add unique letter to access token based on type

n1ru4l · n1ru4l · commit 4e2d29efc3c4 · 2025-11-07T12:25:03.000+01:00
diff --git a/integration-tests/tests/api/access-tokens/organization.spec.ts b/integration-tests/tests/api/access-tokens/organization.spec.ts
@@ -238,6 +238,8 @@ test.concurrent('query GraphQL API on resources without access', async ({ expect
   expect(result.createOrganizationAccessToken.error).toEqual(null);
   const organizationAccessToken = result.createOrganizationAccessToken.ok!.privateAccessKey;
 
+  expect(organizationAccessToken).toMatch(/^hvo1\//);
+
   const projectQuery = await execute({
     document: OrganizationProjectTargetQuery,
     variables: {
diff --git a/integration-tests/tests/api/access-tokens/personal.spec.ts b/integration-tests/tests/api/access-tokens/personal.spec.ts
@@ -289,6 +289,8 @@ test.concurrent('query GraphQL API on resources with access', async ({ expect })
   assertNonNullish(result.createPersonalAccessToken.ok);
   const personalAccessToken = result.createPersonalAccessToken.ok.privateAccessKey;
 
+  expect(personalAccessToken).toMatch(/^hvu1\//);
+
   const projectQuery = await execute({
     document: OrganizationProjectTargetQuery1,
     variables: {
diff --git a/integration-tests/tests/api/access-tokens/project.spec.ts b/integration-tests/tests/api/access-tokens/project.spec.ts
@@ -251,6 +251,8 @@ test.concurrent('query GraphQL API on resources with access', async ({ expect })
   expect(result.createProjectAccessToken.error).toEqual(null);
   const organizationAccessToken = result.createProjectAccessToken.ok!.privateAccessKey;
 
+  expect(organizationAccessToken).toMatch(/^hvp1\//);
+
   expect(await fetchPermissions(organizationAccessToken)).toEqual([
     {
       level: 'PROJECT',
diff --git a/packages/services/api/src/modules/auth/lib/organization-access-token-strategy.ts b/packages/services/api/src/modules/auth/lib/organization-access-token-strategy.ts
@@ -108,10 +108,25 @@ export class OrganizationAccessTokenStrategy extends AuthNStrategy<OrganizationA
       result.accessKey.id,
       this.logger,
     );
+
     if (!organizationAccessToken) {
       return null;
     }
 
+    // access token uses wrong prefix
+    // e.g. hvo1/ -> but has userId or hvp1/ but has no projectId
+    if (
+      (result.accessKey.category === OrganizationAccessKey.AccessTokenCategory.personal &&
+        organizationAccessToken.userId == null) ||
+      (result.accessKey.category === OrganizationAccessKey.AccessTokenCategory.project &&
+        organizationAccessToken.projectId == null) ||
+      (result.accessKey.category === OrganizationAccessKey.AccessTokenCategory.organization &&
+        (organizationAccessToken.projectId || organizationAccessToken.userId))
+    ) {
+      this.logger.debug('Someone is trying an access token with the wrong prefix.');
+      return null;
+    }
+
     // let's hash it so we do not store the plain private key in memory
     const key = hashToken(accessToken);
     const isHashMatch = await this.organizationAccessTokenValidationCache.getOrSetForever({
diff --git a/packages/services/api/src/modules/organization/lib/organization-access-key.ts b/packages/services/api/src/modules/organization/lib/organization-access-key.ts
@@ -14,22 +14,33 @@ type DecodedAccessKey = {
   id: string;
   /** string to compare against the hash within the database ("organization_access_tokens"."hash") */
   privateKey: string;
+  /** The category of the access token */
+  category: AccessTokenCategory;
 };
 
+export const enum AccessTokenCategory {
+  organization = 'o',
+  project = 'p',
+  personal = 'u',
+}
+
+type KeyPrefix = `hv${AccessTokenCategory}1/`;
+
 /**
  * Prefix for the organization access key.
  * We use this prefix so we can quickly identify whether an organization access token.
  *
  * **hv** -> Hive
- * **o**  -> Organization
+ * **o** or **p** or **u** -> Organization or Project or User
  * **1**  -> Version 1
  */
-const keyPrefix = 'hvo1/';
+const keyPrefix = (category: AccessTokenCategory): KeyPrefix =>
+  `hv${category}1/` satisfies KeyPrefix;
 const decodeError = { type: 'error' as const, reason: 'Invalid access token.' };
 
-function encode(recordId: string, secret: string) {
+function encode(recordId: string, secret: string, category: AccessTokenCategory) {
   const keyContents = [recordId, secret].join(':');
-  return keyPrefix + btoa(keyContents);
+  return keyPrefix(category) + btoa(keyContents);
 }
 
 /**
@@ -38,11 +49,21 @@ function encode(recordId: string, secret: string) {
 export function decode(
   accessToken: string,
 ): { type: 'error'; reason: string } | { type: 'ok'; accessKey: DecodedAccessKey } {
-  if (!accessToken.startsWith(keyPrefix)) {
+  let category: null | AccessTokenCategory = null;
+
+  if (accessToken.startsWith(keyPrefix(AccessTokenCategory.organization))) {
+    category = AccessTokenCategory.organization;
+  } else if (accessToken.startsWith(keyPrefix(AccessTokenCategory.project))) {
+    category = AccessTokenCategory.organization;
+  } else if (accessToken.startsWith(keyPrefix(AccessTokenCategory.personal))) {
+    category = AccessTokenCategory.organization;
+  }
+
+  if (category === null) {
     return decodeError;
   }
 
-  accessToken = accessToken.slice(keyPrefix.length);
+  accessToken = accessToken.slice(keyPrefix(category).length);
 
   let str: string;
 
@@ -62,7 +83,7 @@ export function decode(
   const privateKey = parts.at(1);
 
   if (id && privateKey) {
-    return { type: 'ok', accessKey: { id, privateKey } } as const;
+    return { type: 'ok', accessKey: { id, privateKey, category } } as const;
   }
 
   return decodeError;
@@ -71,13 +92,13 @@ export function decode(
 /**
  * Creates a new organization access key/token for a provided UUID.
  */
-export async function create(id: string) {
+export async function create(id: string, category: AccessTokenCategory) {
   const secret = Crypto.createHash('sha256')
     .update(Crypto.randomBytes(20).toString())
     .digest('hex');
 
   const hash = await bcrypt.hash(secret, await bcrypt.genSalt());
-  const privateAccessToken = encode(id, secret);
+  const privateAccessToken = encode(id, secret, category);
   const firstCharacters = privateAccessToken.substr(0, 10);
 
   return {
diff --git a/packages/services/api/src/modules/organization/providers/organization-access-tokens.ts b/packages/services/api/src/modules/organization/providers/organization-access-tokens.ts
@@ -403,7 +403,14 @@ export class OrganizationAccessTokens {
     assignedResources: ResourceAssignmentGroup;
   }) {
     const id = crypto.randomUUID();
-    const accessKey = await OrganizationAccessKey.create(id);
+    const accessKey = await OrganizationAccessKey.create(
+      id,
+      args.userId
+        ? OrganizationAccessKey.AccessTokenCategory.personal
+        : args.projectId
+          ? OrganizationAccessKey.AccessTokenCategory.project
+          : OrganizationAccessKey.AccessTokenCategory.organization,
+    );
 
     const result = await this.pool.maybeOne<unknown>(sql`
       INSERT INTO "organization_access_tokens" (

Original file line number	Diff line number	Diff line change
`@@ -251,6 +251,8 @@ test.concurrent('query GraphQL API on resources with access', async ({ expect })`
`251`	`251`	`expect(result.createProjectAccessToken.error).toEqual(null);`
`252`	`252`	`const organizationAccessToken = result.createProjectAccessToken.ok!.privateAccessKey;`
`253`	`253`
	`254`	`+ expect(organizationAccessToken).toMatch(/^hvp1\//);`
	`255`	`+`
`254`	`256`	`expect(await fetchPermissions(organizationAccessToken)).toEqual([`
`255`	`257`	`{`
`256`	`258`	`level: 'PROJECT',`