feat: CreateCurrentUserPersonalToken RPC implementation

[AmanGIT07]

Title: feat: add CreateCurrentUserPersonalToken RPC

Summary

• Implements the CreateCurrentUserPersonalToken RPC — the first endpoint for Personal Access Tokens (PATs), allowing users to create org-scoped tokens with configurable prefix, expiry, and metadata.
• Adds full vertical slice: proto codegen, domain model, config, Postgres repository + migration, service layer with token generation (SHA-256 hashed, base64url-encoded), ConnectRPC handler, and authorization interceptor
  wiring.
• Includes service-level audit logging
• Adds SpiceDB constants in preparation for future policy integration.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Feb 20, 2026 0:48am

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• New Features
  • Create and manage personal access tokens for fine-grained API access control
  • Configure token expiration policies, per-user limits per organization, and token naming conventions
  • Automatic audit logging for token creation events

Walkthrough

Introduces comprehensive Personal Access Token (PAT) functionality to Frontier. Adds domain models, service layer with token creation and validation, PostgreSQL repository implementation, API endpoints via ConnectRPC, database schema and migrations, configuration support, authorization rules, and extensive test coverage.

Changes

Cohort / File(s)	Summary
Core PAT Domain core/userpat/userpat.go, core/userpat/config.go, core/userpat/errors.go, core/userpat/service.go	Introduces PersonalAccessToken entity, Repository interface, Config struct for feature flags and token constraints, service for token creation with validation of expiry, token limits, and conflict detection, and error constants for consistent error handling.
PAT Service Testing core/userpat/service_test.go	Comprehensive table-driven test suite validating token creation flow, disabled feature handling, token limit enforcement, conflict handling, unique token generation, hash verification, and config parsing.
Repository Interfaces & Mocks core/userpat/mocks/repository.go, core/userpat/mocks/audit_record_repository.go, core/userpat/mocks/organization_service.go	Auto-generated mock implementations for Repository, AuditRecordRepository, and OrganizationService interfaces supporting flexible test expectations and error handling.
PostgreSQL Repository internal/store/postgres/userpat_repository.go, internal/store/postgres/userpat_repository_test.go, internal/store/postgres/userpat.go	PostgreSQL-backed repository for PAT persistence, including Create and CountActive methods, token conflict detection, soft-delete semantics, and comprehensive test suite covering creation, metadata storage, conflict handling, and active token counting.
Database Schema internal/store/postgres/migrations/20260218100000_create_user_tokens.up.sql, internal/store/postgres/migrations/20260218100000_create_user_tokens.down.sql, internal/store/postgres/postgres.go	Database migration creating user_tokens table with soft-delete support, unique constraints on active tokens, indexes for performance, auto-update trigger for timestamps, and table constant declaration.
API Layer Integration cmd/serve.go, internal/api/api.go, internal/api/v1beta1connect/v1beta1connect.go, internal/api/v1beta1connect/interfaces.go, pkg/server/server.go	Wires UserPATService into API dependencies, updates ConnectHandler constructor to accept PAT configuration, and exposes UserPATService interface for API contract.
ConnectRPC Handler internal/api/v1beta1connect/user_pat.go, internal/api/v1beta1connect/user_pat_test.go, internal/api/v1beta1connect/mocks/user_pat_service.go	Implements CreateCurrentUserPersonalToken RPC handler with request validation, service invocation, error mapping, and response transformation; includes test suite and generated mock for testing.
Configuration & Bootstrap pkg/server/config.go, internal/bootstrap/schema/schema.go, pkg/server/connect_interceptors/authorization.go	Adds PAT configuration field to server config, introduces PAT principal and grant relation constants to schema, and wires authorization rule for token creation endpoint.
Protobuf Definitions & Validation proto/v1beta1/frontier.pb.validate.go, proto/v1beta1/models.pb.validate.go, proto/v1beta1/frontierv1beta1connect/frontier.connect.go, proto/apidocs.swagger.yaml	Auto-generated validation methods for proto messages, new CreateCurrentUserPersonalToken RPC with client/server/routing support, PersonalAccessToken type definition, and Swagger documentation.
Build Configuration Makefile	Updates Proton commit hash for protobuf code generation.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• refactor(test): migrate E2E tests from gRPC to ConnectRPC clients #1389 — Modifies the ConnectRPC client/server surface and test infrastructure integration, related to the new Connect RPC method and handler changes in this PR.

Suggested reviewers

• rohilsurana
• rsbh

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 10

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/bootstrap/schema/schema.go (1)

255-260: ⚠️ Potential issue | 🟡 Minor

Include PATPrincipal in IsSystemNamespace() for consistency with other principals.

All other principals—UserPrincipal, ServiceUserPrincipal, SuperUserPrincipal, GroupPrincipal—are included in the check, but PATPrincipal (defined at line 75) is omitted. Since PATPrincipal is recognized as a valid namespace alias in ParseNamespaceAliasIfRequired(), it should be treated the same way as other principals to maintain consistent behavior.

🧹 Nitpick comments (9)

pkg/auditrecord/consts.go (1)

57-58: Consider adding a PATDeletedEvent / PATRevokedEvent constant for completeness.

Every other audited resource with a lifecycle (service users, sessions, billing entities) has at minimum a deletion/revocation event alongside the creation event. If PAT revocation or deletion is planned, pre-declaring the constant here keeps the audit vocabulary consistent and avoids a follow-up PR solely to add "pat.deleted" or "pat.revoked".

♻️ Proposed addition

 	// PAT Events
 	PATCreatedEvent Event = "pat.created"
+	PATDeletedEvent Event = "pat.deleted"

core/userpat/errors.go (1)

1-14: LGTM — clean, idiomatic sentinel error set.

The var block with errors.New is the canonical Go pattern for package-level sentinel errors. All eight values are exported, clearly named with the Err prefix, and carry descriptive messages that unambiguously attribute them to the PAT domain. The distinction between ErrExpiryInPast (creation-time validation) and ErrExpiryExceeded (lifetime cap) is a nice touch.

One optional consideration: adding a short package prefix such as "userpat: personal access token not found" to each message can improve discoverability when these errors are wrapped and appear deep in a multi-layer error chain or log stream. Since "personal access token" already appears in every string, the attribution is already clear—this is purely a style preference.

cmd/serve.go (1)

391-436: userPATRepo declaration is separated from userPATService creation by ~45 unrelated lines.

Every other repo/service pair in this function is declared back-to-back (e.g., prospectRepository/prospectService at lines 388-389). Moving userPATRepo immediately before userPATService would keep the locality consistent.

♻️ Suggested repositioning

-	userPATRepo := postgres.NewUserPATRepository(dbc)
-
 	svUserRepo := postgres.NewServiceUserRepository(dbc)
 	// ... (lines 393-435 unchanged) ...
 
 	organizationService := organization.NewService(...)
+
+	userPATRepo := postgres.NewUserPATRepository(dbc)
 	userPATService := userpat.NewService(userPATRepo, cfg.App.PAT, organizationService, auditRecordRepository)

core/userpat/config.go (1)

10-10: DefaultTokenLifetime has no DefaultExpiry() helper to match MaxExpiry().

Any code that needs the parsed default lifetime must replicate the time.ParseDuration + fallback logic inline, risking divergence. Adding a symmetric helper ensures consistent parsing behaviour.

♻️ Proposed addition

+func (c Config) DefaultExpiry() time.Duration {
+	d, err := time.ParseDuration(c.DefaultTokenLifetime)
+	if err != nil {
+		return 90 * 24 * time.Hour // matches the "2160h" default
+	}
+	return d
+}

internal/api/v1beta1connect/user_pat.go (1)

84-89: Silently swallowed metadata conversion error may hide data loss.

If ToStructPB() fails (e.g., due to unsupported value types in metadata), the error is ignored and metadata is silently omitted from the response. Consider logging the error so operators can diagnose missing metadata.

🔧 Proposed fix

 	if pat.Metadata != nil {
 		metaPB, err := pat.Metadata.ToStructPB()
 		if err == nil {
 			pbPAT.Metadata = metaPB
+		} else {
+			// Log metadata conversion failure so it's diagnosable
+			zap.L().Warn("failed to convert PAT metadata to protobuf", zap.String("pat_id", pat.ID), zap.Error(err))
 		}
 	}

core/userpat/service.go (2)

88-88: Roles and ProjectIDs are silently discarded

Both fields flow through CreateRequest, are passed into the audit metadata, but the TODO means no policies are created. Any caller relying on the returned token having the scoped access they requested will get an over-privileged (or under-privileged) token with no error surfaced.

Would you like me to open a tracking issue or scaffold the policy-creation step once the role/project model is available?

---

107-108: maps.Copy silently overwrites "user_id" if targetMetadata contains that key

maps.Copy copies all key/value pairs from src into dst; when a key in src is already present in dst, the value in dst is overwritten. If any future caller of createAuditRecord passes "user_id" inside targetMetadata, the explicitly set pat.UserID binding will be silently replaced. Build the merged map in the other order to give the explicit user_id precedence:

♻️ Proposed fix

-	metadata := map[string]any{"user_id": pat.UserID}
-	maps.Copy(metadata, targetMetadata)
+	metadata := maps.Clone(targetMetadata)
+	metadata["user_id"] = pat.UserID  // always authoritative

core/userpat/service_test.go (2)

272-301: "should hash the full token string" test case verifies nothing about the stored hash

The assertion — that sha256(tokenValue) produces a 64-character hex string — is trivially true for any non-empty input and carries zero coverage value. It does not capture SecretHash from the mock call or compare it to the token. TestService_Create_HashVerification (lines 428-458) already does the correct end-to-end hash verification. Consider removing this table case or replacing it with a comment referencing the standalone test.

---

353-372: Table case "should generate unique tokens on each call" makes only one Create call

Within the table loop body (lines 374-394) each case calls Create exactly once, so this case cannot demonstrate uniqueness. It reads as an ownership claim that the table runner doesn't fulfil. TestService_Create_UniqueTokens (lines 397-426) already covers uniqueness correctly. Rename this case to something that reflects its actual intent (e.g., "should succeed when count is 0") or remove it as a duplicate.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all PAT-related procedure constants and check authorization maps

echo "=== PAT-related procedure constants in codebase ==="
rg -n "PersonalToken" --type go

echo ""
echo "=== PAT procedures in authorization.go ==="
rg -n "PersonalToken" pkg/server/connect_interceptors/authorization.go

Repository: raystack/frontier

Length of output: 20840

---

🏁 Script executed:

#!/bin/bash
# Read the authorization map section to see exact permission for CreateCurrentUserPersonalToken

echo "=== Authorization entry for CreateCurrentUserPersonalToken (lines 700-715) ==="
sed -n '700,715p' pkg/server/connect_interceptors/authorization.go

echo ""
echo "=== Other Create* endpoints and their permissions ==="
rg -n "^[[:space:]]*frontierv1beta1connect\.FrontierServiceCreate" pkg/server/connect_interceptors/authorization.go -A 2

echo ""
echo "=== Schema permission constants ==="
rg -n "^[[:space:]]*(Get|Update|Create|Manage)Permission\s*=" --type go | head -30

Repository: raystack/frontier

Length of output: 2490

---

🏁 Script executed:

#!/bin/bash
# Search for other Create* endpoints to verify the pattern

echo "=== All Create* endpoints in authorization.go with their permissions ==="
rg -n "FrontierServiceCreate|AdminServiceCreate" pkg/server/connect_interceptors/authorization.go -A 2 | head -80

Repository: raystack/frontier

Length of output: 891

---

🏁 Script executed:

#!/bin/bash
# Search more broadly for all Create* procedures to see the full pattern

echo "=== All procedures matching Create pattern ==="
rg -n "case.*ServiceCreate" pkg/server/connect_interceptors/authorization.go -B 1 | head -100

echo ""
echo "=== Broader search: all FrontierServiceCreate procedures with full context ==="
rg -n "FrontierServiceCreate\w+Procedure:" pkg/server/connect_interceptors/authorization.go -A 2 | head -120

Repository: raystack/frontier

Length of output: 945

---

🏁 Script executed:

#!/bin/bash
# Get a comprehensive view of all entries in the authorizationValidationMap

echo "=== Full authorizationValidationMap from authorization.go ==="
# Extract the entire map - assuming it's bounded by "var authorizationValidationMap" and "}"
awk '/var authorizationValidationMap/,/^}/' pkg/server/connect_interceptors/authorization.go | grep -E "(Procedure:|Permission|func\()" | head -100

Repository: raystack/frontier

Length of output: 15806

---

🏁 Script executed:

#!/bin/bash
# Verify the actual permission values and understand the Create* endpoint patterns

echo "=== Schema permission constants definitions ==="
cat internal/bootstrap/schema/schema.go | grep -A 20 "GetPermission\|CreatePermission\|UpdatePermission\|ManagePermission" | head -30

echo ""
echo "=== Summary of Create* endpoints and their permissions ==="
rg "Create\w+Procedure.*Permission" pkg/server/connect_interceptors/authorization.go -o | sort | uniq

Repository: raystack/frontier

Length of output: 1254

---

🏁 Script executed:

#!/bin/bash
# Get a cleaner view of all Create* procedures and their permissions

echo "=== All Create* procedures and their permissions ==="
rg -n "Create\w+Procedure.*func\(ctx" pkg/server/connect_interceptors/authorization.go -A 2 | grep -E "(Procedure:|Permission)" | paste - - | head -40

Repository: raystack/frontier

Length of output: 174

---

🏁 Script executed:

#!/bin/bash
# Get all Create* procedures with their permissions

echo "=== All Create* procedures and their permissions ==="
rg -n "^\s+frontierv1beta1connect\.FrontierServiceCreate" pkg/server/connect_interceptors/authorization.go -A 2 | grep -v "^--$"

Repository: raystack/frontier

Length of output: 868

---

🏁 Script executed:

#!/bin/bash
# Verify that CreateProject and CreateOrganizationRole exist with their permissions

echo "=== Searching for CreateProject and CreateOrganizationRole ==="
rg -n "CreateProject|CreateRole" pkg/server/connect_interceptors/authorization.go | head -20

Repository: raystack/frontier

Length of output: 1036

---

🏁 Script executed:

#!/bin/bash
# Get the full context for CreateProject, CreateRole, and other Create* endpoints

echo "=== CreateProject permission ==="
sed -n '464,467p' pkg/server/connect_interceptors/authorization.go

echo ""
echo "=== CreateRole permission ==="
sed -n '1039,1042p' pkg/server/connect_interceptors/authorization.go

echo ""
echo "=== CreateGroup permission ==="
sed -n '555,558p' pkg/server/connect_interceptors/authorization.go

echo ""
echo "=== CreateOrganizationInvitation permission ==="
sed -n '494,497p' pkg/server/connect_interceptors/authorization.go

echo ""
echo "=== CreateServiceUser permission ==="
sed -n '410,413p' pkg/server/connect_interceptors/authorization.go

Repository: raystack/frontier

Length of output: 2144

---

🏁 Script executed:

#!/bin/bash
# Use rg to find and display the exact lines with context

echo "=== CreateProject ==="
rg -n "CreateProject.*func\(ctx" pkg/server/connect_interceptors/authorization.go -A 2 | head -5

echo ""
echo "=== CreateGroup ==="
rg -n "CreateGroup.*func\(ctx" pkg/server/connect_interceptors/authorization.go -A 2 | head -5

echo ""
echo "=== CreateOrganizationInvitation ==="
rg -n "CreateOrganizationInvitation.*func\(ctx" pkg/server/connect_interceptors/authorization.go -A 2 | head -5

echo ""
echo "=== CreateServiceUser ==="
rg -n "CreateServiceUser.*func\(ctx" pkg/server/connect_interceptors/authorization.go -A 2 | head -5

Repository: raystack/frontier

Length of output: 2335

---

GetPermission (read) gates a token-creation write operation — inconsistent with all other Create* endpoints.

Every other Create* endpoint in authorizationValidationMap uses a write-level or specialized-manage permission as the authorization gate:

Endpoint	Permission
CreateServiceUser	ServiceUserManagePermission
CreateOrganizationInvitation	InvitationCreatePermission
CreateGroup	GroupCreatePermission
CreateProject	ProjectCreatePermission

CreateCurrentUserPersonalToken uses only schema.GetPermission ("get"), meaning any read-only org member can create a PAT scoped to that org. Since PATs carry Roles and ProjectIds fields that can embed sensitive permissions, this allows a low-privileged member to create tokens with elevated role claims — a privilege escalation risk.

Unless the intent is explicitly to allow any org member to self-issue PATs, the permission should be raised — at minimum to schema.UpdatePermission, or ideally a dedicated PAT*ManagePermission constant.

Suggested fix

- return handler.IsAuthorized(ctx, relation.Object{Namespace: schema.OrganizationNamespace, ID: pbreq.Msg.GetOrgId()}, schema.GetPermission, req)
+ return handler.IsAuthorized(ctx, relation.Object{Namespace: schema.OrganizationNamespace, ID: pbreq.Msg.GetOrgId()}, schema.UpdatePermission, req)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	frontierv1beta1connect.FrontierServiceCreateCurrentUserPersonalTokenProcedure: func(ctx context.Context, handler *v1beta1connect.ConnectHandler, req connect.AnyRequest) error {
	pbreq := req.(*connect.Request[frontierv1beta1.CreateCurrentUserPersonalTokenRequest])
	return handler.IsAuthorized(ctx, relation.Object{Namespace: schema.OrganizationNamespace, ID: pbreq.Msg.GetOrgId()}, schema.GetPermission, req)
	},
	frontierv1beta1connect.FrontierServiceCreateCurrentUserPersonalTokenProcedure: func(ctx context.Context, handler *v1beta1connect.ConnectHandler, req connect.AnyRequest) error {
	pbreq := req.(*connect.Request[frontierv1beta1.CreateCurrentUserPersonalTokenRequest])
	return handler.IsAuthorized(ctx, relation.Object{Namespace: schema.OrganizationNamespace, ID: pbreq.Msg.GetOrgId()}, schema.UpdatePermission, req)
	},

[coveralls]

Pull Request Test Coverage Report for Build 22224691590

Details

• 205 of 241 (85.06%) changed or added relevant lines in 10 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.3%) to 38.724%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/server/server.go	0	1	0.0%
internal/api/v1beta1connect/user_pat.go	63	65	96.92%
internal/bootstrap/schema/schema.go	0	2	0.0%
internal/store/postgres/userpat.go	16	18	88.89%
internal/api/v1beta1connect/v1beta1connect.go	0	3	0.0%
pkg/server/connect_interceptors/authorization.go	0	4	0.0%
cmd/serve.go	0	5	0.0%
core/userpat/service.go	75	83	90.36%
internal/store/postgres/userpat_repository.go	45	54	83.33%

Totals
Change from base Build 22214392467:	0.3%
Covered Lines:	16405
Relevant Lines:	42364

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 2

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

"should hash the full token string" table case doesn't verify the stored hash — misleading name

The test computes SHA-256 of tokenValue locally and only checks the result is 64 hex chars (line 298–300). This assertion is trivially true for any string and doesn't confirm that the value actually stored in the repository matches SHA-256 of the token. The comment on lines 294–295 acknowledges this limitation. The meaningful verification is done in the standalone TestService_Create_HashVerification (lines 429–459), which captures pat.SecretHash via Run and compares it.

This case should either be removed (it adds no incremental signal over TestService_Create_HashVerification) or its name changed to something accurate, e.g. "should return a non-empty token value after creation".

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

"should generate unique tokens on each call" makes only one Create call — test name is misleading

The table case sets up the repo mock with a single CountActive + Create expectation and has no validateFunc, so it just verifies that one call succeeds without errors. Uniqueness across two calls is already tested properly in TestService_Create_UniqueTokens (line 398). This case either duplicates existing "happy-path creation" coverage or the test author intended it to assert uniqueness but forgot the second call.

Consider removing this case (redundant with other happy-path cases) or renaming it to reflect what it actually exercises.