feat: add oauth2 provider accesstokens api

apps/authentication/api/__init__.py

@@ -16,3 +16,4 @@ from .sso import *
 from .temp_token import *
 from .token import *
 from .face import *
+from .access_token import *

apps/authentication/api/access_token.py

@@ -0,0 +1,32 @@
+from django.utils.translation import gettext as _
+from django.utils import timezone
+from rest_framework.response import Response
+from rest_framework.decorators import action
+from rest_framework.status import HTTP_200_OK
+from rbac.permissions import RBACPermission
+from common.api import JMSModelViewSet
+from ..serializers import AccessTokenSerializer
+
+from oauth2_provider.models import get_access_token_model
+
+AccessToken = get_access_token_model()
+
+class AccessTokenViewSet(JMSModelViewSet):
+    serializer_class = AccessTokenSerializer
+    permission_classes = [RBACPermission]
+    http_method_names = ['get', 'options', 'patch']
+    rbac_perms = {
+        'revoke': 'authentication.change_accesstoken',
+    }
+
+    def get_queryset(self):
+        return AccessToken.objects.filter(user=self.request.user).order_by('created')
+
+    @action(methods=['PATCH'], detail=True, url_path='revoke')
+    def revoke(self, *args, **kwargs):
+        token = AccessToken.objects.filter(id=kwargs['pk']).first()
+        if not token or token.user != self.request.user:
+            return Response({ "detail": _("Access token not found.") }, status=HTTP_200_OK)
+        token = token.refresh_token or token
+        token.revoke()
+        return Response( {"detail": _("Token revoked successfully.")}, status=HTTP_200_OK)

apps/authentication/serializers/token.py

@@ -9,11 +9,12 @@ from common.utils import get_object_or_none, random_string
 from users.models import User
 from users.serializers import UserProfileSerializer
 from ..models import AccessKey, TempToken
+from oauth2_provider.models import get_access_token_model
 
 __all__ = [
     'AccessKeySerializer', 'BearerTokenSerializer',
     'SSOTokenSerializer', 'TempTokenSerializer',
-    'AccessKeyCreateSerializer'
+    'AccessKeyCreateSerializer', 'AccessTokenSerializer',
 ]
 
 
@@ -114,3 +115,21 @@ class TempTokenSerializer(serializers.ModelSerializer):
         token = TempToken(**kwargs)
         token.save()
         return token
+
+
+class AccessTokenSerializer(serializers.ModelSerializer):
+    token_preview = serializers.SerializerMethodField()
+
+    class Meta:
+        model = get_access_token_model()
+        fields = [
+            'id', 'user', 'token_preview', 'application',
+            'is_expired', 'expires', 'scope', 'created', 'updated', 
+        ]
+        read_only_fields = fields
+
+    def get_token_preview(self, obj):
+        token_string = obj.token
+        if len(token_string) > 16: 
+            return f"{token_string[:6]}...{token_string[-4:]}"
+        return "****"

apps/authentication/urls/api_urls.py

@@ -16,6 +16,8 @@ router.register('super-connection-token', api.SuperConnectionTokenViewSet, 'supe
 router.register('admin-connection-token', api.AdminConnectionTokenViewSet, 'admin-connection-token')
 router.register('confirm', api.UserConfirmationViewSet, 'confirm')
 router.register('ssh-key', api.SSHkeyViewSet, 'ssh-key')
+# oauth2-provider
+router.register('access-tokens', api.AccessTokenViewSet, 'access-token')
 
 urlpatterns = [
     path('<str:backend>/qr/unbind/', api.QRUnBindForUserApi.as_view(), name='qr-unbind'),

apps/rbac/const.py

@@ -133,6 +133,11 @@ exclude_permissions = (
     ('terminal', 'session', 'delete,change', 'command'),
     ('applications', '*', '*', '*'),
     ('settings', 'chatprompt', 'add,delete,change', 'chatprompt'),
+    ('oauth2_provider', 'grant', '*', '*'),
+    ('oauth2_provider', 'refreshtoken', '*', '*'),
+    ('oauth2_provider', 'idtoken', '*', '*'),
+    ('oauth2_provider', 'application', '*', '*'),
+    ('oauth2_provider', 'accesstoken', 'add,delete', 'accesstoken')
 )
 
 only_system_permissions = (
@@ -160,6 +165,7 @@ only_system_permissions = (
     ('authentication', 'temptoken', '*', '*'),
     ('authentication', 'passkey', '*', '*'),
     ('authentication', 'ssotoken', '*', '*'),
+    ('oauth2_provider', 'accesstoken', '*', '*'),
     ('tickets', '*', '*', '*'),
     ('orgs', 'organization', 'view', 'rootorg'),
     ('terminal', 'applet', '*', '*'),

apps/rbac/tree.py

@@ -129,6 +129,7 @@ special_pid_mapper = {
     "rbac.view_systemtools": "view_workbench",
     'tickets.view_ticket': 'tickets',
     "audits.joblog": "job_audit",
+    'oauth2_provider.accesstoken': 'authentication',
 }
 
 special_setting_pid_mapper = {
@@ -184,6 +185,8 @@ verbose_name_mapper = {
     'tickets.view_ticket': _("Ticket"),
     'settings.setting': _("Common setting"),
     'rbac.view_permission': _('View permission tree'),
+    'authentication.passkey': _("Passkey"),
+    'oauth2_provider.accesstoken': _("Access token"),
 }
 
 xpack_nodes = [