Build credential CRUD API endpoints #356

New Issue

Closed

opened 2026-02-07 17:11:44 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-07 17:11:44 +00:00

Owner

Copy Link

Phase 3b - User Credential API

Problem

Users and admins need CRUD API endpoints to manage credentials (API keys, git tokens, etc.) stored in the UserCredential table. Credential values must be encrypted via VaultService and access must be audit-logged.

Requirements

User Credential Endpoints

• POST /api/credentials - Create credential (encrypt value, store ciphertext)
• GET /api/credentials - List credentials (masked values only, NEVER plaintext)
• GET /api/credentials/:id - Get single credential (masked)
• GET /api/credentials/:id/value - Decrypt and return value (audit logged)
• PATCH /api/credentials/:id - Update metadata only (not the value)
• POST /api/credentials/:id/rotate - Replace with new encrypted value
• DELETE /api/credentials/:id - Soft-delete (set isActive=false)

Admin Secret Endpoints

• POST /api/admin/secrets - Create system-level secret (AdminGuard)
• GET /api/admin/secrets - List system secrets (AdminGuard)
• PATCH /api/admin/secrets/:id - Update system secret
• DELETE /api/admin/secrets/:id - Revoke system secret

Security Design

• User endpoints: AuthGuard + WorkspaceGuard + PermissionGuard
• Admin endpoints: AuthGuard + AdminGuard
• GET /:id/value is intentionally separate from GET /:id - listing should NEVER return plaintext
• Every decryption (GET /value) creates an audit log entry (ActivityAction.CREDENTIAL_ACCESSED)
• Create, rotate, and delete also create audit entries
• Credential value never appears in response DTOs (only maskedValue)

Implementation Notes

• CredentialsModule with controller, service, DTOs
• Inject VaultService for encrypt/decrypt
• Inject ActivityService for audit logging
• Create DTOs: CreateCredentialDto, UpdateCredentialDto, QueryCredentialDto, CredentialResponseDto
• CredentialResponseDto MUST NOT include encryptedValue field
• On create: encrypt value, generate maskedValue (last 4 chars), store
• On rotate: encrypt new value, update maskedValue and rotatedAt
• On getValue: decrypt, update lastUsedAt, log access

Files

• apps/api/src/credentials/credentials.module.ts (new)
• apps/api/src/credentials/credentials.controller.ts (new)
• apps/api/src/credentials/credentials.controller.spec.ts (new)
• apps/api/src/credentials/credentials.service.ts (new)
• apps/api/src/credentials/credentials.service.spec.ts (new)
• apps/api/src/credentials/dto/create-credential.dto.ts (new)
• apps/api/src/credentials/dto/update-credential.dto.ts (new)
• apps/api/src/credentials/dto/query-credential.dto.ts (new)
• apps/api/src/credentials/dto/credential-response.dto.ts (new)
• apps/api/src/credentials/admin-credentials.controller.ts (new)
• apps/api/src/credentials/admin-credentials.controller.spec.ts (new)
• apps/api/src/app.module.ts (modify - import CredentialsModule)

Acceptance Criteria

• All user credential CRUD endpoints working
• All admin secret endpoints working
• Values encrypted via VaultService before storage
• Plaintext never appears in list/get responses (only maskedValue)
• GET /value decrypts and returns plaintext
• All credential operations audit-logged
• RLS enforces per-user isolation
• Input validation via class-validator DTOs
• Unit tests for service logic
• Integration tests for API endpoints

Dependencies

• Depends on: UserCredential model
• Depends on: VaultService (Phase 2b)
• Blocks: Frontend credential management (Phase 4)

Refs #346

## Phase 3b - User Credential API ### Problem Users and admins need CRUD API endpoints to manage credentials (API keys, git tokens, etc.) stored in the UserCredential table. Credential values must be encrypted via VaultService and access must be audit-logged. ### Requirements #### User Credential Endpoints - POST /api/credentials - Create credential (encrypt value, store ciphertext) - GET /api/credentials - List credentials (masked values only, NEVER plaintext) - GET /api/credentials/:id - Get single credential (masked) - GET /api/credentials/:id/value - Decrypt and return value (audit logged) - PATCH /api/credentials/:id - Update metadata only (not the value) - POST /api/credentials/:id/rotate - Replace with new encrypted value - DELETE /api/credentials/:id - Soft-delete (set isActive=false) #### Admin Secret Endpoints - POST /api/admin/secrets - Create system-level secret (AdminGuard) - GET /api/admin/secrets - List system secrets (AdminGuard) - PATCH /api/admin/secrets/:id - Update system secret - DELETE /api/admin/secrets/:id - Revoke system secret ### Security Design - User endpoints: AuthGuard + WorkspaceGuard + PermissionGuard - Admin endpoints: AuthGuard + AdminGuard - GET /:id/value is intentionally separate from GET /:id - listing should NEVER return plaintext - Every decryption (GET /value) creates an audit log entry (ActivityAction.CREDENTIAL_ACCESSED) - Create, rotate, and delete also create audit entries - Credential value never appears in response DTOs (only maskedValue) ### Implementation Notes - CredentialsModule with controller, service, DTOs - Inject VaultService for encrypt/decrypt - Inject ActivityService for audit logging - Create DTOs: CreateCredentialDto, UpdateCredentialDto, QueryCredentialDto, CredentialResponseDto - CredentialResponseDto MUST NOT include encryptedValue field - On create: encrypt value, generate maskedValue (last 4 chars), store - On rotate: encrypt new value, update maskedValue and rotatedAt - On getValue: decrypt, update lastUsedAt, log access ### Files - apps/api/src/credentials/credentials.module.ts (new) - apps/api/src/credentials/credentials.controller.ts (new) - apps/api/src/credentials/credentials.controller.spec.ts (new) - apps/api/src/credentials/credentials.service.ts (new) - apps/api/src/credentials/credentials.service.spec.ts (new) - apps/api/src/credentials/dto/create-credential.dto.ts (new) - apps/api/src/credentials/dto/update-credential.dto.ts (new) - apps/api/src/credentials/dto/query-credential.dto.ts (new) - apps/api/src/credentials/dto/credential-response.dto.ts (new) - apps/api/src/credentials/admin-credentials.controller.ts (new) - apps/api/src/credentials/admin-credentials.controller.spec.ts (new) - apps/api/src/app.module.ts (modify - import CredentialsModule) ### Acceptance Criteria - [ ] All user credential CRUD endpoints working - [ ] All admin secret endpoints working - [ ] Values encrypted via VaultService before storage - [ ] Plaintext never appears in list/get responses (only maskedValue) - [ ] GET /value decrypts and returns plaintext - [ ] All credential operations audit-logged - [ ] RLS enforces per-user isolation - [ ] Input validation via class-validator DTOs - [ ] Unit tests for service logic - [ ] Integration tests for API endpoints ### Dependencies - Depends on: UserCredential model - Depends on: VaultService (Phase 2b) - Blocks: Frontend credential management (Phase 4) Refs #346

jason.woltje added this to the M9-CredentialSecurity (0.0.9) milestone 2026-02-07 17:11:44 +00:00

jason.woltje added the securityapiapip1 labels 2026-02-07 17:11:44 +00:00

jason.woltje referenced this issue 2026-02-07 17:13:29 +00:00

Security: Vault-based credential storage for agents and CI #346

jason.woltje closed this issue 2026-02-07 22:50:39 +00:00

jason.woltje referenced this issue from a commit 2026-02-07 22:51:09 +00:00

feat(#356): Build credential CRUD API endpoints

jason.woltje referenced this issue from a commit 2026-02-07 22:51:09 +00:00

chore: Update tasks.md - Issues #356 and #359 complete

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/orchestrator-widget-endpoints

fix/dashboard-widget-mock-data

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label api api p1 security

Milestone

No items

No Milestone M9-CredentialSecurity (0.0.9)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#356