feat(auth): support API tokens and bearer token authentication

- Add backend services to create, list, and delete API tokens.
- Implement Bearer token authentication to resolve tokens to users.
- Register HTTP routes for managing user tokens under `/account/tokens`.
- Add tests to verify that uploads with valid Bearer tokens associate the upload with the correct user, while invalid tokens fall back to anonymous uploads.

backend/libs/handlers/accounts_test.go

@@ -67,6 +67,61 @@ func TestLoggedInUploadStoresOwnerAndAnonymousUploadDoesNot(t *testing.T) {
 	}
 }
 
+func TestBearerTokenUploadActsAsUser(t *testing.T) {
+	app, cleanup := newTestApp(t)
+	defer cleanup()
+
+	user, err := app.authService.CreateBootstrapUser("daniel", "daniel@example.test", "password123")
+	if err != nil {
+		t.Fatalf("CreateBootstrapUser returned error: %v", err)
+	}
+	tokenResult, err := app.authService.CreateAPIToken(user.ID, "cli")
+	if err != nil {
+		t.Fatalf("CreateAPIToken returned error: %v", err)
+	}
+
+	request := multipartUploadRequest(t, "/api/v1/upload", "file", "owned.txt", "owned")
+	request.Header.Set("Accept", "application/json")
+	request.Header.Set("Authorization", "Bearer "+tokenResult.Plaintext)
+	response := httptest.NewRecorder()
+	app.Upload(response, request)
+	if response.Code != http.StatusCreated {
+		t.Fatalf("token upload status = %d, body = %s", response.Code, response.Body.String())
+	}
+	var payload services.UploadResult
+	if err := json.Unmarshal(response.Body.Bytes(), &payload); err != nil {
+		t.Fatalf("json.Unmarshal returned error: %v", err)
+	}
+	box, err := app.uploadService.GetBox(payload.BoxID)
+	if err != nil {
+		t.Fatalf("GetBox returned error: %v", err)
+	}
+	if box.OwnerID != user.ID {
+		t.Fatalf("OwnerID = %q, want %q", box.OwnerID, user.ID)
+	}
+
+	// An invalid bearer token must not authenticate as the user.
+	badRequest := multipartUploadRequest(t, "/api/v1/upload", "file", "x.txt", "x")
+	badRequest.Header.Set("Accept", "application/json")
+	badRequest.Header.Set("Authorization", "Bearer wbx_bogus.secret")
+	badResponse := httptest.NewRecorder()
+	app.Upload(badResponse, badRequest)
+	if badResponse.Code != http.StatusCreated {
+		t.Fatalf("anonymous fallback upload status = %d, body = %s", badResponse.Code, badResponse.Body.String())
+	}
+	var badPayload services.UploadResult
+	if err := json.Unmarshal(badResponse.Body.Bytes(), &badPayload); err != nil {
+		t.Fatalf("json.Unmarshal returned error: %v", err)
+	}
+	badBox, err := app.uploadService.GetBox(badPayload.BoxID)
+	if err != nil {
+		t.Fatalf("GetBox returned error: %v", err)
+	}
+	if badBox.OwnerID != "" {
+		t.Fatalf("invalid token OwnerID = %q, want empty", badBox.OwnerID)
+	}
+}
+
 func TestInviteHandlerCreatesUserAndMarksInviteUsed(t *testing.T) {
 	app, cleanup := newTestApp(t)
 	defer cleanup()

backend/libs/handlers/app.go

@@ -56,6 +56,8 @@ func (a *App) RegisterRoutes(mux *http.ServeMux) {
 	mux.HandleFunc("POST /app/boxes/{boxID}/delete", a.DeleteUserBox)
 	mux.HandleFunc("GET /account/settings", a.AccountSettings)
 	mux.HandleFunc("POST /account/password", a.ChangePassword)
+	mux.HandleFunc("POST /account/tokens", a.CreateUserToken)
+	mux.HandleFunc("POST /account/tokens/{tokenID}/delete", a.DeleteUserToken)
 	mux.HandleFunc("GET /admin/login", a.AdminLogin)
 	mux.HandleFunc("POST /admin/login", a.AdminLoginPost)
 	mux.HandleFunc("POST /admin/logout", a.AdminLogout)

backend/libs/handlers/auth.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"net/http"
+	"strings"
 	"time"
 
 	"warpbox.dev/backend/libs/services"
@@ -122,16 +123,92 @@ func (a *App) InvitePost(w http.ResponseWriter, r *http.Request) {
 	a.loginAndRedirect(w, r, user.Email, r.FormValue("password"), "/app")
 }
 
+type apiTokenView struct {
+	ID         string
+	Name       string
+	CreatedAt  string
+	LastUsedAt string
+}
+
+type accountData struct {
+	ID       string
+	Email    string
+	Role     string
+	Tokens   []apiTokenView
+	NewToken string
+	Error    string
+}
+
 func (a *App) AccountSettings(w http.ResponseWriter, r *http.Request) {
 	user, ok := a.requireUser(w, r)
 	if !ok {
 		return
 	}
-	a.renderPage(w, r, http.StatusOK, "account.html", web.PageData{
+	a.renderAccount(w, r, http.StatusOK, user, accountData{})
+}
+
+// CreateUserToken mints a new personal access token and renders the account
+// page with the one-time plaintext shown. The secret is never recoverable after
+// this response.
+func (a *App) CreateUserToken(w http.ResponseWriter, r *http.Request) {
+	user, ok := a.requireUser(w, r)
+	if !ok || !a.validateCSRF(w, r) {
+		return
+	}
+	if err := r.ParseForm(); err != nil {
+		a.renderAccount(w, r, http.StatusBadRequest, user, accountData{Error: "Unable to read form."})
+		return
+	}
+	result, err := a.authService.CreateAPIToken(user.ID, r.FormValue("name"))
+	if err != nil {
+		a.logger.Warn("api token create failed", "source", "user_activity", "severity", "warn", "code", 4420, "user_id", user.ID, "error", err.Error())
+		a.renderAccount(w, r, http.StatusBadRequest, user, accountData{Error: "Could not create token."})
+		return
+	}
+	a.logger.Info("api token created", "source", "user_activity", "severity", "user_activity", "code", 2420, "user_id", user.ID, "token_id", result.Token.ID)
+	a.renderAccount(w, r, http.StatusOK, user, accountData{NewToken: result.Plaintext})
+}
+
+func (a *App) DeleteUserToken(w http.ResponseWriter, r *http.Request) {
+	user, ok := a.requireUser(w, r)
+	if !ok || !a.validateCSRF(w, r) {
+		return
+	}
+	if err := a.authService.DeleteAPIToken(user.ID, r.PathValue("tokenID")); err != nil {
+		a.logger.Warn("api token delete failed", "source", "user_activity", "severity", "warn", "code", 4421, "user_id", user.ID, "error", err.Error())
+	}
+	http.Redirect(w, r, "/account/settings", http.StatusSeeOther)
+}
+
+func (a *App) renderAccount(w http.ResponseWriter, r *http.Request, status int, user services.User, data accountData) {
+	tokens, err := a.authService.ListAPITokens(user.ID)
+	if err != nil {
+		http.Error(w, "unable to load tokens", http.StatusInternalServerError)
+		return
+	}
+	views := make([]apiTokenView, 0, len(tokens))
+	for _, token := range tokens {
+		lastUsed := "Never"
+		if token.LastUsedAt != nil {
+			lastUsed = token.LastUsedAt.Format("Jan 2, 2006 15:04")
+		}
+		views = append(views, apiTokenView{
+			ID:         token.ID,
+			Name:       token.Name,
+			CreatedAt:  token.CreatedAt.Format("Jan 2, 2006"),
+			LastUsedAt: lastUsed,
+		})
+	}
+	data.ID = user.ID
+	data.Email = user.Email
+	data.Role = user.Role
+	data.Tokens = views
+
+	a.renderPage(w, r, status, "account.html", web.PageData{
 		Title:       "Account settings",
 		Description: "Manage your Warpbox account.",
 		CurrentUser: a.authService.PublicUser(user),
-		Data:        user,
+		Data:        data,
 	})
 }
 
@@ -174,6 +251,17 @@ func (a *App) loginAndRedirect(w http.ResponseWriter, r *http.Request, email, pa
 }
 
 func (a *App) currentUser(r *http.Request) (services.User, bool) {
+	// Personal access tokens via Authorization: Bearer act as their owning user.
+	// A bearer header is never set by browsers cross-site, so this path is not
+	// subject to CSRF and intentionally bypasses the session cookie.
+	if header := r.Header.Get("Authorization"); header != "" {
+		if raw, ok := strings.CutPrefix(header, "Bearer "); ok {
+			if user, err := a.authService.UserForAPIToken(raw); err == nil {
+				return user, true
+			}
+			return services.User{}, false
+		}
+	}
 	cookie, err := r.Cookie(userSessionCookieName)
 	if err != nil {
 		return services.User{}, false