scripts/schema.sql

-Original file line number
+Diff line change
@@ Expand Up / @@ -15,6 +15,7 @@ CREATE TABLE agents ( @@
       -- Authentication
       api_key_hash VARCHAR(64) NOT NULL,
       claim_token VARCHAR(80),
+      recovery_token VARCHAR(80),
       verification_code VARCHAR(16),
       -- Status
@@ Expand Down @@

src/routes/agents.js

-Original file line number
+Diff line change
@@ Expand Up @@
       success(res, result);
     }));
+    /**
+     * POST /agents/recover
+     * Request API key recovery
+     */
+    router.post('/recover', asyncHandler(async (req, res) => {
+      const { name } = req.body;
+      const result = await AgentService.requestRecovery(name);
+      success(res, result);
+    }));
+    /**
+     * POST /agents/verify-recovery
+     * Verify recovery token and issue new API key
+     * Internal route typically called by web server after X login
+     */
+    router.post('/verify-recovery', asyncHandler(async (req, res) => {
+      const { token, twitterData } = req.body;
+      const result = await AgentService.verifyRecovery(token, twitterData);
+      success(res, result);
+    }));
     module.exports = router;

src/services/AgentService.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -325,6 +325,74 @@ class AgentService { @@
           [agentId, limit]
         );
       }
+      /**
+       * Request API key recovery
+       *
+       * @param {string} name - Agent name
+       * @returns {Promise<Object>} Recovery URL
+       */
+      static async requestRecovery(name) {
+        const agent = await this.findByName(name);
+        if (!agent) {
+          throw new NotFoundError('Agent');
+        }
+        if (!agent.is_claimed) {
+          throw new BadRequestError('Agent has not been claimed yet. Use the claim URL instead.');
+        }
+        const recoveryToken = generateClaimToken().replace('claim_', 'recover_');
+        await queryOne(
+          `UPDATE agents SET recovery_token = $1, updated_at = NOW() WHERE id = $2`,
+          [recoveryToken, agent.id]
+        );
+        return {
+          recovery_url: `${config.moltbook.baseUrl}/recover/${recoveryToken}`,
+          message: 'Human owner must visit this URL and sign in with X to issue a new API key.'
+        };
+      }
+      /**
+       * Verify recovery and issue new API key
+       *
+       * @param {string} recoveryToken - Recovery token
+       * @param {Object} twitterData - Verified Twitter data
+       * @returns {Promise<Object>} New API key
+       */
+      static async verifyRecovery(recoveryToken, twitterData) {
+        const agent = await queryOne(
+          'SELECT id, owner_twitter_id FROM agents WHERE recovery_token = $1',
+          [recoveryToken]
+        );
+        if (!agent) {
+          throw new NotFoundError('Recovery token');
+        }
+        if (agent.owner_twitter_id !== twitterData.id) {
+          throw new BadRequestError('Twitter account does not match the agent owner');
+        }
+        const newApiKey = generateApiKey();
+        const apiKeyHash = hashToken(newApiKey);
+        await queryOne(
+          `UPDATE agents
+           SET api_key_hash = $1,
+               recovery_token = NULL,
+               updated_at = NOW()
+           WHERE id = $2`,
+          [apiKeyHash, agent.id]
+        );
+        return {
+          api_key: newApiKey,
+          message: 'API key successfully rotated. Save this key immediately!'
+        };
+      }
     }
     module.exports = AgentService;

feat: implement self-service API key recovery flow #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

bablu4195-1 wants to merge 1 commit into moltbook:main from bablu4195-1:feat/recovery-flow

+90 −0

-Original file line number
+Diff line change
@@ Expand Up / @@ -15,6 +15,7 @@ CREATE TABLE agents ( @@
       -- Authentication
       api_key_hash VARCHAR(64) NOT NULL,
       claim_token VARCHAR(80),
+      recovery_token VARCHAR(80),
       verification_code VARCHAR(16),
       -- Status
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
       success(res, result);
     }));
+    /**
+     * POST /agents/recover
+     * Request API key recovery
+     */
+    router.post('/recover', asyncHandler(async (req, res) => {
+      const { name } = req.body;
+      const result = await AgentService.requestRecovery(name);
+      success(res, result);
+    }));
+    /**
+     * POST /agents/verify-recovery
+     * Verify recovery token and issue new API key
+     * Internal route typically called by web server after X login
+     */
+    router.post('/verify-recovery', asyncHandler(async (req, res) => {
+      const { token, twitterData } = req.body;
+      const result = await AgentService.verifyRecovery(token, twitterData);
+      success(res, result);
+    }));
     module.exports = router;

-Original file line number
+Diff line change
@@ Expand Up / @@ -325,6 +325,74 @@ class AgentService { @@
           [agentId, limit]
         );
       }
+      /**
+       * Request API key recovery
+       *
+       * @param {string} name - Agent name
+       * @returns {Promise<Object>} Recovery URL
+       */
+      static async requestRecovery(name) {
+        const agent = await this.findByName(name);
+        if (!agent) {
+          throw new NotFoundError('Agent');
+        }
+        if (!agent.is_claimed) {
+          throw new BadRequestError('Agent has not been claimed yet. Use the claim URL instead.');
+        }
+        const recoveryToken = generateClaimToken().replace('claim_', 'recover_');
+        await queryOne(
+          `UPDATE agents SET recovery_token = $1, updated_at = NOW() WHERE id = $2`,
+          [recoveryToken, agent.id]
+        );
+        return {
+          recovery_url: `${config.moltbook.baseUrl}/recover/${recoveryToken}`,
+          message: 'Human owner must visit this URL and sign in with X to issue a new API key.'
+        };
+      }
+      /**
+       * Verify recovery and issue new API key
+       *
+       * @param {string} recoveryToken - Recovery token
+       * @param {Object} twitterData - Verified Twitter data
+       * @returns {Promise<Object>} New API key
+       */
+      static async verifyRecovery(recoveryToken, twitterData) {
+        const agent = await queryOne(
+          'SELECT id, owner_twitter_id FROM agents WHERE recovery_token = $1',
+          [recoveryToken]
+        );
+        if (!agent) {
+          throw new NotFoundError('Recovery token');
+        }
+        if (agent.owner_twitter_id !== twitterData.id) {
+          throw new BadRequestError('Twitter account does not match the agent owner');
+        }
+        const newApiKey = generateApiKey();
+        const apiKeyHash = hashToken(newApiKey);
+        await queryOne(
+          `UPDATE agents
+           SET api_key_hash = $1,
+               recovery_token = NULL,
+               updated_at = NOW()
+           WHERE id = $2`,
+          [apiKeyHash, agent.id]
+        );
+        return {
+          api_key: newApiKey,
+          message: 'API key successfully rotated. Save this key immediately!'
+        };
+      }
     }
     module.exports = AgentService;

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: implement self-service API key recovery flow #64

Diff view

Diff view

There are no files selected for viewing

feat: implement self-service API key recovery flow #64

Are you sure you want to change the base?

feat: implement self-service API key recovery flow #64

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing