feat(api): project and personal scoped access tokens

Author: n1ru4l

packages/libraries/cli/package.json

@@ -61,6 +61,7 @@
     "@oclif/plugin-help": "6.0.22",
     "@oclif/plugin-update": "4.2.13",
     "@theguild/federation-composition": "0.20.2",
+    "cli-table3": "0.6.5",
     "colors": "1.4.0",
     "env-ci": "7.3.0",
     "graphql": "^16.8.1",

packages/libraries/cli/src/commands/whoami.ts

@@ -1,3 +1,4 @@
+import Table from 'cli-table3';
 import { Flags } from '@oclif/core';
 import Command from '../base-command';
 import { graphql } from '../gql';
@@ -6,33 +7,28 @@ import {
   InvalidRegistryTokenError,
   MissingEndpointError,
   MissingRegistryTokenError,
-  UnexpectedError,
 } from '../helpers/errors';
 import { Texture } from '../helpers/texture/texture';
 
 const myTokenInfoQuery = graphql(/* GraphQL */ `
-  query myTokenInfo {
-    tokenInfo {
-      __typename
-      ... on TokenInfo {
-        token {
-          name
+  query myTokenInfo($showAll: Boolean!) {
+    whoAmI {
+      title
+      resolvedPermissions(includeAll: $showAll) {
+        level
+        resolvedResourceIds
+        title
+        groups {
+          title
+          permissions {
+            isGranted
+            permission {
+              id
+              title
+              description
+            }
+          }
         }
-        organization {
-          slug
-        }
-        project {
-          type
-          slug
-        }
-        target {
-          slug
-        }
-        canPublishSchema: hasTargetScope(scope: REGISTRY_WRITE)
-        canCheckSchema: hasTargetScope(scope: REGISTRY_READ)
-      }
-      ... on TokenNotFoundError {
-        message
       }
     }
   }
@@ -63,6 +59,10 @@ export default class WhoAmI extends Command<typeof WhoAmI> {
         version: '0.21.0',
       },
     }),
+    all: Flags.boolean({
+      description: 'Also show non-granted permissions.',
+      default: false,
+    }),
   };
 
   async run() {
@@ -95,43 +95,44 @@ export default class WhoAmI extends Command<typeof WhoAmI> {
 
     const result = await this.registryApi(registry, token).request({
       operation: myTokenInfoQuery,
+      variables: {
+        showAll: flags.all,
+      },
     });
 
-    if (result.tokenInfo.__typename === 'TokenInfo') {
-      const { tokenInfo } = result;
-      const { organization, project, target } = tokenInfo;
-
-      const organizationUrl = `https://app.graphql-hive.com/${organization.slug}`;
-      const projectUrl = `${organizationUrl}/${project.slug}`;
-      const targetUrl = `${projectUrl}/${target.slug}`;
-
-      const access = {
-        yes: Texture.colors.green('Yes'),
-        not: Texture.colors.red('No access'),
-      };
-
-      const print = createPrinter({
-        'Token name:': [Texture.colors.bold(tokenInfo.token.name)],
-        ' ': [''],
-        'Organization:': [
-          Texture.colors.bold(organization.slug),
-          Texture.colors.dim(organizationUrl),
-        ],
-        'Project:': [Texture.colors.bold(project.slug), Texture.colors.dim(projectUrl)],
-        'Target:': [Texture.colors.bold(target.slug), Texture.colors.dim(targetUrl)],
-        '  ': [''],
-        'Access to schema:publish': [tokenInfo.canPublishSchema ? access.yes : access.not],
-        'Access to schema:check': [tokenInfo.canCheckSchema ? access.yes : access.not],
+    if (result.whoAmI == null) {
+      throw new InvalidRegistryTokenError();
+    }
+
+    const data = result.whoAmI;
+
+    // Print header
+    this.log(`\n=== ${data.title} ===\n`);
+
+    // Iterate and display each permission group
+    for (const permLevel of data.resolvedPermissions) {
+      this.log(`Level: ${permLevel.level}`);
+      this.log(`Resources: ${permLevel.resolvedResourceIds?.join(', ') ?? '<none>'}`);
+
+      const table = new Table({
+        head: ['Group', 'Permission ID', 'Title', 'Granted', 'Description'],
+        wordWrap: true,
+        style: { head: ['cyan'] },
       });
 
-      this.log(print());
-    } else if (result.tokenInfo.__typename === 'TokenNotFoundError') {
-      this.debug(result.tokenInfo.message);
-      throw new InvalidRegistryTokenError();
-    } else {
-      throw new UnexpectedError(
-        `Token response got an unsupported type: ${(result.tokenInfo as any).__typename}`,
-      );
+      for (const group of permLevel.groups) {
+        for (const perm of group.permissions) {
+          table.push([
+            group.title,
+            perm.permission.id,
+            perm.permission.title,
+            perm.isGranted ? '✓' : '❌',
+            perm.permission.description,
+          ]);
+        }
+      }
+
+      this.log(table.toString());
     }
   }
 }

packages/migrations/src/actions/2025.10.17T00-00-00.project-access-tokens.ts

@@ -0,0 +1,37 @@
+import { type MigrationExecutor } from '../pg-migrator';
+
+export default {
+  name: '2025.10.17T00-00-00.organization-access-tokens-project-scope.ts',
+  noTransaction: true,
+  run: ({ sql }) => [
+    {
+      name: 'add new columns to "organization_access_tokens"',
+      query: sql`
+        ALTER TABLE "organization_access_tokens"
+          ADD COLUMN IF NOT EXISTS "project_id" UUID REFERENCES "projects" ("id") ON DELETE CASCADE
+          , ADD COLUMN IF NOT EXISTS "user_id" UUID REFERENCES "users" ("id") ON DELETE CASCADE
+          , ALTER COLUMN "permissions" DROP NOT NULL;
+      `,
+    },
+    {
+      name: 'add index "organization_access_tokens_pagination_target"',
+      query: sql`
+        CREATE INDEX CONCURRENTLY IF NOT EXISTS "organization_access_tokens_pagination_target" ON "organization_access_tokens" (
+          "project_id"
+          , "created_at" DESC
+          , "id" DESC
+        )
+      `,
+    },
+    {
+      name: 'add index "organization_access_tokens_pagination_user"',
+      query: sql`
+        CREATE INDEX CONCURRENTLY IF NOT EXISTS "organization_access_tokens_pagination_user" ON "organization_access_tokens" (
+          "user_id"
+          , "created_at" DESC
+          , "id" DESC
+        )
+      `,
+    },
+  ],
+} satisfies MigrationExecutor;

packages/migrations/src/run-pg-migrations.ts

@@ -168,5 +168,6 @@ export const runPGMigrations = async (args: { slonik: DatabasePool; runTo?: stri
       await import('./actions/2025.05.15T00-00-01.organization-member-pagination'),
       await import('./actions/2025.05.28T00-00-00.schema-log-by-ids'),
       await import('./actions/2025.10.16T00-00-00.schema-log-by-commit-ordered'),
+      await import('./actions/2025.10.17T00-00-00.project-access-tokens'),
     ],
   });

packages/services/api/src/modules/audit-logs/providers/audit-logs-types.ts

@@ -332,7 +332,7 @@ export const AuditLogModel = z.union([
     eventType: z.literal('ORGANIZATION_ACCESS_TOKEN_CREATED'),
     metadata: z.object({
       organizationAccessTokenId: z.string().uuid(),
-      permissions: z.array(z.string()),
+      permissions: z.array(z.string()).nullable(),
       assignedResources: ResourceAssignmentModel,
     }),
   }),

packages/services/api/src/modules/auth/lib/authz.ts

@@ -5,8 +5,9 @@ import type { User } from '../../../shared/entities';
 import { AccessError } from '../../../shared/errors';
 import { objectEntries, objectFromEntries } from '../../../shared/helpers';
 import { isUUID } from '../../../shared/is-uuid';
-import type { OrganizationAccessToken } from '../../organization/providers/organization-access-tokens';
+import { CachedAccessToken } from '../../organization/providers/organization-access-tokens-cache';
 import { Logger } from '../../shared/providers/logger';
+import { TargetAccessTokenStrategy } from './target-access-token-strategy';
 
 export type AuthorizationPolicyStatement = {
   effect: 'allow' | 'deny';
@@ -55,10 +56,14 @@ export type UserActor = {
 
 export type OrganizationAccessTokenActor = {
   type: 'organizationAccessToken';
-  organizationAccessToken: OrganizationAccessToken;
+  organizationAccessToken: CachedAccessToken;
 };
 
-type Actor = UserActor | OrganizationAccessTokenActor;
+export type LegacyTargetAccessTokenActor = {
+  type: 'legacyTargetAccessToken';
+};
+
+type Actor = UserActor | OrganizationAccessTokenActor | LegacyTargetAccessTokenActor;
 
 /**
  * Abstract session class that is implemented by various ways to identify a session.
@@ -393,6 +398,7 @@ const permissionsByLevel = {
     z.literal('schemaLinting:modifyOrganizationRules'),
     z.literal('auditLog:export'),
     z.literal('accessToken:modify'),
+    z.literal('personalAccessToken:modify'),
   ],
   project: [
     z.literal('project:describe'),
@@ -401,6 +407,7 @@ const permissionsByLevel = {
     z.literal('alert:modify'),
     z.literal('schemaLinting:modifyProjectRules'),
     z.literal('target:create'),
+    z.literal('projectAccessToken:modify'),
   ],
   target: [
     z.literal('targetAccessToken:modify'),

packages/services/api/src/modules/auth/lib/organization-access-token-strategy.ts

@@ -1,8 +1,10 @@
 import * as crypto from 'node:crypto';
 import { type FastifyReply, type FastifyRequest } from '@hive/service-common';
 import * as OrganizationAccessKey from '../../organization/lib/organization-access-key';
-import type { OrganizationAccessToken } from '../../organization/providers/organization-access-tokens';
-import { OrganizationAccessTokensCache } from '../../organization/providers/organization-access-tokens-cache';
+import {
+  CachedAccessToken,
+  OrganizationAccessTokensCache,
+} from '../../organization/providers/organization-access-tokens-cache';
 import { Logger } from '../../shared/providers/logger';
 import { OrganizationAccessTokenValidationCache } from '../providers/organization-access-token-validation-cache';
 import {
@@ -19,15 +21,15 @@ function hashToken(token: string) {
 export class OrganizationAccessTokenSession extends Session {
   public readonly organizationId: string;
   private policies: Array<AuthorizationPolicyStatement>;
-  private organizationAccessToken: OrganizationAccessToken;
+  private organizationAccessToken: CachedAccessToken;
   readonly id: string;
 
   constructor(
     args: {
       id: string;
       organizationId: string;
       policies: Array<AuthorizationPolicyStatement>;
-      organizationAccessToken: OrganizationAccessToken;
+      organizationAccessToken: CachedAccessToken;
     },
     deps: {
       logger: Logger;

packages/services/api/src/modules/auth/lib/target-access-token-strategy.ts

@@ -8,7 +8,7 @@ import {
   ProjectAccessScope,
   TargetAccessScope,
 } from '../providers/scopes';
-import { AuthNStrategy, Session, type AuthorizationPolicyStatement } from './authz';
+import { AuthNStrategy, Permission, Session, type AuthorizationPolicyStatement } from './authz';
 
 export class TargetAccessTokenSession extends Session {
   public readonly organizationId: string;
@@ -57,6 +57,11 @@ export class TargetAccessTokenSession extends Session {
     };
   }
 
+  get allowedPermissions(): Array<Permission> {
+    // Since the list is static and computed below, we can safely hard-cast it and treat all policy statements as "allow"
+    return this.policies.map(policy => policy.action) as Array<Permission>;
+  }
+
   public async getActor(): Promise<never> {
     throw new AccessError('Authorization token is missing', 'UNAUTHENTICATED');
   }

packages/services/api/src/modules/auth/resolvers/Permission.ts

@@ -25,7 +25,7 @@ export const Permission: PermissionResolvers = {
   },
 };
 
-function resourceLevelToResourceLevelType(resourceLevel: ResourceLevel) {
+export function resourceLevelToResourceLevelType(resourceLevel: ResourceLevel) {
   switch (resourceLevel) {
     case 'target':
       return 'TARGET' as const;

packages/services/api/src/modules/organization/lib/organization-access-token-permissions.ts

@@ -116,6 +116,11 @@ export const permissionGroups: Array<PermissionGroup> = [
     id: 'services',
     title: 'Schema Registry',
     permissions: [
+      {
+        id: 'schema:compose',
+        title: 'Compose schema',
+        description: 'Allow using "hive dev" command for local composition.',
+      },
       {
         id: 'schemaCheck:create',
         title: 'Check schema/service/subgraph',
@@ -147,6 +152,11 @@ export const permissionGroups: Array<PermissionGroup> = [
         title: 'Publish app deployment',
         description: 'Grant access to publishing app deployments.',
       },
+      {
+        id: 'appDeployment:retire',
+        title: 'Retire app deployment',
+        description: 'Grant access to retring app deployments.',
+      },
     ],
   },
 ];