Redefine API prefix of PAT endpoint

application/src/main/java/run/halo/app/security/authentication/pat/PatEndpoint.java

@@ -26,7 +26,7 @@ public PatEndpoint(UserScopedPatHandler patHandler) {
     @Override
     public RouterFunction<ServerResponse> endpoint() {
         var tag = groupVersion().toString() + "/" + PersonalAccessToken.KIND;
-        return route().nest(path("/users/-/personalaccesstokens"),
+        return route().nest(path("/personalaccesstokens"),
                 () -> route()
                     .POST(patHandler::create,
                         builder -> builder

application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java

@@ -1,6 +1,5 @@
 package run.halo.app.security.authentication.pat.impl;
 
-import static org.apache.commons.lang3.StringUtils.startsWith;
 import static run.halo.app.extension.Comparators.compareCreationTimestamp;
 import static run.halo.app.security.authentication.pat.PatServerWebExchangeMatcher.PAT_TOKEN_PREFIX;
 
@@ -12,7 +11,6 @@
 import java.util.List;
 import java.util.Objects;
 import java.util.function.Predicate;
-import java.util.stream.Collectors;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
@@ -48,8 +46,6 @@
 @Service
 public class UserScopedPatHandlerImpl implements UserScopedPatHandler {
 
-    private static final String ROLE_PREFIX = AuthorityUtils.ROLE_PREFIX;
-
     private static final String ACCESS_TOKEN_ANNO_NAME = "security.halo.run/access-token";
 
     private static final NotFoundException PAT_NOT_FOUND_EX =
@@ -257,22 +253,6 @@ private Mono<Boolean> hasSufficientRoles(
         return roleService.contains(grantedRoles, requestRoles);
     }
 
-    private static boolean containsIllegalRoles(
-        Collection<? extends GrantedAuthority> grantedAuthorities,
-        List<String> roles) {
-        if (CollectionUtils.isEmpty(roles)) {
-            return false;
-        }
-        var roleSet = roles.stream()
-            .map(role -> ROLE_PREFIX + role)
-            .collect(Collectors.toSet());
-        var grantedRoleSet = grantedAuthorities.stream()
-            .map(GrantedAuthority::getAuthority)
-            .filter(authority -> startsWith(authority, ROLE_PREFIX))
-            .collect(Collectors.toSet());
-        return !grantedRoleSet.containsAll(roleSet);
-    }
-
     private Mono<PersonalAccessToken> getPat(String name, String username) {
         return client.get(PersonalAccessToken.class, name)
             .filter(pat -> Objects.equals(pat.getSpec().getUsername(), username)

application/src/main/resources/extensions/role-template-authenticated.yaml

@@ -105,11 +105,9 @@ metadata:
     halo.run/role-template: "true"
     halo.run/hidden: "true"
 rules:
-  - apiGroups: [ "api.console.security.halo.run" ]
-    resources: [ "users/personalaccesstokens" ]
-    resourceNames: [ "-" ]
+  - apiGroups: [ "api.security.halo.run" ]
+    resources: [ "personalaccesstokens" ]
     verbs: [ "*" ]
-  - apiGroups: [ "api.console.security.halo.run" ]
-    resources: [ "users/personalaccesstokens/actions" ]
-    resourceNames: [ "-" ]
+  - apiGroups: [ "api.security.halo.run" ]
+    resources: [ "personalaccesstokens/actions" ]
     verbs: [ "update" ]

console/packages/api-client/src/.openapi-generator/FILES

@@ -14,7 +14,6 @@ api/api-console-halo-run-v1alpha1-system-api.ts
 api/api-console-halo-run-v1alpha1-theme-api.ts
 api/api-console-halo-run-v1alpha1-user-api.ts
 api/api-console-migration-halo-run-v1alpha1-migration-api.ts
-api/api-console-security-halo-run-v1alpha1-personal-access-token-api.ts
 api/api-content-halo-run-v1alpha1-category-api.ts
 api/api-content-halo-run-v1alpha1-post-api.ts
 api/api-content-halo-run-v1alpha1-single-page-api.ts
@@ -26,6 +25,7 @@ api/api-halo-run-v1alpha1-stats-api.ts
 api/api-halo-run-v1alpha1-tracker-api.ts
 api/api-halo-run-v1alpha1-user-api.ts
 api/api-plugin-halo-run-v1alpha1-plugin-api.ts
+api/api-security-halo-run-v1alpha1-personal-access-token-api.ts
 api/auth-halo-run-v1alpha1-auth-provider-api.ts
 api/auth-halo-run-v1alpha1-user-connection-api.ts
 api/content-halo-run-v1alpha1-category-api.ts

console/packages/api-client/src/api.ts

@@ -25,7 +25,6 @@ export * from "./api/api-console-halo-run-v1alpha1-system-api";
 export * from "./api/api-console-halo-run-v1alpha1-theme-api";
 export * from "./api/api-console-halo-run-v1alpha1-user-api";
 export * from "./api/api-console-migration-halo-run-v1alpha1-migration-api";
-export * from "./api/api-console-security-halo-run-v1alpha1-personal-access-token-api";
 export * from "./api/api-content-halo-run-v1alpha1-category-api";
 export * from "./api/api-content-halo-run-v1alpha1-post-api";
 export * from "./api/api-content-halo-run-v1alpha1-single-page-api";
@@ -37,6 +36,7 @@ export * from "./api/api-halo-run-v1alpha1-stats-api";
 export * from "./api/api-halo-run-v1alpha1-tracker-api";
 export * from "./api/api-halo-run-v1alpha1-user-api";
 export * from "./api/api-plugin-halo-run-v1alpha1-plugin-api";
+export * from "./api/api-security-halo-run-v1alpha1-personal-access-token-api";
 export * from "./api/auth-halo-run-v1alpha1-auth-provider-api";
 export * from "./api/auth-halo-run-v1alpha1-user-connection-api";
 export * from "./api/content-halo-run-v1alpha1-category-api";