feat(deployment): Add deployment management routes and enhance user session handling

Author: abdotop

.env.test

@@ -2,4 +2,8 @@ APP_ENV=test
 PORT=3021
 GOOGLE_CLIENT_ID=...test.apps.googleusercontent.com
 CLIENT_SECRET=GOC...test
-REDIRECT_URI=http://localhost:7737/api/auth/google
+REDIRECT_URI=http://localhost:7737/api/auth/google
+
+CLICKHOUSE_HOST=http://localhost:8443
+CLICKHOUSE_USER=default
+CLICKHOUSE_PASSWORD=token_pass

api/click-house-client.ts

@@ -57,7 +57,7 @@ try {
     `,
   })
 
-  log.info('deployment_logs table is ready')
+  log.info('logs table is ready')
 } catch (error) {
   log.error('Error creating ClickHouse table:', { error })
   Deno.exit(1)
@@ -85,7 +85,7 @@ async function insertLogs(
     })
     return respond.OK()
   } catch (error) {
-    log.error("Erreur lors de l'insertion des logs dans ClickHouse:", { error })
+    log.error('Error inserting logs into ClickHouse:', { error })
     throw respond.InternalServerError()
   }
 }

api/routes.ts

@@ -2,6 +2,8 @@ import { makeRouter, route } from '/api/lib/router.ts'
 import type { RequestContext } from '/api/lib/context.ts'
 import { handleGoogleCallback, initiateGoogleAuth } from './auth.ts'
 import {
+  DeploymentDef,
+  DeploymentsCollection,
   ProjectDef,
   ProjectsCollection,
   TeamDef,
@@ -10,12 +12,12 @@ import {
   UserDef,
   UsersCollection,
 } from './schema.ts'
-import { ARR, BOOL, OBJ, optional, STR } from './lib/validator.ts'
+import { ARR, BOOL, NUM, OBJ, optional, STR } from './lib/validator.ts'
 import { respond } from './lib/response.ts'
 import { deleteCookie } from 'jsr:@std/http/cookie'
 import { getPicture } from '/api/picture.ts'
 import { insertLogs, LogsInputSchema } from './click-house-client.ts'
-import { decryptMessage } from './user.ts'
+import { decryptMessage, encryptMessage } from './user.ts'
 
 const withUserSession = ({ user }: RequestContext) => {
   if (!user) throw Error('Missing user session')
@@ -28,11 +30,28 @@ const withAdminSession = ({ user }: RequestContext) => {
 const withDeploymentSession = async (ctx: RequestContext) => {
   const token = ctx.req.headers.get('Authorization')?.replace(/^Bearer /i, '')
   if (!token) throw respond.Unauthorized({ message: 'Missing token' })
-  const data = await decryptMessage(token)
-  if (!data) throw respond.Unauthorized({ message: 'Invalid token' })
-  ctx.resource = 'default'
+  const message = await decryptMessage(token)
+  if (!message) throw respond.Unauthorized({ message: 'Invalid token' })
+  const data = JSON.parse(message)
+  const dep = DeploymentsCollection.get(data?.url)
+  if (!dep || dep.tokenSalt !== data?.tokenSalt) {
+    throw respond.Unauthorized({ message: 'Invalid token' })
+  }
+  ctx.resource = dep?.url
 }
 
+const deploymentOutput = OBJ({
+  projectId: STR('The ID of the project'),
+  url: STR('The URL of the deployment'),
+  logsEnabled: BOOL('Whether logging is enabled'),
+  databaseEnabled: BOOL('Whether the database is enabled'),
+  sqlEndpoint: optional(STR('The SQL endpoint')),
+  sqlToken: optional(STR('The SQL token')),
+  createdAt: optional(NUM('The creation date of the deployment')),
+  updatedAt: optional(NUM('The last update date of the deployment')),
+  token: optional(STR('The deployment token')),
+})
+
 const defs = {
   'GET/api/health': route({
     fn: () => new Response('OK'),
@@ -193,14 +212,134 @@ const defs = {
     output: BOOL('Indicates if the project was deleted'),
     description: 'Delete a project by ID',
   }),
+  'GET/api/project/deployments': route({
+    authorize: withUserSession,
+    fn: (_ctx, { project }) => {
+      const deployments = DeploymentsCollection.filter((d) =>
+        d.projectId === project
+      )
+      if (!deployments.length) {
+        throw respond.NotFound({ message: 'Deployments not found' })
+      }
+      return deployments.map(({ tokenSalt: _, ...d }) => {
+        return {
+          ...d,
+          createdAt: d.createdAt,
+          updatedAt: d.updatedAt,
+          token: undefined,
+          sqlToken: undefined,
+          sqlEndpoint: undefined,
+        }
+      })
+    },
+    input: OBJ({ project: STR('The ID of the project') }),
+    output: ARR(deploymentOutput, 'List of deployments'),
+    description: 'Get deployments by project ID',
+  }),
+  'GET/api/deployment': route({
+    authorize: withAdminSession,
+    fn: async (_ctx, url) => {
+      const dep = DeploymentsCollection.get(url)
+      if (!dep) throw respond.NotFound()
+      const { tokenSalt, ...deployment } = dep
+      const token = await encryptMessage(
+        JSON.stringify({ url: deployment.url, tokenSalt }),
+      )
+      return {
+        ...deployment,
+        createdAt: deployment.createdAt,
+        updatedAt: deployment.updatedAt,
+        token,
+      }
+    },
+    input: STR(),
+    output: deploymentOutput,
+    description: 'Get a deployment by ID',
+  }),
+  'POST/api/deployment': route({
+    authorize: withAdminSession,
+    fn: async (_ctx, input) => {
+      const tokenSalt = performance.now().toString()
+      const { tokenSalt: _, ...deployment } = await DeploymentsCollection
+        .insert({
+          ...input,
+          tokenSalt,
+        })
+      const token = await encryptMessage(
+        JSON.stringify({ url: deployment.url, tokenSalt }),
+      )
+      return {
+        ...deployment,
+        createdAt: deployment.createdAt,
+        updatedAt: deployment.updatedAt,
+        token,
+      }
+    },
+    input: DeploymentDef,
+    output: deploymentOutput,
+    description: 'Create a new deployment',
+  }),
+  'PUT/api/deployment': route({
+    authorize: withAdminSession,
+    fn: async (_ctx, input) => {
+      const { tokenSalt, ...deployment } = await DeploymentsCollection
+        .update(input.url, input)
+      const token = await encryptMessage(
+        JSON.stringify({ url: deployment.url, tokenSalt }),
+      )
+      return {
+        ...deployment,
+        createdAt: deployment.createdAt,
+        updatedAt: deployment.updatedAt,
+        token,
+      }
+    },
+    input: DeploymentDef,
+    output: deploymentOutput,
+    description: 'Update a deployment by ID',
+  }),
+  'GET/api/deployment/token/regenerate': route({
+    authorize: withAdminSession,
+    fn: async (_ctx, input) => {
+      const dep = DeploymentsCollection.get(input)
+      if (!dep) throw respond.NotFound()
+      const tokenSalt = performance.now().toString()
+
+      const { tokenSalt: _, ...deployment } = await DeploymentsCollection
+        .update(input, { ...dep, tokenSalt })
+      const token = await encryptMessage(
+        JSON.stringify({ url: deployment.url, tokenSalt }),
+      )
+      return {
+        ...deployment,
+        createdAt: deployment.createdAt,
+        updatedAt: deployment.updatedAt,
+        token,
+      }
+    },
+    input: STR(),
+    output: deploymentOutput,
+    description: 'Regenerate a deployment token',
+  }),
+  'DELETE/api/deployment': route({
+    authorize: withAdminSession,
+    fn: async (_ctx, input) => {
+      const dep = DeploymentsCollection.get(input)
+      if (!dep) throw respond.NotFound()
+      await DeploymentsCollection.delete(input)
+      return respond.NoContent()
+    },
+    input: STR(),
+    description: 'Delete a deployment',
+  }),
   'POST/api/logs': route({
     authorize: withDeploymentSession,
     fn: (ctx, logs) => {
       if (!ctx.resource) throw respond.InternalServerError()
       return insertLogs(ctx.resource, logs)
     },
     input: LogsInputSchema,
-    description: 'Insert logs into ClickHouse',
+    description: 'Insert logs into ClickHouse NB: a Bearer token is required',
   }),
 } as const
 

api/user.ts

@@ -7,7 +7,7 @@ const encoder = new TextEncoder()
 const decoder = new TextDecoder()
 const IV_SIZE = 12 // Initialization vector (12 bytes for AES-GCM)
 
-async function encryptMessage(message: string) {
+export async function encryptMessage(message: string) {
   const iv = crypto.getRandomValues(new Uint8Array(IV_SIZE))
   const encryptedMessage = await crypto.subtle.encrypt(
     { name: 'AES-GCM', iv },

deno.json

@@ -34,7 +34,7 @@
     "preact": "npm:preact@^10.26.9",
     "@preact/preset-vite": "npm:@preact/preset-vite@^2.10.2",
     "@preact/signals": "npm:@preact/signals",
-    "@@clickhouse/client": "npm:@clickhouse/client",
+    "@clickhouse/client": "npm:@clickhouse/client",
     "@tailwindcss/vite": "npm:@tailwindcss/vite@^4.1.11",
     "tailwindcss": "npm:tailwindcss@^4.1.11",
     "daisyui": "npm:daisyui@^5.0.46",