Settings was missing self-service account security and any API-key UI:
- Account security (new Security tab): change password (POST /auth/change-password
— verifies current via Argon2, rejects unchanged), enable 2FA (wires the
existing /auth/2fa/setup QR + /auth/2fa/verify), and disable 2FA (new
POST /auth/2fa/disable, requires a current code so a hijacked session can't
strip the second factor).
- New API tab: create/list/revoke per-license API keys (the overnight backend
had no UI), plaintext shown once, plus an 'API docs' button to /api/docs (Swagger).
Root-cause RBAC fix — the system-default Owner role enumerated per-resource
wildcards (server.*, wipe.*, ...) and drifted: apikeys, webhooks, alerts,
analytics, chat, schedules, notifications, map, users and ALL plugin-config
modules (plus singular plugin.* vs granted plugins.*) were locked out for any
non-super-admin Owner. Owner = full control of its license:
- migration 025 sets the Owner role to {"*": true}
- PermissionsGuard honors '*' as allow-all
- frontend hasPermission honors '*' and resource.* wildcards (was exact-match
only, so wildcard-based roles silently failed)
Backend tsc + frontend build green. NOTE: migration 025 auto-applies on a fresh
DB (Saturday); the live DB needs the one-line UPDATE applied to unlock the API
tab for a non-super-admin owner.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Closes the 'Public REST API' last mile: external callers authenticate with a
per-license API key instead of a JWT. Additive and zero-regression:
- JwtAuthGuard: a corr_-prefixed bearer token (or X-API-Key header) is
validated via ApiKeysService.validateKey and sets request.user shaped like a
JWT user, scoped to the key's license. JWTs are eyJ... and never collide with
the corr_ prefix, so the existing JWT path is byte-for-byte unchanged.
- API-key calls act AS the license owner: validateKey now resolves
license.owner_user_id so sub is a real UUID — any @CurrentUser/created_by FK
insert works and attributes correctly. (ApiKeysModule gains the License repo.)
- PermissionsGuard: is_api_key principals get full access to their own license
(always tenant-scoped). Future: scoped/read-only keys.
Backend tsc green. Untested at runtime (no local DB) — needs a curl smoke test
on Saturday's fresh stack before the roadmap item flips to shipped.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
