT.
const RequestBodySchema = z
.object({
// Optional scope cap (e.g. ["read:runs"]) — ceilings the UAT below the
// user's role. Absent → identity-only, floored by the user's role at
// use-time.
cap: z.array(z.string()).optional(),
// Attribution label recorded in the token's `act.client` (e.g. the agent
// or tool that requested it).
client: z.string().min(1).max(255).optional(),
// Lifetime in seconds. Omitted → 1h. Over the ceiling → 400 (we don't
// silently clamp, so a caller never thinks it got longer than it did).
ttlSeconds: z.number().int().positive().max(MAX_UAT_TTL_SECONDS).optional(),
})
.optional();
export async function action({ request }: ActionFunctionArgs) {
try {
// Mint only from a real PAT. authenticatePat requires the `tr_pat_`
// prefix, so a UAT can't mint another UAT (no indefinite renewal) and an
// env API key / OAT can't mint one either.
const patAuth = await rbac.authenticatePat(request, {});
if (!patAuth.ok) {
return json({ error: patAuth.error }, { status: patAuth.status });
}
// A role-restricted PAT (one with a TokenRole cap) can't mint a UAT: the
// UAT is floored by the user's role at use-time and wouldn't carry the
// PAT's narrower ceiling, so minting would widen the grant. Reject rather
// than silently escalate. (The OSS fallback has no TokenRoles, so this
// only takes effect with the cloud RBAC plugin installed.)
const tokenRole = await rbac.getTokenRole(patAuth.tokenId);
if (tokenRole) {
return json(
{
error: "Cannot mint a user-actor token from a role-restricted personal access token",
},
{ status: 403 }
);
}
const parsedBody = RequestBodySchema.safeParse(await request.json().catch(() => ({})));
if (!parsedBody.success) {
return json(
{ error: "Invalid request body", issues: parsedBody.error.issues },
{ status: 400 }
);
}
const body = parsedBody.data ?? {};
const ttlSeconds = body.ttlSeconds ?? DEFAULT_UAT_TTL_SECONDS;
const token = await signUserActorToken(env.SESSION_SECRET, {
userId: patAuth.userId,
client: body.client ?? "personal-access-token",
cap: body.cap,
// Absolute exp (seconds since epoch). jose treats a number as absolute.
expirationTime: Math.floor(Date.now() / 1000) + ttlSeconds,
});
return json({ token, expiresInSeconds: ttlSeconds });
} catch (error) {
if (error instanceof Response) throw error;
logger.error("Failed to mint user-actor token", { error });
return json({ error: "Internal Server Error" }, { status: 500 });
}
}