Apply review fixes to API token auth system

Fork: 0

root / navi-1

Browse code Apply review fixes to API token auth system Backend: - navi/auth/deps.py: replace 3 DB round-trips with single JOIN query for token resolution; update last_used_at still separate (best-effort) - navi/api/routes/api_tokens.py: replace asyncpg-specific "UPDATE 1" string check with RETURNING id fetchrow; increase token_prefix from 8 to 12 chars for better visual identification; add security notes - tests/unit/auth/test_api_tokens.py: update tests for JOIN query and RETURNING-based revoke Frontend: - webclient/src/components/settings/ShowTokenModal.vue: new modal that shows the plain token in a readonly field with copy button and explicit warning — replaces the transient toast notification - webclient/src/components/settings/ApiKeysPanel.vue: use ShowTokenModal - webclient/src/composables/useWebSocket.js: add security comment about localStorage XSS risk and query param log exposure Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> feature/navi-code master vmkdemo
1 parent 5de0d33 commit 95825164e3c03e6f276520cad5c7eeaafdf80dbe Eugene Sukhodolskiy authored on 24 May

Browse code

Backend:
- navi/auth/deps.py: replace 3 DB round-trips with single JOIN query for
  token resolution; update last_used_at still separate (best-effort)
- navi/api/routes/api_tokens.py: replace asyncpg-specific "UPDATE 1"
  string check with RETURNING id fetchrow; increase token_prefix from
  8 to 12 chars for better visual identification; add security notes
- tests/unit/auth/test_api_tokens.py: update tests for JOIN query and
  RETURNING-based revoke

Frontend:
- webclient/src/components/settings/ShowTokenModal.vue: new modal that
  shows the plain token in a readonly field with copy button and
  explicit warning — replaces the transient toast notification
- webclient/src/components/settings/ApiKeysPanel.vue: use ShowTokenModal
- webclient/src/composables/useWebSocket.js: add security comment about
  localStorage XSS risk and query param log exposure

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feature/navi-code master vmkdemo

1 parent 5de0d33 commit 95825164e3c03e6f276520cad5c7eeaafdf80dbe

Eugene Sukhodolskiy authored on 24 May

Patch

Unified Split

Showing 11 changed files

Ignore Space Show notes View navi/api/routes/api_tokens.py

Ignore Space Show notes View navi/auth/deps.py

Ignore Space Show notes View tests/unit/auth/test_api_tokens.py

Show notes View webclient/dist/assets/index-BLRp95NP.js 100644 → 0
Not supported

Ignore Space Show notes View webclient/dist/assets/index-CtFBUjo6.css 0 → 100644

Ignore Space Show notes View webclient/dist/assets/index-DqAFWU66.js 0 → 100644
Not supported

Show notes View webclient/dist/assets/index-Wyt5c1oU.css 100644 → 0

Ignore Space Show notes View webclient/dist/index.html

Ignore Space Show notes View webclient/src/components/settings/ApiKeysPanel.vue

Ignore Space Show notes View webclient/src/components/settings/ShowTokenModal.vue 0 → 100644

Ignore Space Show notes View webclient/src/composables/useWebSocket.js

Show line notes below