refactored PUT /api/vaults/{v}/access-tokens/{u} → POST /api/vaults/{v}/access-tokens

backend/src/main/java/org/cryptomator/hub/api/VaultResource.java

@@ -11,6 +11,7 @@
 import jakarta.transaction.Transactional;
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotEmpty;
 import jakarta.validation.constraints.NotNull;
 import jakarta.ws.rs.BadRequestException;
 import jakarta.ws.rs.ClientErrorException;
@@ -52,7 +53,6 @@
 import org.cryptomator.hub.validation.NoHtmlOrScriptChars;
 import org.cryptomator.hub.validation.OnlyBase64Chars;
 import org.cryptomator.hub.validation.ValidId;
-import org.cryptomator.hub.validation.ValidJWE;
 import org.cryptomator.hub.validation.ValidJWS;
 import org.eclipse.microprofile.jwt.JsonWebToken;
 import org.eclipse.microprofile.openapi.annotations.Operation;
@@ -65,6 +65,7 @@
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.UUID;
 import java.util.stream.Stream;
@@ -341,34 +342,42 @@ public String unlock(@PathParam("vaultId") UUID vaultId, @QueryParam("evenIfArch
 		}
 	}
 
-	@PUT
-	@Path("/{vaultId}/access-tokens/{userId}")
+	@POST
+	@Path("/{vaultId}/access-tokens")
 	@RolesAllowed("user")
 	@VaultRole(VaultAccess.Role.OWNER) // may throw 403
 	@Transactional
-	@Consumes(MediaType.TEXT_PLAIN)
-	@Operation(summary = "adds a user-specific vault key")
-	@APIResponse(responseCode = "201", description = "user-specific key stored")
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Operation(summary = "adds user-specific vault keys", description = "Stores one or more user-vaultkey-tuples, as defined in the request body ({user1: token1, user2: token2, ...}). Non-existing users are skipped.")
+	@APIResponse(responseCode = "200", description = "at least one key stored")
 	@APIResponse(responseCode = "403", description = "not a vault owner")
-	@APIResponse(responseCode = "404", description = "userId not found")
+	@APIResponse(responseCode = "404", description = "none of the specified users have been found")
 	@APIResponse(responseCode = "409", description = "access to vault for device already granted")
-	@APIResponse(responseCode = "410", description = "Vault is archived")
-	public Response grantAccess(@PathParam("vaultId") UUID vaultId, @PathParam("userId") @ValidId String userId, @NotNull @ValidJWE String vaultKey) {
-		var user = User.<User>findByIdOptional(userId).orElseThrow(NotFoundException::new);
+	@APIResponse(responseCode = "410", description = "vault is archived")
+	public Response grantAccess(@PathParam("vaultId") UUID vaultId, @NotEmpty Map<String, String> tokens) {
 		var vault = Vault.<Vault>findById(vaultId); // should always be found, since @VaultRole filter would have triggered
 		if (vault.archived) {
 			throw new GoneException("Vault is archived.");
 		}
 
-		var access = new AccessToken();
-		access.vault = vault;
-		access.user = user;
-		access.vaultKey = vaultKey;
-
 		try {
-			access.persistAndFlush();
-			AuditEventVaultAccessGrant.log(jwt.getSubject(), vaultId, userId);
-			return Response.created(URI.create(".")).build();
+			boolean addedAtLeastOne = false;
+			for (var entry : tokens.entrySet()) {
+				var userId = entry.getKey();
+				var user = User.<User>findByIdOptional(userId);
+				if (user.isPresent()) {
+					var access = new AccessToken();
+					access.vault = vault;
+					access.user = user.get();
+					access.vaultKey = entry.getValue();
+					access.persistAndFlush();
+					AuditEventVaultAccessGrant.log(jwt.getSubject(), vaultId, userId);
+					addedAtLeastOne = true;
+				}
+			}
+			return addedAtLeastOne
+					? Response.ok().build()
+					: Response.status(Response.Status.NOT_FOUND).build();
 		} catch (ConstraintViolationException e) {
 			throw new ClientErrorException(Response.Status.CONFLICT, e);
 		}

backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java

@@ -40,6 +40,7 @@
 import java.sql.SQLException;
 import java.time.Instant;
 import java.util.Base64;
+import java.util.Map;
 import java.util.UUID;
 
 import static io.restassured.RestAssured.given;
@@ -311,56 +312,68 @@ public void testUpdateVault() {
 	public class GrantAccess {
 
 		@Test
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens/user999 returns 201")
+		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 200 for [user998, user999, user666]")
 		public void testGrantAccess1() throws SQLException {
 			try (var s = dataSource.getConnection().createStatement()) {
 				s.execute("""
+						INSERT INTO "authority" ("id", "type", "name") VALUES ('user998', 'USER', 'User 998');
 						INSERT INTO "authority" ("id", "type", "name") VALUES ('user999', 'USER', 'User 999');
+						INSERT INTO "user_details" ("id") VALUES ('user998');
 						INSERT INTO "user_details" ("id") VALUES ('user999');
-						INSERT INTO "group_membership" ("group_id", "member_id") VALUES ('group2', 'user999')
+						INSERT INTO "group_membership" ("group_id", "member_id") VALUES ('group2', 'user998');
+						INSERT INTO "group_membership" ("group_id", "member_id") VALUES ('group2', 'user999');
 						""");
 			}
 
-			given().contentType(ContentType.TEXT).body("jwe.jwe.jwe.vault1.user999")
-					.when().put("/vaults/{vaultId}/access-tokens/{userId}", "7E57C0DE-0000-4000-8000-000100001111", "user999")
-					.then().statusCode(201);
+			given().contentType(ContentType.JSON).body(Map.of("user998", "jwe.jwe.jwe.vault1.user998", "user999", "jwe.jwe.jwe.vault1.user999", "user666", "jwe.jwe.jwe.vault1.user666"))
+					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
+					.then().statusCode(200);
 
 			try (var s = dataSource.getConnection().createStatement()) {
 				s.execute("""
+						DELETE FROM "authority" WHERE "id" = 'user998';
 						DELETE FROM "authority" WHERE "id" = 'user999';
 						""");
 			}
 		}
 
 		@Test
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens/user1 returns 409 due to user access already granted")
+		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 409 for user1")
 		public void testGrantAccess2() {
-			given().contentType(ContentType.TEXT).body("jwe.jwe.jwe.vault1.user1")
-					.when().put("/vaults/{vaultId}/access-tokens/{userId}", "7E57C0DE-0000-4000-8000-000100001111", "user1")
+			given().contentType(ContentType.JSON).body(Map.of("user1", "jwe.jwe.jwe.vault1.user1"))
+					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(409);
 		}
 
 		@Test
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-BADBADBADBAD/access-tokens/user1 returns 403 (not owning a nonexisting vault)")
+		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-BADBADBADBAD/access-tokens returns 403 (not owning this vault)")
 		public void testGrantAccess3() {
-			given().contentType(ContentType.TEXT).body("jwe.jwe.jwe.vault666.user1")
-					.when().put("/vaults/{vaultId}/access-tokens/{userId}", "7E57C0DE-0000-4000-8000-BADBADBADBAD", "user1")
+			given().contentType(ContentType.JSON).body(Map.of("user1", "jwe.jwe.jwe.vault666.user1"))
+					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-BADBADBADBAD")
 					.then().statusCode(403);
 		}
 
 		@Test
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens/nonExistingUser returns 404 (no such user)")
+		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 404 for nonExistingUser")
 		public void testGrantAccess4() {
-			given().contentType(ContentType.TEXT).body("jwe.jwe.jwe.vault2.user666")
-					.when().put("/vaults/{vaultId}/access-tokens/{userId}", "7E57C0DE-0000-4000-8000-000100001111", "nonExistingUser")
+			given().contentType(ContentType.JSON).body(Map.of("user666", "jwe.jwe.jwe.vault1.user666"))
+					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(404);
 		}
 
 		@Test
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-00010000AAAA/access-tokens/user1 returns 410")
+		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 400 for empty body")
+		public void testGrantAccess5() {
+			given().contentType(ContentType.JSON).body(Map.of())
+					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
+					.then().statusCode(400);
+		}
+
+		@Test
+		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-00010000AAAA/access-tokens returns 410")
 		public void testGrantAccessArchived() {
-			given().contentType(ContentType.TEXT).body("jwe3.jwe3.jwe3.jwe3.jwe3")
-					.when().put("/vaults/{vaultId}/access-tokens/{userId}", "7E57C0DE-0000-4000-8000-00010000AAAA", "user1")
+			given().contentType(ContentType.JSON).body(Map.of("user1", "jwe.jwe.jwe.vaultAAA.user1"))
+					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-00010000AAAA")
 					.then().statusCode(410);
 		}
 
@@ -477,11 +490,11 @@ public void testGetUsersRequiringAccess2() throws SQLException {
 
 		@Test
 		@Order(11)
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100002222/access-tokens/user2 returns 201")
+		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100002222/access-tokens for user2 returns 200")
 		public void testGrantAccess() {
-			given().contentType(ContentType.TEXT).body("jwe.jwe.jwe.vault2.user2")
-					.when().put("/vaults/{vaultId}/access-tokens/{userId}", "7E57C0DE-0000-4000-8000-000100002222", "user2")
-					.then().statusCode(201);
+			given().contentType(ContentType.JSON).body(Map.of("user2", "jwe.jwe.jwe.vault2.user2"))
+					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100002222")
+					.then().statusCode(200);
 		}
 
 		@Test
@@ -577,11 +590,11 @@ public void testGetUsersRequiringAccess3() {
 
 		@Test
 		@Order(5)
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens/user999 returns 201")
+		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens for user999 returns 200")
 		public void testGrantAccess2() {
-			given().contentType(ContentType.TEXT).body("jwe.jwe.jwe.vault2.user999")
-					.when().put("/vaults/{vaultId}/access-tokens/{userId}", "7E57C0DE-0000-4000-8000-000100001111", "user999")
-					.then().statusCode(201);
+			given().contentType(ContentType.JSON).body(Map.of("user999", "jwe.jwe.jwe.vault2.user999"))
+					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
+					.then().statusCode(200);
 		}
 
 		@Test

frontend/src/common/backend.ts

@@ -59,6 +59,11 @@ export type DeviceDto = {
 
 export type VaultRole = 'MEMBER' | 'OWNER';
 
+export type AccessGrant = {
+  userId: string,
+  token: string
+};
+
 enum AuthorityType {
   User = 'USER',
   Group = 'GROUP'
@@ -265,8 +270,12 @@ class VaultService {
       .catch((error) => rethrowAndConvertIfExpected(error, 403));
   }
 
-  public async grantAccess(vaultId: string, userId: string, jwe: string) {
-    await axiosAuth.put(`/vaults/${vaultId}/access-tokens/${userId}`, jwe, { headers: { 'Content-Type': 'text/plain' } })
+  public async grantAccess(vaultId: string, ...grants: AccessGrant[]) {
+    var body = grants.reduce<Record<string, string>>((accumulator, curr) => {
+      accumulator[curr.userId] = curr.token;
+      return accumulator;
+    }, {});
+    await axiosAuth.post(`/vaults/${vaultId}/access-tokens`, body)
       .catch((error) => rethrowAndConvertIfExpected(error, 404, 409));
   }
 

frontend/src/components/CreateVault.vue

@@ -295,7 +295,7 @@ async function createVault() {
     vaultConfig.value = await VaultConfig.create(vaultId, vaultKeys.value);
     const ownerJwe = await vaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
     await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, vaultDescription.value);
-    await backend.vaults.grantAccess(vaultId, owner.id, ownerJwe);
+    await backend.vaults.grantAccess(vaultId, { userId: owner.id, token: ownerJwe });
     state.value = State.Finished;
   } catch (error) {
     console.error('Creating vault failed.', error);

frontend/src/components/GrantPermissionDialog.vue

@@ -71,7 +71,7 @@ import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
 import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
-import backend, { ConflictError, NotFoundError, UserDto, VaultDto } from '../common/backend';
+import backend, { AccessGrant, ConflictError, NotFoundError, UserDto, VaultDto } from '../common/backend';
 import { getFingerprint } from '../common/crypto';
 
 import { VaultKeys } from '../common/crypto';
@@ -124,13 +124,15 @@ async function grantAccess() {
 }
 
 async function giveUsersAccess(users: UserDto[]) {
+  let tokens: AccessGrant[] = [];
   for (const user of users) {
     if (user.publicKey) { // some users might not have set up their key pair, so we can't share secrets with them yet
       const publicKey = base64.parse(user.publicKey);
       const jwe = await props.vaultKeys.encryptForUser(publicKey);
-      await backend.vaults.grantAccess(props.vault.id, user.id, jwe);
+      tokens.push({ userId: user.id, token: jwe });
     }
   }
+  await backend.vaults.grantAccess(props.vault.id, ...tokens);
 }
 
 </script>

frontend/src/components/RecoverVaultDialog.vue

@@ -108,7 +108,7 @@ async function recoverVault() {
     if (props.me.publicKey && vaultKeys) {
       const publicKey = base64.parse(props.me.publicKey);
       const jwe = await vaultKeys.encryptForUser(publicKey);
-      await backend.vaults.grantAccess(props.vault.id, props.me.id, jwe);
+      await backend.vaults.grantAccess(props.vault.id, { userId: props.me.id, token: jwe });
       emit('recovered');
       open.value = false;
     }

frontend/src/components/VaultDetails.vue

@@ -310,7 +310,7 @@ async function provedOwnership(keys: VaultKeys, ownerKeyPair: CryptoKeyPair) {
 
   const vaultKeyJwe = keys.encryptForUser(base64.parse(me.value.publicKey));
   try {
-    await backend.vaults.grantAccess(props.vaultId, me.value.id, await vaultKeyJwe);
+    await backend.vaults.grantAccess(props.vaultId, { userId: me.value.id, token: await vaultKeyJwe });
   } catch (error) {
     if (error instanceof ConflictError) {
       console.debug('User already member of this vault.');