feat: scoped Personal Access Token auth for browser-extension stock writes

[ryota-murakami]

Summary

Lets the browser extension save reading-list "stocks" without a cookie login, using a scoped, DB-backed Personal Access Token (PAT). The owner mints a token from the web Settings UI (raw nsx_pat_<64hex> shown once, SHA-256 hash stored), pastes it into the extension, and the extension sends Authorization: Bearer nsx_pat_... on the two stock-write endpoints only. Cookie login for the web app is untouched.

Server (96b9fa31, 53434887)

• New PersonalAccessToken Prisma model + migration (tokenHash UNIQUE, FK → authors ON DELETE CASCADE, revokedAt / expiresAt / lastUsedAt).
• authenticateStockPatToken validates a PAT in one atomic query (not revoked, not expired) and hydrates the full session user. The authenticateStockRequest middleware dispatches: Authorization header → PAT path, otherwise → unchanged cookie session. A bad PAT never reads or clears auth cookies (U5 confused-deputy guard).
• PAT routes: mint (cookie-gated, rate-limited in prod), list (masked — last 4 only, never the hash), revoke (owner-scoped, idempotent).
• /api/push_stock + /api/stock/exists now sit behind authenticateStockRequest; /stocklist and DELETE /stock/:id stay cookie-only.
• Logger redaction: removed console.error(JSON.stringify(error)) that serialized the Bearer header; pino redacts authorization / token paths.

Web (0bf3203c)

• Settings → "Extension Token" section to mint / copy-once / list / revoke PATs (RTK Query). W1–W3 component tests.

Extension (610feb38)

• Popup reads the PAT from chrome.storage.local and attaches it as a Bearer header on both stock calls. Additive connect / connected / reconnect UI; the save checkbox + POST stay unconditional, so the existing token-less e2e flow is unchanged — reconnect only triggers on a token-present 401.
• VITE_API_URL → VITE_API_ENDPOINT (origin only — buildPushStockApiUrl appends the path). Un-ignored .env.{development,production} so CI/prod builds inject the endpoint instead of falling back to localhost. Verified: the prod build's popup chunk targets nsx.malloc.tokyo (localhost count 0).
• host_permissions narrowed from <all_urls> to the two NSX origins (E15).

Test Coverage

• Server: personalAccessToken.test.ts (mint / list / revoke, incl. new "5abc" → 400 before any DB lookup regression), authenticateStockRequest.contract.test.ts (U1–U8 confused-deputy / scope / cookie-fallback + new lastUsedAt write failure still authenticates regression).
• Web: ExtensionToken.test.tsx (W1–W3).
• Extension: App.test.tsx (X1–X4: paste panel shown w/o token, persist + connect, Bearer attach on save, 401 → reconnect) — runs in the browser-extension CI (vitest unit).
• Root vitest: 98 passed (36 files). typecheck + lint clean.
• E2E (Playwright, root + browser-extension) runs in CI against a freshly-migrated MySQL — the only gate that exercises the unskipped NSX-80 build-config e2e and the unconditional-checkbox invariant.

Pre-Landing Review (adversarial, fresh context)

• No P0/P1. Auth bypass, scope limitation, token leakage, revocation immediacy, and the confused-deputy guard were each checked and ruled out against quoted code.
• P2 fixed (53434887): lastUsedAt made genuinely best-effort — it previously 500'd a valid token's save on a transient DB write failure; revoke id now ^\d+$-guarded — Number.parseInt('5abc', 10) had silently parsed to 5.
• P2 accepted: no total-token cap (owner-only mint → self-DoS only, single-user app); raw token resident in client memory until "Done" (inherent to the one-time-reveal UX).

Known gaps / verification

• No automated test covers the authenticated happy path end-to-end (mint → paste → save → 200 + DB row): server tests mock Prisma, extension tests mock axios, and the success-path e2e (NSX-81) stays skipped pending real-DB PAT provisioning. Token format / hash alignment checks out on paper. The real verification is a post-deploy prod smoke test.

Test plan

• Root vitest: 98 passed (36 files)
• typecheck + lint clean (max-warnings=0)
• Prod extension build injects nsx.malloc.tokyo (not localhost)
• CI: test / typecheck / lint / browser-extension E2E green
• Post-deploy prod smoke: mint → paste → save → 200 + personal_access_tokens row

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Personal Access Token (PAT) management: generate, view masked tokens, copy revealed token once, and revoke from dashboard and extension popup.

• Enhancements

  • Extension popup now supports PAT-based auth with connect/disconnect and reconnect prompts; improved save feedback and error handling.
  • Reduced extension permissions to specific API origins.

• Tests

  • Added unit, integration, and e2e tests covering PAT flows and auth behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c28ca369-7678-4ba8-b3f6-f8c8f38f4c59

📥 Commits

Reviewing files that changed from the base of the PR and between 5343488 and ce5ca3a.

📒 Files selected for processing (4)

• browser-extension/src/entrypoints/popup/usePersonalAccessToken.ts
• browser-extension/tests/e2e/api-integration.spec.ts
• server/lib/authSession.ts
• src/pages/Dashboard/Setting/ExtensionToken.tsx

🚧 Files skipped from review as they are similar to previous changes (3)

• browser-extension/src/entrypoints/popup/usePersonalAccessToken.ts
• src/pages/Dashboard/Setting/ExtensionToken.tsx
• server/lib/authSession.ts

---

📝 Walkthrough

Walkthrough

This PR implements end-to-end Personal Access Token (PAT) support: DB schema and migration, server auth and CRUD routes, logger redaction, browser-extension popup token state and auth-aware requests, web Settings UI and RTK endpoints, tests, and build/manifest updates.

Changes

Personal Access Token (PAT) System

Layer / File(s)	Summary
PAT Data Models & API Contracts prisma/schema.prisma, prisma/migrations/*, @types/response.d.ts, server/lib/requestSchemas.ts	PersonalAccessToken model with hashed token storage and metadata; Prisma migration creates table; response types expose masked token list and one-time raw token on mint; mint request body validated.
Server PAT CRUD Handlers & Routes server/routes/personalAccessToken.ts, server/api.ts	Mint returns raw token once and stores only hashed token+suffix (rate-limited in prod); list returns masked fields only; revoke is idempotent and owner-scoped; router mounted into API.
PAT Authentication Infrastructure server/lib/authSession.ts, server/auth.ts, server/routes/stock.ts, server/lib/Logger.ts	Shared SHA‑256 hashToken; authenticateStockPatToken validates Bearer PAT via atomic Prisma query and updates lastUsedAt best-effort; authenticateStockRequest dispatches between cookie session and PAT auth; stock routes use new dispatcher; logger redaction expanded for PAT fields.
Browser Extension Token State Management browser-extension/src/entrypoints/popup/constants.ts, browser-extension/src/entrypoints/popup/utils/patStorage.ts, browser-extension/src/entrypoints/popup/usePersonalAccessToken.ts	PAT storage key and UI messages; chrome.storage.local helpers to read/write/clear token; usePersonalAccessToken hook loads persisted token on mount, exposes connect/disconnect/markRejected and guards state updates after unmount.
Extension Request Configuration & Error Handling browser-extension/src/entrypoints/popup/utils/buildStockRequestConfig.ts, browser-extension/src/entrypoints/popup/utils/isUnauthorizedResponse.ts, browser-extension/src/entrypoints/popup/utils/logStockRequestError.ts	buildStockRequestConfig attaches Authorization: Bearer when token present; isUnauthorizedResponse detects Axios 401 responses; logStockRequestError logs redacted status/message only.
Popup UI Integration browser-extension/src/entrypoints/popup/App.tsx, browser-extension/src/entrypoints/popup/style.css	App integrates token hook: existence-check and save use auth-aware config; 401 marks token rejected and triggers reconnect UI; errors reset state and are logged; UI shows connect/paste panel or connected status and reconnect notice. CSS adds PAT panel styles and min-height layout.
Web Dashboard Settings Page src/pages/Dashboard/Setting/ExtensionToken.tsx, src/pages/Dashboard/Setting/index.tsx	New ExtensionToken component lists masked tokens, mints a raw token once (reveal + copy), revokes tokens; shows locale-formatted dates and error alerts; wired into Settings tabs.
RTK Query API Integration src/redux/API.ts	Adds PersonalAccessTokens tag type and endpoints: get list query, mint mutation, revoke mutation; exports useGetPersonalAccessTokensQuery, useMintPersonalAccessTokenMutation, useRevokePersonalAccessTokenMutation.
Extension Build Configuration browser-extension/.env.development, browser-extension/.env.production, browser-extension/.gitignore, browser-extension/wxt.config.ts	VITE_API_ENDPOINT defined for dev/prod builds; .gitignore adjusted to ship non-secret env files; WXT manifest narrows host_permissions to explicit origins and repositions icons.
Tests: Unit, Contract & Integration browser-extension/tests/setup.ts, browser-extension/tests/unit/entrypoints/popup/App.test.tsx, server/routes/personalAccessToken.test.ts, server/lib/authenticateStockRequest.contract.test.ts, src/pages/Dashboard/Setting/ExtensionToken.test.tsx, browser-extension/tests/e2e/api-integration.spec.ts	Vitest test setup updated; popup unit tests for connect/save/401 reconnect; server route tests for mint/list/revoke behaviors and data safety; authenticateStockRequest contract tests PAT and cookie paths and resilience of lastUsedAt update; Settings UI tests cover reveal/copy/list/revoke; E2E test for VITE_API_ENDPOINT enabled.

Sequence Diagram(s)

sequenceDiagram
  participant Popup as Browser Extension Popup
  participant AuthBuilder as buildStockRequestConfig
  participant StockAPI as Server /push_stock or /stock/exists
  participant AuthDispatcher as authenticateStockRequest
  participant Prisma as Database (Prisma)

  Popup->>AuthBuilder: attach Bearer header when token present
  Popup->>StockAPI: request (with/without Authorization)
  StockAPI->>AuthDispatcher: middleware invoked
  AuthDispatcher->>Prisma: findFirst(tokenHash, not revoked, not expired) if Authorization present
  Prisma-->>AuthDispatcher: user or null
  AuthDispatcher-->>StockAPI: set req.authenticatedUser or return 401
  StockAPI-->>Popup: 200/201 or 401/409

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• Extension login flow — PR2: scoped PAT auth for stock writes (E3–E16) #3784: Same PAT feature request covering DB model, server auth, routes, and extension popup flow; this PR implements those objectives.

Possibly related PRs

• laststance/nsx#3764: Related auth/session refactor that this PR builds upon.
• laststance/nsx#3763: Overlaps with introduced Zod request schemas and validation.
• laststance/nsx#3785: Contract-test scaffold that the authenticateStockRequest tests complete.

Poem

🐰 I minted keys beneath the moonlit code,
I hid the hashes down a secret road,
One-time token shown, then gently swept,
Extensions hum while servers safely kept,
A rabbit copies, pastes — the system glows.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: enabling Personal Access Token authentication for browser-extension stock writes, which is the primary objective of this large multi-part feature addition.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/extension-login-flow

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed: dependency version conflict. Check your lock file or package.json.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

browser-extension/tests/e2e/api-integration.spec.ts (1)

167-202: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Fix E2E test to not “happy-path” save without auth (and to actually assert success)
File: browser-extension/tests/e2e/api-integration.spec.ts (around lines 167-202)

• POST /api/push_stock is protected: when Authorization is absent, authenticateStockRequest falls back to cookie-session auth (isAuthorized), which returns 401 when no cookies/JWT are present.
• The popup save flow only sets Authorization: Bearer <token> when chrome.storage.local contains nsx_pat (buildStockRequestConfig(token) returns {} when token is null). This spec never connects/pastes a PAT, and openPopup() only stubs /api/stock/exists—so the real save request is very likely unauthenticated (401).
• The test doesn’t fail even if the save fails: it calls await verifySuccessMessage(popupPage) but does not assert the returned boolean.

Suggested adjustment: either seed a valid nsx_pat (or mock successful auth) and assert verifySuccessMessage(...) === true, or change the test to explicitly expect the unauthenticated/401 path.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@browser-extension/tests/e2e/api-integration.spec.ts` around lines 167 - 202,
The test currently happy-paths a save without seeding authentication and never
asserts the result, so either seed a valid PAT in extension storage before
opening the popup or mock the auth/save endpoints and also assert the success
boolean; specifically, before calling openPopup(...) set chrome.storage.local
nsx_pat (so buildStockRequestConfig(token) attaches Authorization) or stub the
POST /api/push_stock to return 200, then replace await
verifySuccessMessage(popupPage) with const ok = await
verifySuccessMessage(popupPage); expect(ok).toBe(true) to ensure the save
actually succeeded (see openPopup, verifySuccessMessage,
buildStockRequestConfig, authenticateStockRequest, nsx_pat).

🧹 Nitpick comments (1)

browser-extension/src/entrypoints/popup/style.css (1)

21-76: ⚖️ Poor tradeoff

PAT panel styles lack dark-mode support.

The new .pat-* rules use fixed light-theme hex colors (e.g. borders, label/notice text) with no dark variants, so the panel won't adapt in dark mode. Add dark-mode handling (Tailwind dark variants/config or a prefers-color-scheme block) consistent with the main app.

As per coding guidelines: "Use TailwindCSS for styling in popup UI, with support for dark mode using the same config as main app".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@browser-extension/src/entrypoints/popup/style.css` around lines 21 - 76, The
PAT panel CSS uses hard-coded light-theme hex colors; update the selectors
(.pat-connect/.pat-connected, .pat-input, .pat-connect-btn/.pat-disconnect-btn,
.pat-connected-label, .pat-reconnect-notice, .pat-connect-label) to support dark
mode by using the same approach as the main app: replace fixed hex values with
the app's Tailwind dark variants or shared CSS variables and/or add a
prefers-color-scheme: dark block that sets the dark equivalents (borders,
background, label/notice colors, button background/opacity) consistent with the
main app theme; ensure disabled state (.pat-connect-btn:disabled) also adapts in
dark mode.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@browser-extension/src/entrypoints/popup/usePersonalAccessToken.ts`:
- Around line 43-53: The useEffect that calls readStoredPatToken() can reject
and leave isLoading true; update the promise chain for readStoredPatToken()
inside the effect to add a .catch handler that (when isActive) sets isLoading
false (and optionally clears token or logs error), and keep the existing success
path (setToken and setIsLoading(false)) and the isActive guard; i.e., modify the
readStoredPatToken().then(...) call to readStoredPatToken().then(...).catch(err
=> { if (!isActive) return; setIsLoading(false); /* optional: handle/log err */
}) so failures no longer pin loading state.

In `@server/lib/authSession.ts`:
- Around line 349-358: The extractBearerToken function currently only matches a
case-sensitive single-space "Bearer " prefix; update its parsing to accept
case-insensitive scheme and flexible whitespace by using a case-insensitive
regex (e.g. /^Bearer\s+(.+)$/i) or equivalent splitting logic on the first
whitespace, then trim the captured token and return null for empty tokens;
update the matching line in extractBearerToken to use the new regex and keep the
same null-return behavior for missing/malformed tokens.

In `@src/pages/Dashboard/Setting/ExtensionToken.tsx`:
- Around line 139-146: The token name input currently uses only a placeholder
and needs a stable accessible label; update the input with an accessible name by
either adding aria-label="Token name" to the input element that has value={name}
and data-testid="token-name-input" or add a visible <label
htmlFor="token-name-input">Token name</label> and give the input
id="token-name-input" so screen readers receive a permanent label; ensure the
onChange handler (setName) remains unchanged and the test id is preserved.
- Around line 68-72: The handleCopy function currently calls
navigator.clipboard.writeText(mintedToken.token) without handling
navigator.clipboard being undefined or writeText rejecting; wrap the copy logic
in a try/catch, check for navigator.clipboard before calling writeText, and on
failure fall back to a DOM-based copy (e.g., create a temporary textarea, set
its value to mintedToken.token, select and document.execCommand('copy'), then
remove it); always call setDidCopy(true) on successful copy and provide a
failure path that sets an error state or triggers user feedback when both
clipboard and fallback fail, referencing handleCopy, mintedToken,
navigator.clipboard, writeText, setDidCopy and the fallback
textarea/document.execCommand approach.

---

Outside diff comments:
In `@browser-extension/tests/e2e/api-integration.spec.ts`:
- Around line 167-202: The test currently happy-paths a save without seeding
authentication and never asserts the result, so either seed a valid PAT in
extension storage before opening the popup or mock the auth/save endpoints and
also assert the success boolean; specifically, before calling openPopup(...) set
chrome.storage.local nsx_pat (so buildStockRequestConfig(token) attaches
Authorization) or stub the POST /api/push_stock to return 200, then replace
await verifySuccessMessage(popupPage) with const ok = await
verifySuccessMessage(popupPage); expect(ok).toBe(true) to ensure the save
actually succeeded (see openPopup, verifySuccessMessage,
buildStockRequestConfig, authenticateStockRequest, nsx_pat).

---

Nitpick comments:
In `@browser-extension/src/entrypoints/popup/style.css`:
- Around line 21-76: The PAT panel CSS uses hard-coded light-theme hex colors;
update the selectors (.pat-connect/.pat-connected, .pat-input,
.pat-connect-btn/.pat-disconnect-btn, .pat-connected-label,
.pat-reconnect-notice, .pat-connect-label) to support dark mode by using the
same approach as the main app: replace fixed hex values with the app's Tailwind
dark variants or shared CSS variables and/or add a prefers-color-scheme: dark
block that sets the dark equivalents (borders, background, label/notice colors,
button background/opacity) consistent with the main app theme; ensure disabled
state (.pat-connect-btn:disabled) also adapts in dark mode.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 1bd42db9-ae48-4bbb-8c1c-61937d2b7466

📥 Commits

Reviewing files that changed from the base of the PR and between 19358d2 and 5343488.

📒 Files selected for processing (31)

• @types/response.d.ts
• browser-extension/.env.development
• browser-extension/.env.production
• browser-extension/.gitignore
• browser-extension/src/entrypoints/popup/App.tsx
• browser-extension/src/entrypoints/popup/constants.ts
• browser-extension/src/entrypoints/popup/style.css
• browser-extension/src/entrypoints/popup/usePersonalAccessToken.ts
• browser-extension/src/entrypoints/popup/utils/buildStockRequestConfig.ts
• browser-extension/src/entrypoints/popup/utils/isUnauthorizedResponse.ts
• browser-extension/src/entrypoints/popup/utils/logStockRequestError.ts
• browser-extension/src/entrypoints/popup/utils/patStorage.ts
• browser-extension/tests/e2e/api-integration.spec.ts
• browser-extension/tests/setup.ts
• browser-extension/tests/unit/entrypoints/popup/App.test.tsx
• browser-extension/wxt.config.ts
• prisma/migrations/20260530141710_add_personal_access_tokens/migration.sql
• prisma/schema.prisma
• server/api.ts
• server/auth.ts
• server/lib/Logger.ts
• server/lib/authSession.ts
• server/lib/authenticateStockRequest.contract.test.ts
• server/lib/requestSchemas.ts
• server/routes/personalAccessToken.test.ts
• server/routes/personalAccessToken.ts
• server/routes/stock.ts
• src/pages/Dashboard/Setting/ExtensionToken.test.tsx
• src/pages/Dashboard/Setting/ExtensionToken.tsx
• src/pages/Dashboard/Setting/index.tsx
• src/redux/API.ts

[ryota-murakami]

Addressed CodeRabbit review findings in ce5ca3a:

Fixed (4 inline threads resolved):

• usePersonalAccessToken.ts — clear isLoading via .finally so a failed chrome.storage read can't pin loading and stall the existence check.
• server/lib/authSession.ts — extractBearerToken now uses /^Bearer\s+(.+)$/i (case-insensitive scheme + flexible whitespace, RFC 7235).
• ExtensionToken.tsx handleCopy — wrapped clipboard.writeText in try/catch with a manual-copy fallback message.
• ExtensionToken.tsx — added aria-label="Token name" to the token-name input.

Fixed (outside-diff, Major):

• api-integration.spec.ts 'uses correct VITE_API_ENDPOINT' — stub POST /api/push_stock→200 and assert verifySuccessMessage is true, so the test no longer silently passes on a 401 (auth is now required for stock writes).

Skipped with reason (nitpick):

• popup/style.css dark-mode for .pat-* — out of scope for this auth PR. The entire popup (.twitter-btn, .result, and all pre-existing rules) uses hardcoded light-theme colors with no dark variants; adding dark mode only to the new PAT panel would be inconsistent. Better handled as a dedicated popup theming change.

@coderabbitai review

[coderabbitai]

@ryota-murakami Thanks for the thorough write-up! All five fixes look solid:

• .finally for isLoading — correct guard; a rejected chrome.storage read can no longer pin the loading state and block the existence check.
• RFC 7235 extractBearerToken regex — /^Bearer\s+(.+)$/i with case-insensitive scheme and flexible whitespace is the right call.
• handleCopy try/catch — good fallback for environments where navigator.clipboard is unavailable or denied.
• aria-label="Token name" — accessibility improvement appreciated.
• api-integration.spec.ts stub + assertion — stubbing POST /api/push_stock → 200 and asserting verifySuccessMessage closes the silent-pass loophole properly.

The dark-mode deferral rationale is sound — adding dark-mode rules only to .pat-* while the rest of the popup stays hardcoded light-theme would be inconsistent. A dedicated theming follow-up makes more sense.

Triggering a fresh review now.

(´• ω •`) 🐇

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.