Add API tokens support (#9)

Make it possible to create token authorized to query predetermined set of routes.

Reviewed-on: #9
Co-authored-by: Pierre HUBERT <pierre.git@communiquons.org>
Co-committed-by: Pierre HUBERT <pierre.git@communiquons.org>

virtweb_backend/Cargo.lock

@@ -568,6 +568,12 @@ dependencies = [
  "rustc-demangle",
 ]
 
+[[package]]
+name = "base16ct"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
+
 [[package]]
 name = "base64"
 version = "0.20.0"
@@ -586,6 +592,26 @@ version = "0.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51"
 
+[[package]]
+name = "base64ct"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
+
+[[package]]
+name = "basic-jwt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "741afb780192f091b1ceebdc794540a956f3eb96628939f83c5d15e0cb98fa71"
+dependencies = [
+ "anyhow",
+ "elliptic-curve",
+ "jsonwebtoken",
+ "p384",
+ "rand",
+ "serde",
+]
+
 [[package]]
 name = "bincode"
 version = "2.0.0-rc.3"
@@ -792,6 +818,12 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7"
 
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
 [[package]]
 name = "convert_case"
 version = "0.4.0"
@@ -890,6 +922,18 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
 
+[[package]]
+name = "crypto-bigint"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
+dependencies = [
+ "generic-array",
+ "rand_core",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "crypto-common"
 version = "0.1.6"
@@ -945,6 +989,17 @@ dependencies = [
  "syn 2.0.58",
 ]
 
+[[package]]
+name = "der"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
+dependencies = [
+ "const-oid",
+ "pem-rfc7468",
+ "zeroize",
+]
+
 [[package]]
 name = "deranged"
 version = "0.3.11"
@@ -974,6 +1029,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
 dependencies = [
  "block-buffer",
+ "const-oid",
  "crypto-common",
  "subtle",
 ]
@@ -984,12 +1040,47 @@ version = "0.15.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1aaf95b3e5c8f23aa320147307562d361db0ae0d51242340f558153b4eb2439b"
 
+[[package]]
+name = "ecdsa"
+version = "0.16.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
+dependencies = [
+ "der",
+ "digest",
+ "elliptic-curve",
+ "rfc6979",
+ "signature",
+ "spki",
+]
+
 [[package]]
 name = "either"
 version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "11157ac094ffbdde99aa67b23417ebdd801842852b500e395a45a9c0aac03e4a"
 
+[[package]]
+name = "elliptic-curve"
+version = "0.13.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
+dependencies = [
+ "base16ct",
+ "crypto-bigint",
+ "digest",
+ "ff",
+ "generic-array",
+ "group",
+ "hkdf",
+ "pem-rfc7468",
+ "pkcs8",
+ "rand_core",
+ "sec1",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "encoding_rs"
 version = "0.8.33"
@@ -1069,6 +1160,16 @@ dependencies = [
  "simd-adler32",
 ]
 
+[[package]]
+name = "ff"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
+dependencies = [
+ "rand_core",
+ "subtle",
+]
+
 [[package]]
 name = "flate2"
 version = "1.0.28"
@@ -1215,6 +1316,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
 dependencies = [
  "typenum",
  "version_check",
+ "zeroize",
 ]
 
 [[package]]
@@ -1224,8 +1326,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "wasi",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -1254,6 +1358,17 @@ version = "0.28.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"
 
+[[package]]
+name = "group"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+dependencies = [
+ "ff",
+ "rand_core",
+ "subtle",
+]
+
 [[package]]
 name = "h2"
 version = "0.3.26"
@@ -1596,6 +1711,21 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "jsonwebtoken"
+version = "9.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9ae10193d25051e74945f1ea2d0b42e03cc3b890f7e4cc5faa44997d808193f"
+dependencies = [
+ "base64 0.21.7",
+ "js-sys",
+ "pem",
+ "ring",
+ "serde",
+ "serde_json",
+ "simple_asn1",
+]
+
 [[package]]
 name = "language-tags"
 version = "0.3.2"
@@ -2007,6 +2137,18 @@ dependencies = [
  "vcpkg",
 ]
 
+[[package]]
+name = "p384"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2",
+]
+
 [[package]]
 name = "parking_lot"
 version = "0.12.1"
@@ -2042,6 +2184,25 @@ version = "1.0.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c"
 
+[[package]]
+name = "pem"
+version = "3.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae"
+dependencies = [
+ "base64 0.22.0",
+ "serde",
+]
+
+[[package]]
+name = "pem-rfc7468"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+dependencies = [
+ "base64ct",
+]
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.1"
@@ -2080,6 +2241,16 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der",
+ "spki",
+]
+
 [[package]]
 name = "pkg-config"
 version = "0.3.30"
@@ -2123,6 +2294,15 @@ version = "0.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
 
+[[package]]
+name = "primeorder"
+version = "0.13.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
+dependencies = [
+ "elliptic-curve",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.79"
@@ -2367,6 +2547,16 @@ dependencies = [
  "winreg",
 ]
 
+[[package]]
+name = "rfc6979"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
+dependencies = [
+ "hmac",
+ "subtle",
+]
+
 [[package]]
 name = "rgb"
 version = "0.8.37"
@@ -2376,6 +2566,21 @@ dependencies = [
  "bytemuck",
 ]
 
+[[package]]
+name = "ring"
+version = "0.17.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom",
+ "libc",
+ "spin",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "rust-embed"
 version = "8.3.0"
@@ -2484,6 +2689,20 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
+[[package]]
+name = "sec1"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
+dependencies = [
+ "base16ct",
+ "der",
+ "generic-array",
+ "pkcs8",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "security-framework"
 version = "2.10.0"
@@ -2515,18 +2734,18 @@ checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca"
 
 [[package]]
 name = "serde"
-version = "1.0.197"
+version = "1.0.198"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fb1c873e1b9b056a4dc4c0c198b24c3ffa059243875552b2bd0933b1aee4ce2"
+checksum = "9846a40c979031340571da2545a4e5b7c4163bdae79b301d5f86d03979451fcc"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.197"
+version = "1.0.198"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7eb0b34b42edc17f6b7cac84a52a1c5f0e1bb2227e997ca9011ea3dd34e8610b"
+checksum = "e88edab869b01783ba905e7d0153f9fc1a6505a96e4ad3018011eedb838566d9"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2605,6 +2824,16 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "signature"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+dependencies = [
+ "digest",
+ "rand_core",
+]
+
 [[package]]
 name = "simd-adler32"
 version = "0.3.7"
@@ -2620,6 +2849,18 @@ dependencies = [
  "quote",
 ]
 
+[[package]]
+name = "simple_asn1"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "adc4e5204eb1910f40f9cfa375f6f05b68c3abac4b6fd879c8ff5e7ae8a0a085"
+dependencies = [
+ "num-bigint",
+ "num-traits",
+ "thiserror",
+ "time",
+]
+
 [[package]]
 name = "slab"
 version = "0.4.9"
@@ -2654,6 +2895,16 @@ dependencies = [
  "lock_api",
 ]
 
+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+dependencies = [
+ "base64ct",
+ "der",
+]
+
 [[package]]
 name = "strsim"
 version = "0.10.0"
@@ -3020,6 +3271,12 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
 [[package]]
 name = "url"
 version = "2.5.0"
@@ -3129,6 +3386,7 @@ dependencies = [
  "actix-web",
  "actix-web-actors",
  "anyhow",
+ "basic-jwt",
  "bytes",
  "clap",
  "dotenvy",
@@ -3500,6 +3758,12 @@ dependencies = [
  "syn 2.0.58",
 ]
 
+[[package]]
+name = "zeroize"
+version = "1.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
+
 [[package]]
 name = "zstd"
 version = "0.13.1"

virtweb_backend/Cargo.toml

@@ -45,3 +45,4 @@ rust-embed = { version = "8.3.0" }
 mime_guess = "2.0.4"
 dotenvy = "0.15.7"
 nix = { version = "0.28.0", features = ["net"] }
+basic-jwt = "0.2.0"

virtweb_backend/examples/api_curl.rs

@@ -0,0 +1,66 @@
+use basic_jwt::JWTPrivateKey;
+use clap::Parser;
+use std::os::unix::prelude::CommandExt;
+use std::process::Command;
+use std::str::FromStr;
+use virtweb_backend::api_tokens::TokenVerb;
+use virtweb_backend::extractors::api_auth_extractor::TokenClaims;
+use virtweb_backend::utils::time_utils::time;
+
+/// cURL wrapper to query Virtweb backend API
+#[derive(Parser, Debug)]
+#[command(version, about, long_about = None)]
+struct Args {
+    /// URL of VirtWeb
+    #[arg(short('u'), long, env, default_value = "http://localhost:8000")]
+    virtweb_url: String,
+
+    /// Token ID
+    #[arg(short('i'), long, env)]
+    token_id: String,
+
+    /// Token private key
+    #[arg(short('t'), long, env)]
+    token_key: String,
+
+    /// Request verb
+    #[arg(short('X'), long, default_value = "GET")]
+    verb: String,
+
+    /// Request URI
+    uri: String,
+
+    /// Command line arguments to pass to cURL
+    #[clap(trailing_var_arg = true, allow_hyphen_values = true)]
+    run: Vec<String>,
+}
+
+fn main() {
+    let args = Args::parse();
+
+    let full_url = format!("{}{}", args.virtweb_url, args.uri);
+    log::debug!("Full URL: {full_url}");
+
+    let key = JWTPrivateKey::ES384 {
+        r#priv: args.token_key,
+    };
+    let claims = TokenClaims {
+        sub: args.token_id.to_string(),
+        iat: time() as usize,
+        exp: time() as usize + 50,
+        verb: TokenVerb::from_str(&args.verb).expect("Invalid request verb!"),
+        path: args.uri,
+        nonce: uuid::Uuid::new_v4().to_string(),
+    };
+
+    let jwt = key.sign_jwt(&claims).expect("Failed to sign JWT!");
+
+    Command::new("curl")
+        .args(["-X", &args.verb])
+        .args(["-H", &format!("x-token-id: {}", args.token_id)])
+        .args(["-H", &format!("x-token-content: {jwt}")])
+        .args(args.run)
+        .arg(full_url)
+        .exec();
+    panic!("Failed to run curl!")
+}

virtweb_backend/src/api_tokens.rs

@@ -0,0 +1,299 @@
+//! # API tokens management
+
+use crate::app_config::AppConfig;
+use crate::constants;
+use crate::utils::time_utils::time;
+use actix_http::Method;
+use basic_jwt::{JWTPrivateKey, JWTPublicKey};
+use std::path::Path;
+use std::str::FromStr;
+
+#[derive(serde::Serialize, serde::Deserialize, Clone, Copy, Debug)]
+pub struct TokenID(pub uuid::Uuid);
+
+impl TokenID {
+    /// Parse a string as a token id
+    pub fn parse(t: &str) -> anyhow::Result<Self> {
+        Ok(Self(uuid::Uuid::parse_str(t)?))
+    }
+}
+
+#[derive(serde::Serialize, serde::Deserialize, Debug, Clone, Eq, PartialEq)]
+pub struct TokenRight {
+    verb: TokenVerb,
+    path: String,
+}
+
+#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
+pub struct TokenRights(Vec<TokenRight>);
+
+impl TokenRights {
+    pub fn check_error(&self) -> Option<&'static str> {
+        for r in &self.0 {
+            if !r.path.starts_with("/api/") {
+                return Some("All API rights shall start with /api/");
+            }
+
+            if r.path.len() > constants::API_TOKEN_RIGHT_PATH_MAX_LENGTH {
+                return Some("An API path shall not exceed maximum URL size!");
+            }
+        }
+        None
+    }
+
+    pub fn contains(&self, verb: TokenVerb, path: &str) -> bool {
+        let req_path_split = path.split('/').collect::<Vec<_>>();
+
+        'root: for r in &self.0 {
+            if r.verb != verb {
+                continue 'root;
+            }
+
+            let mut last_idx = 0;
+            for (idx, part) in r.path.split('/').enumerate() {
+                if idx >= req_path_split.len() {
+                    continue 'root;
+                }
+
+                if part != "*" && part != req_path_split[idx] {
+                    continue 'root;
+                }
+
+                last_idx = idx;
+            }
+
+            // Check we visited the whole path
+            if last_idx + 1 == req_path_split.len() {
+                return true;
+            }
+        }
+
+        false
+    }
+}
+
+#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
+pub struct Token {
+    pub id: TokenID,
+    pub name: String,
+    pub description: String,
+    created: u64,
+    updated: u64,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub pub_key: Option<JWTPublicKey>,
+    pub rights: TokenRights,
+    pub last_used: u64,
+    pub ip_restriction: Option<ipnetwork::IpNetwork>,
+    pub max_inactivity: Option<u64>,
+}
+
+impl Token {
+    /// Turn the token into a JSON string
+    fn save(&self) -> anyhow::Result<()> {
+        let json = serde_json::to_string(self)?;
+
+        std::fs::write(AppConfig::get().api_token_definition_path(self.id), json)?;
+
+        Ok(())
+    }
+
+    /// Load token information from a file
+    fn load_from_file(path: &Path) -> anyhow::Result<Self> {
+        Ok(serde_json::from_str(&std::fs::read_to_string(path)?)?)
+    }
+
+    /// Check whether a token is expired or not
+    pub fn is_expired(&self) -> bool {
+        if let Some(max_inactivity) = self.max_inactivity {
+            if max_inactivity + self.last_used < time() {
+                return true;
+            }
+        }
+
+        false
+    }
+
+    /// Check whether last_used shall be updated or not
+    pub fn should_update_last_activity(&self) -> bool {
+        self.last_used + 3600 < time()
+    }
+}
+
+#[derive(serde::Serialize, serde::Deserialize, Debug, Clone, Copy, Eq, PartialEq)]
+pub enum TokenVerb {
+    GET,
+    POST,
+    PUT,
+    PATCH,
+    DELETE,
+}
+
+impl TokenVerb {
+    pub fn as_method(&self) -> Method {
+        match self {
+            TokenVerb::GET => Method::GET,
+            TokenVerb::POST => Method::POST,
+            TokenVerb::PUT => Method::PUT,
+            TokenVerb::PATCH => Method::PATCH,
+            TokenVerb::DELETE => Method::DELETE,
+        }
+    }
+}
+
+impl FromStr for TokenVerb {
+    type Err = ();
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "GET" => Ok(TokenVerb::GET),
+            "POST" => Ok(TokenVerb::POST),
+            "PUT" => Ok(TokenVerb::PUT),
+            "PATCH" => Ok(TokenVerb::PATCH),
+            "DELETE" => Ok(TokenVerb::DELETE),
+            _ => Err(()),
+        }
+    }
+}
+
+/// Structure used to create a token
+#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
+pub struct NewToken {
+    pub name: String,
+    pub description: String,
+    pub rights: TokenRights,
+    pub ip_restriction: Option<ipnetwork::IpNetwork>,
+    pub max_inactivity: Option<u64>,
+}
+
+impl NewToken {
+    /// Check for error in token
+    pub fn check_error(&self) -> Option<&'static str> {
+        if self.name.len() < constants::API_TOKEN_NAME_MIN_LENGTH {
+            return Some("Name is too short!");
+        }
+
+        if self.name.len() > constants::API_TOKEN_NAME_MAX_LENGTH {
+            return Some("Name is too long!");
+        }
+
+        if self.description.len() < constants::API_TOKEN_DESCRIPTION_MIN_LENGTH {
+            return Some("Description is too short!");
+        }
+
+        if self.description.len() > constants::API_TOKEN_DESCRIPTION_MAX_LENGTH {
+            return Some("Description is too long!");
+        }
+
+        if let Some(err) = self.rights.check_error() {
+            return Some(err);
+        }
+
+        if let Some(t) = self.max_inactivity {
+            if t < 3600 {
+                return Some("API tokens shall be valid for at least 1 hour!");
+            }
+        }
+
+        None
+    }
+}
+
+/// Create a new Token
+pub async fn create(t: &NewToken) -> anyhow::Result<(Token, JWTPrivateKey)> {
+    let priv_key = JWTPrivateKey::generate_ec384_signing_key()?;
+    let pub_key = priv_key.to_public_key()?;
+
+    let token = Token {
+        name: t.name.to_string(),
+        description: t.description.to_string(),
+        id: TokenID(uuid::Uuid::new_v4()),
+        created: time(),
+        updated: time(),
+        pub_key: Some(pub_key),
+        rights: t.rights.clone(),
+        last_used: time(),
+        ip_restriction: t.ip_restriction,
+        max_inactivity: t.max_inactivity,
+    };
+
+    token.save()?;
+
+    Ok((token, priv_key))
+}
+
+/// Get the entire list of api tokens
+pub async fn full_list() -> anyhow::Result<Vec<Token>> {
+    let mut list = Vec::new();
+    for f in std::fs::read_dir(AppConfig::get().api_tokens_path())? {
+        list.push(Token::load_from_file(&f?.path())?);
+    }
+    Ok(list)
+}
+
+/// Get the information about a single token
+pub async fn get_single(id: TokenID) -> anyhow::Result<Token> {
+    Token::load_from_file(&AppConfig::get().api_token_definition_path(id))
+}
+
+/// Update API tokens rights
+pub async fn update_rights(id: TokenID, rights: TokenRights) -> anyhow::Result<()> {
+    let mut token = get_single(id).await?;
+    token.rights = rights;
+    token.updated = time();
+    token.save()?;
+    Ok(())
+}
+
+/// Set last_used value of token
+pub async fn refresh_last_used(id: TokenID) -> anyhow::Result<()> {
+    let mut token = get_single(id).await?;
+    token.last_used = time();
+    token.save()?;
+    Ok(())
+}
+
+/// Delete an API token
+pub async fn delete(id: TokenID) -> anyhow::Result<()> {
+    let path = AppConfig::get().api_token_definition_path(id);
+    if path.exists() {
+        std::fs::remove_file(path)?;
+    }
+    Ok(())
+}
+
+#[cfg(test)]
+mod test {
+    use crate::api_tokens::{TokenRight, TokenRights, TokenVerb};
+
+    #[test]
+    fn test_rights_patch() {
+        let rights = TokenRights(vec![
+            TokenRight {
+                path: "/api/vm/*".to_string(),
+                verb: TokenVerb::GET,
+            },
+            TokenRight {
+                path: "/api/vm/a".to_string(),
+                verb: TokenVerb::PUT,
+            },
+            TokenRight {
+                path: "/api/vm/a/other".to_string(),
+                verb: TokenVerb::DELETE,
+            },
+            TokenRight {
+                path: "/api/net/create".to_string(),
+                verb: TokenVerb::POST,
+            },
+        ]);
+
+        assert!(rights.contains(TokenVerb::GET, "/api/vm/ab"));
+        assert!(!rights.contains(TokenVerb::GET, "/api/vm"));
+        assert!(!rights.contains(TokenVerb::GET, "/api/vm/ab/c"));
+        assert!(rights.contains(TokenVerb::PUT, "/api/vm/a"));
+        assert!(!rights.contains(TokenVerb::PUT, "/api/vm/other"));
+        assert!(rights.contains(TokenVerb::POST, "/api/net/create"));
+        assert!(!rights.contains(TokenVerb::GET, "/api/net/create"));
+        assert!(!rights.contains(TokenVerb::POST, "/api/net/b"));
+        assert!(!rights.contains(TokenVerb::POST, "/api/net/create/b"));
+    }
+}

virtweb_backend/src/app_config.rs

@@ -1,3 +1,4 @@
+use crate::api_tokens::TokenID;
 use crate::constants;
 use crate::libvirt_lib_structures::XMLUuid;
 use crate::libvirt_rest_structures::net::NetworkName;
@@ -268,6 +269,14 @@ impl AppConfig {
         self.definitions_path()
             .join(format!("nwfilter-{}.json", name.0))
     }
+
+    pub fn api_tokens_path(&self) -> PathBuf {
+        self.storage_path().join(constants::STORAGE_TOKENS_DIR)
+    }
+
+    pub fn api_token_definition_path(&self, id: TokenID) -> PathBuf {
+        self.api_tokens_path().join(format!("{}.json", id.0))
+    }
 }
 
 #[derive(Debug, Clone, serde::Serialize)]

virtweb_backend/src/constants.rs

@@ -89,3 +89,21 @@ pub const NAT_MODE_ENV_VAR_NAME: &str = "NAT_MODE";
 
 /// Nat hook file path
 pub const NAT_HOOK_PATH: &str = "/etc/libvirt/hooks/network";
+
+/// Directory where API tokens are stored, inside storage directory
+pub const STORAGE_TOKENS_DIR: &str = "tokens";
+
+/// API token name min length
+pub const API_TOKEN_NAME_MIN_LENGTH: usize = 3;
+
+/// API token name max length
+pub const API_TOKEN_NAME_MAX_LENGTH: usize = 30;
+
+/// API token description min length
+pub const API_TOKEN_DESCRIPTION_MIN_LENGTH: usize = 5;
+
+/// API token description max length
+pub const API_TOKEN_DESCRIPTION_MAX_LENGTH: usize = 30;
+
+/// API token right path max length
+pub const API_TOKEN_RIGHT_PATH_MAX_LENGTH: usize = 255;

virtweb_backend/src/controllers/api_tokens_controller.rs

@@ -0,0 +1,100 @@
+//! # API tokens management
+
+use crate::api_tokens;
+use crate::api_tokens::{NewToken, TokenID, TokenRights};
+use crate::controllers::api_tokens_controller::rest_token::RestToken;
+use crate::controllers::HttpResult;
+use actix_web::{web, HttpResponse};
+use basic_jwt::JWTPrivateKey;
+
+/// Create a special module for REST token to enforce usage of constructor function
+mod rest_token {
+    use crate::api_tokens::Token;
+
+    #[derive(serde::Serialize)]
+    pub struct RestToken {
+        #[serde(flatten)]
+        token: Token,
+    }
+
+    impl RestToken {
+        pub fn new(mut token: Token) -> Self {
+            token.pub_key = None;
+            Self { token }
+        }
+    }
+}
+
+#[derive(serde::Serialize)]
+struct CreateTokenResult {
+    token: RestToken,
+    priv_key: JWTPrivateKey,
+}
+
+/// Create a new API token
+pub async fn create(new_token: web::Json<NewToken>) -> HttpResult {
+    if let Some(err) = new_token.check_error() {
+        log::error!("Failed to validate new API token information! {err}");
+        return Ok(HttpResponse::BadRequest().json(format!(
+            "Failed to validate new API token information! {err}"
+        )));
+    }
+
+    let (token, priv_key) = api_tokens::create(&new_token).await?;
+
+    Ok(HttpResponse::Ok().json(CreateTokenResult {
+        token: RestToken::new(token),
+        priv_key,
+    }))
+}
+
+/// Get the list of API tokens
+pub async fn list() -> HttpResult {
+    let list = api_tokens::full_list()
+        .await?
+        .into_iter()
+        .map(RestToken::new)
+        .collect::<Vec<_>>();
+
+    Ok(HttpResponse::Ok().json(list))
+}
+
+#[derive(serde::Deserialize)]
+pub struct TokenIDInPath {
+    uid: TokenID,
+}
+
+/// Get the information about a single token
+pub async fn get_single(path: web::Path<TokenIDInPath>) -> HttpResult {
+    let token = api_tokens::get_single(path.uid).await?;
+
+    Ok(HttpResponse::Ok().json(RestToken::new(token)))
+}
+
+#[derive(serde::Deserialize)]
+pub struct UpdateTokenBody {
+    rights: TokenRights,
+}
+
+/// Update a token
+pub async fn update(
+    path: web::Path<TokenIDInPath>,
+    body: web::Json<UpdateTokenBody>,
+) -> HttpResult {
+    if let Some(err) = body.rights.check_error() {
+        log::error!("Failed to validate updated API token information! {err}");
+        return Ok(HttpResponse::BadRequest()
+            .json(format!("Failed to validate API token information! {err}")));
+    }
+
+    api_tokens::update_rights(path.uid, body.0.rights).await?;
+
+    Ok(HttpResponse::Accepted().finish())
+}
+
+/// Delete a token
+pub async fn delete(path: web::Path<TokenIDInPath>) -> HttpResult {
+    api_tokens::delete(path.uid).await?;
+
+    Ok(HttpResponse::Accepted().finish())
+}

virtweb_backend/src/controllers/mod.rs

@@ -6,6 +6,7 @@ use std::error::Error;
 use std::fmt::{Display, Formatter};
 use std::io::ErrorKind;
 
+pub mod api_tokens_controller;
 pub mod auth_controller;
 pub mod iso_controller;
 pub mod network_controller;

virtweb_backend/src/controllers/server_controller.rs

@@ -51,6 +51,9 @@ struct ServerConstraints {
     nwfilter_comment_size: LenConstraints,
     nwfilter_priority: SLenConstraints,
     nwfilter_selectors_count: LenConstraints,
+    api_token_name_size: LenConstraints,
+    api_token_description_size: LenConstraints,
+    api_token_right_path_size: LenConstraints,
 }
 
 pub async fn static_config(local_auth: LocalAuthEnabled) -> impl Responder {
@@ -98,6 +101,21 @@ pub async fn static_config(local_auth: LocalAuthEnabled) -> impl Responder {
                 max: 1000,
             },
             nwfilter_selectors_count: LenConstraints { min: 0, max: 1 },
+
+            api_token_name_size: LenConstraints {
+                min: constants::API_TOKEN_NAME_MIN_LENGTH,
+                max: constants::API_TOKEN_NAME_MAX_LENGTH,
+            },
+
+            api_token_description_size: LenConstraints {
+                min: constants::API_TOKEN_DESCRIPTION_MIN_LENGTH,
+                max: constants::API_TOKEN_DESCRIPTION_MAX_LENGTH,
+            },
+
+            api_token_right_path_size: LenConstraints {
+                min: 0,
+                max: constants::API_TOKEN_RIGHT_PATH_MAX_LENGTH,
+            },
         },
     })
 }

virtweb_backend/src/extractors/api_auth_extractor.rs

@@ -0,0 +1,151 @@
+use crate::api_tokens::{Token, TokenID, TokenVerb};
+
+use crate::api_tokens;
+use crate::utils::time_utils::time;
+use actix_remote_ip::RemoteIP;
+use actix_web::dev::Payload;
+use actix_web::error::{ErrorBadRequest, ErrorUnauthorized};
+use actix_web::{Error, FromRequest, HttpRequest};
+use std::future::Future;
+use std::pin::Pin;
+
+#[derive(serde::Serialize, serde::Deserialize, Debug)]
+pub struct TokenClaims {
+    pub sub: String,
+    pub iat: usize,
+    pub exp: usize,
+    pub verb: TokenVerb,
+    pub path: String,
+    pub nonce: String,
+}
+
+pub struct ApiAuthExtractor {
+    pub token: Token,
+    pub claims: TokenClaims,
+}
+
+impl FromRequest for ApiAuthExtractor {
+    type Error = Error;
+    type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
+
+    fn from_request(req: &HttpRequest, payload: &mut Payload) -> Self::Future {
+        let req = req.clone();
+
+        let remote_ip = match RemoteIP::from_request(&req, payload).into_inner() {
+            Ok(ip) => ip,
+            Err(e) => return Box::pin(async { Err(e) }),
+        };
+
+        Box::pin(async move {
+            let (token_id, token_jwt) = match (
+                req.headers().get("x-token-id"),
+                req.headers().get("x-token-content"),
+            ) {
+                (Some(id), Some(jwt)) => (
+                    id.to_str().unwrap_or("").to_string(),
+                    jwt.to_str().unwrap_or("").to_string(),
+                ),
+                (_, _) => {
+                    return Err(ErrorBadRequest("API auth headers were not all specified!"));
+                }
+            };
+
+            let token_id = match TokenID::parse(&token_id) {
+                Ok(t) => t,
+                Err(e) => {
+                    log::error!("Failed to parse token id! {e}");
+                    return Err(ErrorBadRequest("Unable to validate token ID!"));
+                }
+            };
+
+            let token = match api_tokens::get_single(token_id).await {
+                Ok(t) => t,
+                Err(e) => {
+                    log::error!("Failed to retrieve token: {e}");
+                    return Err(ErrorBadRequest("Unable to validate token!"));
+                }
+            };
+
+            if token.is_expired() {
+                log::error!("Token has expired (not been used for too long)!");
+                return Err(ErrorBadRequest("Unable to validate token!"));
+            }
+
+            let claims = match token
+                .pub_key
+                .as_ref()
+                .expect("All tokens shall have public key!")
+                .validate_jwt::<TokenClaims>(&token_jwt)
+            {
+                Ok(c) => c,
+                Err(e) => {
+                    log::error!("Failed to validate JWT: {e}");
+                    return Err(ErrorBadRequest("Unable to validate token!"));
+                }
+            };
+
+            if claims.sub != token.id.0.to_string() {
+                log::error!("JWT sub mismatch (should equal to token id)!");
+                return Err(ErrorBadRequest(
+                    "JWT sub mismatch (should equal to token id)!",
+                ));
+            }
+
+            if time() + 60 * 15 < claims.iat as u64 {
+                log::error!("iat is in the future!");
+                return Err(ErrorBadRequest("iat is in the future!"));
+            }
+
+            if claims.exp < claims.iat {
+                log::error!("exp shall not be smaller than iat!");
+                return Err(ErrorBadRequest("exp shall not be smaller than iat!"));
+            }
+
+            if claims.exp - claims.iat > 1800 {
+                log::error!("JWT shall not be valid more than 30 minutes!");
+                return Err(ErrorBadRequest(
+                    "JWT shall not be valid more than 30 minutes!",
+                ));
+            }
+
+            if claims.path != req.path() {
+                log::error!("JWT path mismatch!");
+                return Err(ErrorBadRequest("JWT path mismatch!"));
+            }
+
+            if claims.verb.as_method() != req.method() {
+                log::error!("JWT method mismatch!");
+                return Err(ErrorBadRequest("JWT method mismatch!"));
+            }
+
+            if !token.rights.contains(claims.verb, req.path()) {
+                log::error!(
+                    "Attempt to use a token for an unauthorized route! (token_id={})",
+                    token.id.0
+                );
+                return Err(ErrorUnauthorized(
+                    "Token cannot be used to query this route!",
+                ));
+            }
+
+            if let Some(ip) = token.ip_restriction {
+                if !ip.contains(remote_ip.0) {
+                    log::error!(
+                        "Attempt to use a token for an unauthorized IP! {remote_ip:?} token_id={}",
+                        token.id.0
+                    );
+                    return Err(ErrorUnauthorized("Token cannot be used from this IP!"));
+                }
+            }
+
+            if token.should_update_last_activity() {
+                if let Err(e) = api_tokens::refresh_last_used(token.id).await {
+                    log::error!("Could not update token last activity! {e}");
+                    return Err(ErrorBadRequest("Couldn't refresh token last activity!"));
+                }
+            }
+
+            Ok(ApiAuthExtractor { token, claims })
+        })
+    }
+}

virtweb_backend/src/extractors/mod.rs

@@ -1,2 +1,3 @@
+pub mod api_auth_extractor;
 pub mod auth_extractor;
 pub mod local_auth_extractor;

virtweb_backend/src/lib.rs

@@ -1,4 +1,5 @@
 pub mod actors;
+pub mod api_tokens;
 pub mod app_config;
 pub mod constants;
 pub mod controllers;

virtweb_backend/src/main.rs

@@ -22,8 +22,8 @@ use virtweb_backend::constants::{
     MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION, SESSION_COOKIE_NAME,
 };
 use virtweb_backend::controllers::{
-    auth_controller, iso_controller, network_controller, nwfilter_controller, server_controller,
+    api_tokens_controller, auth_controller, iso_controller, network_controller,
-    static_controller, vm_controller,
+    nwfilter_controller, server_controller, static_controller, vm_controller,
 };
 use virtweb_backend::libvirt_client::LibVirtClient;
 use virtweb_backend::middlewares::auth_middleware::AuthChecker;
@@ -50,6 +50,7 @@ async fn main() -> std::io::Result<()> {
     files_utils::create_directory_if_missing(AppConfig::get().disks_storage_path()).unwrap();
     files_utils::create_directory_if_missing(AppConfig::get().nat_path()).unwrap();
     files_utils::create_directory_if_missing(AppConfig::get().definitions_path()).unwrap();
+    files_utils::create_directory_if_missing(AppConfig::get().api_tokens_path()).unwrap();
 
     let conn = Data::new(LibVirtClient(
         LibVirtActor::connect()
@@ -84,7 +85,7 @@ async fn main() -> std::io::Result<()> {
 
         let mut cors = Cors::default()
             .allowed_origin(&AppConfig::get().website_origin)
-            .allowed_methods(vec!["GET", "POST", "DELETE", "PUT"])
+            .allowed_methods(vec!["GET", "POST", "DELETE", "PUT", "PATCH"])
             .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT])
             .allowed_header(header::CONTENT_TYPE)
             .supports_credentials()
@@ -276,6 +277,27 @@ async fn main() -> std::io::Result<()> {
                 "/api/nwfilter/{uid}",
                 web::delete().to(nwfilter_controller::delete),
             )
+            // API tokens controller
+            .route(
+                "/api/token/create",
+                web::post().to(api_tokens_controller::create),
+            )
+            .route(
+                "/api/token/list",
+                web::get().to(api_tokens_controller::list),
+            )
+            .route(
+                "/api/token/{uid}",
+                web::get().to(api_tokens_controller::get_single),
+            )
+            .route(
+                "/api/token/{uid}",
+                web::patch().to(api_tokens_controller::update),
+            )
+            .route(
+                "/api/token/{uid}",
+                web::delete().to(api_tokens_controller::delete),
+            )
             // Static assets
             .route("/", web::get().to(static_controller::root_index))
             .route(

virtweb_backend/src/middlewares/auth_middleware.rs

@@ -3,6 +3,7 @@ use std::rc::Rc;
 
 use crate::app_config::AppConfig;
 use crate::constants;
+use crate::extractors::api_auth_extractor::ApiAuthExtractor;
 use crate::extractors::auth_extractor::AuthExtractor;
 use actix_web::body::EitherBody;
 use actix_web::dev::Payload;
@@ -68,8 +69,28 @@ where
 
             let auth_disabled = AppConfig::get().unsecure_disable_auth;
 
-            // Check authentication, if required
+            // Check API authentication
-            if !auth_disabled
+            if req.headers().get("x-token-id").is_some() {
+                let auth =
+                    match ApiAuthExtractor::from_request(req.request(), &mut Payload::None).await {
+                        Ok(auth) => auth,
+                        Err(e) => {
+                            log::error!(
+                            "Failed to extract API authentication information from request! {e}"
+                        );
+                            return Ok(req
+                                .into_response(HttpResponse::PreconditionFailed().finish())
+                                .map_into_right_body());
+                        }
+                    };
+
+                log::info!(
+                    "Using API token '{}' to perform the request",
+                    auth.token.name
+                );
+            }
+            // Check user authentication, if required
+            else if !auth_disabled
                 && !constants::ROUTES_WITHOUT_AUTH.contains(&req.path())
                 && req.path().starts_with("/api/")
             {

virtweb_frontend/package-lock.json

@@ -27,6 +27,7 @@
         "@types/react-syntax-highlighter": "^15.5.11",
         "@types/uuid": "^9.0.5",
         "@vitejs/plugin-react": "^4.2.1",
+        "date-and-time": "^3.1.1",
         "filesize": "^10.0.12",
         "humanize-duration": "^3.29.0",
         "mui-file-input": "^4.0.4",
@@ -35,7 +36,7 @@
         "react-router-dom": "^6.15.0",
         "react-syntax-highlighter": "^15.5.0",
         "react-vnc": "^1.0.0",
-        "typescript": "^4.1.6",
+        "typescript": "^4.0.0",
         "uuid": "^9.0.1",
         "vite": "^5.0.8",
         "vite-tsconfig-paths": "^4.2.2",
@@ -8877,6 +8878,11 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/date-and-time": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/date-and-time/-/date-and-time-3.1.1.tgz",
+      "integrity": "sha512-N9kstidT3P0VUk1iKOFilOZ6251r6iTUNx9M9kvgL2jqOk9mljWZUq5CjAtYwCnppWHbERk5YFQUrSbY7FQOpA=="
+    },
     "node_modules/debug": {
       "version": "4.3.4",
       "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
@@ -22232,9 +22238,9 @@
       }
     },
     "node_modules/vite-tsconfig-paths/node_modules/typescript": {
-      "version": "5.4.4",
+      "version": "5.4.5",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.4.tgz",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.5.tgz",
-      "integrity": "sha512-dGE2Vv8cpVvw28v8HCPqyb08EzbBURxDpuhJvTrusShUfGnhHBafDsLdS1EhhxyL6BJQE+2cT3dDPAv+MQ6oLw==",
+      "integrity": "sha512-vcI4UpRgg81oIRUFwR0WSIHKt11nJ7SAVlYNIu+QpqeyXP+gpQJy/Z4+F0aGxSE4MqwjyXvW/TzgkLAx2AGHwQ==",
       "optional": true,
       "peer": true,
       "bin": {

virtweb_frontend/package.json

@@ -23,6 +23,7 @@
     "@types/react-syntax-highlighter": "^15.5.11",
     "@types/uuid": "^9.0.5",
     "@vitejs/plugin-react": "^4.2.1",
+    "date-and-time": "^3.1.1",
     "filesize": "^10.0.12",
     "humanize-duration": "^3.29.0",
     "mui-file-input": "^4.0.4",
@@ -31,7 +32,7 @@
     "react-router-dom": "^6.15.0",
     "react-syntax-highlighter": "^15.5.0",
     "react-vnc": "^1.0.0",
-    "typescript": "^5.0.0",
+    "typescript": "^4.0.0",
     "uuid": "^9.0.1",
     "vite": "^5.0.8",
     "vite-tsconfig-paths": "^4.2.2",

virtweb_frontend/src/App.tsx

@@ -9,29 +9,35 @@ import "./App.css";
 import { AuthApi } from "./api/AuthApi";
 import { ServerApi } from "./api/ServerApi";
 import {
-  CreateNetworkRoute,
+  CreateApiTokenRoute,
-  EditNetworkRoute,
+  EditApiTokenRoute,
-} from "./routes/EditNetworkRoute";
+} from "./routes/EditAPITokenRoute";
-import { CreateVMRoute, EditVMRoute } from "./routes/EditVMRoute";
-import { IsoFilesRoute } from "./routes/IsoFilesRoute";
-import { NetworksListRoute } from "./routes/NetworksListRoute";
-import { NotFoundRoute } from "./routes/NotFound";
-import { SysInfoRoute } from "./routes/SysInfoRoute";
-import { VMListRoute } from "./routes/VMListRoute";
-import { VMRoute } from "./routes/VMRoute";
-import { VNCRoute } from "./routes/VNCRoute";
-import { LoginRoute } from "./routes/auth/LoginRoute";
-import { OIDCCbRoute } from "./routes/auth/OIDCCbRoute";
-import { BaseAuthenticatedPage } from "./widgets/BaseAuthenticatedPage";
-import { BaseLoginPage } from "./widgets/BaseLoginPage";
-import { ViewNetworkRoute } from "./routes/ViewNetworkRoute";
-import { HomeRoute } from "./routes/HomeRoute";
-import { NetworkFiltersListRoute } from "./routes/NetworkFiltersListRoute";
-import { ViewNWFilterRoute } from "./routes/ViewNWFilterRoute";
 import {
   CreateNWFilterRoute,
   EditNWFilterRoute,
 } from "./routes/EditNWFilterRoute";
+import {
+  CreateNetworkRoute,
+  EditNetworkRoute,
+} from "./routes/EditNetworkRoute";
+import { CreateVMRoute, EditVMRoute } from "./routes/EditVMRoute";
+import { HomeRoute } from "./routes/HomeRoute";
+import { IsoFilesRoute } from "./routes/IsoFilesRoute";
+import { NetworkFiltersListRoute } from "./routes/NetworkFiltersListRoute";
+import { NetworksListRoute } from "./routes/NetworksListRoute";
+import { NotFoundRoute } from "./routes/NotFound";
+import { SysInfoRoute } from "./routes/SysInfoRoute";
+import { TokensListRoute } from "./routes/TokensListRoute";
+import { VMListRoute } from "./routes/VMListRoute";
+import { VMRoute } from "./routes/VMRoute";
+import { VNCRoute } from "./routes/VNCRoute";
+import { ViewApiTokenRoute } from "./routes/ViewApiTokenRoute";
+import { ViewNWFilterRoute } from "./routes/ViewNWFilterRoute";
+import { ViewNetworkRoute } from "./routes/ViewNetworkRoute";
+import { LoginRoute } from "./routes/auth/LoginRoute";
+import { OIDCCbRoute } from "./routes/auth/OIDCCbRoute";
+import { BaseAuthenticatedPage } from "./widgets/BaseAuthenticatedPage";
+import { BaseLoginPage } from "./widgets/BaseLoginPage";
 
 interface AuthContext {
   signedIn: boolean;
@@ -72,6 +78,11 @@ export function App() {
           <Route path="nwfilter/:uuid" element={<ViewNWFilterRoute />} />
           <Route path="nwfilter/:uuid/edit" element={<EditNWFilterRoute />} />
 
+          <Route path="tokens" element={<TokensListRoute />} />
+          <Route path="token/new" element={<CreateApiTokenRoute />} />
+          <Route path="token/:id" element={<ViewApiTokenRoute />} />
+          <Route path="token/:id/edit" element={<EditApiTokenRoute />} />
+
           <Route path="sysinfo" element={<SysInfoRoute />} />
           <Route path="*" element={<NotFoundRoute />} />
         </Route>

virtweb_frontend/src/api/ServerApi.ts

@@ -27,6 +27,9 @@ export interface ServerConstraints {
   nwfilter_comment_size: LenConstraint;
   nwfilter_priority: LenConstraint;
   nwfilter_selectors_count: LenConstraint;
+  api_token_name_size: LenConstraint;
+  api_token_description_size: LenConstraint;
+  api_token_right_path_size: LenConstraint;
 }
 
 export interface LenConstraint {

virtweb_frontend/src/api/TokensApi.ts

@@ -0,0 +1,102 @@
+import { time } from "../utils/DateUtils";
+import { APIClient } from "./ApiClient";
+
+export type RightVerb = "POST" | "GET" | "PUT" | "DELETE" | "PATCH";
+
+export interface TokenRight {
+  verb: RightVerb;
+  path: string;
+}
+
+export interface APIToken {
+  id: string;
+  name: string;
+  description: string;
+  created: number;
+  updated: number;
+  rights: TokenRight[];
+  last_used: number;
+  ip_restriction?: string;
+  max_inactivity?: number;
+}
+
+export function APITokenURL(t: APIToken, edit: boolean = false): string {
+  return `/token/${t.id}${edit ? "/edit" : ""}`;
+}
+
+export function ExpiredAPIToken(t: APIToken): boolean {
+  if (!t.max_inactivity) return false;
+  return t.last_used + t.max_inactivity < time();
+}
+
+export interface APITokenPrivateKey {
+  alg: string;
+  priv: string;
+}
+
+export interface CreatedAPIToken {
+  token: APIToken;
+  priv_key: APITokenPrivateKey;
+}
+
+export class TokensApi {
+  /**
+   * Create a new API token
+   */
+  static async Create(n: APIToken): Promise<CreatedAPIToken> {
+    return (
+      await APIClient.exec({
+        method: "POST",
+        uri: "/token/create",
+        jsonData: n,
+      })
+    ).data;
+  }
+
+  /**
+   * Get the full list of tokens
+   */
+  static async GetList(): Promise<APIToken[]> {
+    return (
+      await APIClient.exec({
+        method: "GET",
+        uri: "/token/list",
+      })
+    ).data;
+  }
+
+  /**
+   * Get the information about a single token
+   */
+  static async GetSingle(uuid: string): Promise<APIToken> {
+    return (
+      await APIClient.exec({
+        method: "GET",
+        uri: `/token/${uuid}`,
+      })
+    ).data;
+  }
+
+  /**
+   * Update an existing API token information
+   */
+  static async Update(n: APIToken): Promise<void> {
+    return (
+      await APIClient.exec({
+        method: "PATCH",
+        uri: `/token/${n.id}`,
+        jsonData: n,
+      })
+    ).data;
+  }
+
+  /**
+   * Delete an API token
+   */
+  static async Delete(n: APIToken): Promise<void> {
+    await APIClient.exec({
+      method: "DELETE",
+      uri: `/token/${n.id}`,
+    });
+  }
+}

virtweb_frontend/src/dialogs/CreatedTokenDialog.tsx

@@ -0,0 +1,58 @@
+import {
+  Button,
+  Dialog,
+  DialogActions,
+  DialogContent,
+  DialogTitle,
+  Typography,
+} from "@mui/material";
+import { useNavigate } from "react-router-dom";
+import { APITokenURL, CreatedAPIToken } from "../api/TokensApi";
+import { CopyToClipboard } from "../widgets/CopyToClipboard";
+import { InlineCode } from "../widgets/InlineCode";
+
+export function CreatedTokenDialog(p: {
+  createdToken: CreatedAPIToken;
+}): React.ReactElement {
+  const navigate = useNavigate();
+
+  const close = () => {
+    navigate(APITokenURL(p.createdToken.token));
+  };
+  return (
+    <Dialog open>
+      <DialogTitle>Token successfully created</DialogTitle>
+      <DialogContent>
+        <Typography>
+          Your token was successfully created. You need now to copy the private
+          key, as it will be technically impossible to recover it after closing
+          this dialog.
+        </Typography>
+
+        <InfoBlock label="Token ID" value={p.createdToken.token.id} />
+        <InfoBlock label="Key algorithm" value={p.createdToken.priv_key.alg} />
+        <InfoBlock label="Private key" value={p.createdToken.priv_key.priv} />
+      </DialogContent>
+      <DialogActions>
+        <Button onClick={close} color="error">
+          I copied the key, close this dialog
+        </Button>
+      </DialogActions>
+    </Dialog>
+  );
+}
+
+function InfoBlock(
+  p: React.PropsWithChildren<{ label: string; value: string }>
+): React.ReactElement {
+  return (
+    <div
+      style={{ display: "flex", flexDirection: "column", margin: "20px 10px" }}
+    >
+      <Typography variant="overline">{p.label}</Typography>
+      <CopyToClipboard content={p.value}>
+        <InlineCode>{p.value}</InlineCode>
+      </CopyToClipboard>
+    </div>
+  );
+}

virtweb_frontend/src/routes/EditAPITokenRoute.tsx

@@ -0,0 +1,161 @@
+import { Button } from "@mui/material";
+import React from "react";
+import { useNavigate, useParams } from "react-router-dom";
+import {
+  APIToken,
+  APITokenURL,
+  CreatedAPIToken,
+  TokensApi,
+} from "../api/TokensApi";
+import { CreatedTokenDialog } from "../dialogs/CreatedTokenDialog";
+import { useAlert } from "../hooks/providers/AlertDialogProvider";
+import { useLoadingMessage } from "../hooks/providers/LoadingMessageProvider";
+import { useSnackbar } from "../hooks/providers/SnackbarProvider";
+import { time } from "../utils/DateUtils";
+import { AsyncWidget } from "../widgets/AsyncWidget";
+import { VirtWebRouteContainer } from "../widgets/VirtWebRouteContainer";
+import {
+  APITokenDetails,
+  TokenWidgetStatus,
+} from "../widgets/tokens/APITokenDetails";
+
+export function CreateApiTokenRoute(): React.ReactElement {
+  const alert = useAlert();
+  const snackbar = useSnackbar();
+  const navigate = useNavigate();
+
+  const [createdToken, setCreatedToken] = React.useState<
+    CreatedAPIToken | undefined
+  >();
+
+  const [token] = React.useState<APIToken>({
+    id: "",
+    name: "",
+    description: "",
+    created: time(),
+    updated: time(),
+    last_used: time(),
+    rights: [],
+  });
+
+  const createApiToken = async (n: APIToken) => {
+    try {
+      const res = await TokensApi.Create(n);
+      snackbar("The api token was successfully created!");
+      setCreatedToken(res);
+    } catch (e) {
+      console.error(e);
+      alert(`Failed to create API token!\n${e}`);
+    }
+  };
+
+  return (
+    <>
+      {createdToken && <CreatedTokenDialog createdToken={createdToken} />}
+
+      <EditApiTokenRouteInner
+        token={token}
+        creating={true}
+        onCancel={() => navigate("/tokens")}
+        onSave={createApiToken}
+      />
+    </>
+  );
+}
+
+export function EditApiTokenRoute(): React.ReactElement {
+  const alert = useAlert();
+  const snackbar = useSnackbar();
+
+  const { id } = useParams();
+  const navigate = useNavigate();
+
+  const [token, setToken] = React.useState<APIToken | undefined>();
+
+  const load = async () => {
+    setToken(await TokensApi.GetSingle(id!));
+  };
+
+  const updateApiToken = async (n: APIToken) => {
+    try {
+      await TokensApi.Update(n);
+      snackbar("The token was successfully updated!");
+      navigate(APITokenURL(token!));
+    } catch (e) {
+      console.error(e);
+      alert(`Failed to update token!\n${e}`);
+    }
+  };
+
+  return (
+    <AsyncWidget
+      loadKey={id}
+      ready={token !== undefined}
+      errMsg="Failed to fetch API token informations!"
+      load={load}
+      build={() => (
+        <EditApiTokenRouteInner
+          token={token!}
+          creating={false}
+          onCancel={() => navigate(`/token/${id}`)}
+          onSave={updateApiToken}
+        />
+      )}
+    />
+  );
+}
+
+function EditApiTokenRouteInner(p: {
+  token: APIToken;
+  creating: boolean;
+  onCancel: () => void;
+  onSave: (token: APIToken) => Promise<void>;
+}): React.ReactElement {
+  const loadingMessage = useLoadingMessage();
+
+  const [changed, setChanged] = React.useState(false);
+
+  const [, updateState] = React.useState<any>();
+  const forceUpdate = React.useCallback(() => updateState({}), []);
+
+  const valueChanged = () => {
+    setChanged(true);
+    forceUpdate();
+  };
+
+  const save = async () => {
+    loadingMessage.show("Saving API token configuration...");
+    await p.onSave(p.token);
+    loadingMessage.hide();
+  };
+
+  return (
+    <VirtWebRouteContainer
+      label={p.creating ? "Create an API Token" : "Edit API Token"}
+      actions={
+        <span>
+          {changed && (
+            <Button
+              variant="contained"
+              onClick={save}
+              style={{ marginRight: "10px" }}
+            >
+              {p.creating ? "Create" : "Save"}
+            </Button>
+          )}
+          <Button onClick={p.onCancel} variant="outlined">
+            Cancel
+          </Button>
+        </span>
+      }
+    >
+      <APITokenDetails
+        token={p.token}
+        status={
+          p.creating ? TokenWidgetStatus.Create : TokenWidgetStatus.Update
+        }
+        onChange={valueChanged}
+      />
+    </VirtWebRouteContainer>
+  );
+}

virtweb_frontend/src/routes/NetworksListRoute.tsx

@@ -1,4 +1,3 @@
-import DeleteIcon from "@mui/icons-material/Delete";
 import VisibilityIcon from "@mui/icons-material/Visibility";
 import {
   Button,
@@ -13,13 +12,13 @@ import {
   Typography,
 } from "@mui/material";
 import React from "react";
+import { useNavigate } from "react-router-dom";
 import { NetworkApi, NetworkInfo, NetworkURL } from "../api/NetworksApi";
 import { AsyncWidget } from "../widgets/AsyncWidget";
 import { RouterLink } from "../widgets/RouterLink";
 import { VirtWebRouteContainer } from "../widgets/VirtWebRouteContainer";
-import { NetworkStatusWidget } from "../widgets/net/NetworkStatusWidget";
-import { useNavigate } from "react-router-dom";
 import { NetworkHookStatusWidget } from "../widgets/net/NetworkHookStatusWidget";
+import { NetworkStatusWidget } from "../widgets/net/NetworkStatusWidget";
 
 export function NetworksListRoute(): React.ReactElement {
   const [list, setList] = React.useState<NetworkInfo[] | undefined>();

virtweb_frontend/src/routes/TokensListRoute.tsx

@@ -0,0 +1,126 @@
+import VisibilityIcon from "@mui/icons-material/Visibility";
+import {
+  Button,
+  IconButton,
+  Paper,
+  Table,
+  TableBody,
+  TableCell,
+  TableContainer,
+  TableHead,
+  TableRow,
+} from "@mui/material";
+import React from "react";
+import { useNavigate } from "react-router-dom";
+import {
+  APIToken,
+  APITokenURL,
+  ExpiredAPIToken,
+  TokensApi,
+} from "../api/TokensApi";
+import { AsyncWidget } from "../widgets/AsyncWidget";
+import { RouterLink } from "../widgets/RouterLink";
+import { TimeWidget, timeDiff } from "../widgets/TimeWidget";
+import { VirtWebRouteContainer } from "../widgets/VirtWebRouteContainer";
+
+export function TokensListRoute(): React.ReactElement {
+  const [list, setList] = React.useState<APIToken[] | undefined>();
+
+  const [count] = React.useState(1);
+
+  const load = async () => {
+    setList(await TokensApi.GetList());
+  };
+
+  return (
+    <AsyncWidget
+      loadKey={count}
+      load={load}
+      ready={list !== undefined}
+      errMsg="Failed to load the list of tokens!"
+      build={() => <TokensListRouteInner list={list!} />}
+    />
+  );
+}
+
+export function TokensListRouteInner(p: {
+  list: APIToken[];
+}): React.ReactElement {
+  const navigate = useNavigate();
+
+  return (
+    <VirtWebRouteContainer
+      label="API tokens"
+      actions={
+        <RouterLink to="/token/new">
+          <Button>New</Button>
+        </RouterLink>
+      }
+    >
+      <TableContainer component={Paper}>
+        <Table>
+          <TableHead>
+            <TableRow>
+              <TableCell>Name</TableCell>
+              <TableCell>Description</TableCell>
+              <TableCell>Created</TableCell>
+              <TableCell>Updated</TableCell>
+              <TableCell>Last used</TableCell>
+              <TableCell>IP restriction</TableCell>
+              <TableCell>Max inactivity</TableCell>
+              <TableCell>Rights</TableCell>
+              <TableCell>Actions</TableCell>
+            </TableRow>
+          </TableHead>
+          <TableBody>
+            {p.list.map((t) => {
+              return (
+                <TableRow
+                  key={t.id}
+                  hover
+                  onDoubleClick={() => navigate(APITokenURL(t))}
+                  style={{ backgroundColor: ExpiredAPIToken(t) ? "red" : "" }}
+                >
+                  <TableCell>
+                    {t.name} {ExpiredAPIToken(t) && <i>(Expired)</i>}
+                  </TableCell>
+                  <TableCell>{t.description}</TableCell>
+                  <TableCell>
+                    <TimeWidget time={t.created} />
+                  </TableCell>
+                  <TableCell>
+                    <TimeWidget time={t.updated} />
+                  </TableCell>
+                  <TableCell>
+                    <TimeWidget time={t.last_used} />
+                  </TableCell>
+                  <TableCell>{t.ip_restriction}</TableCell>
+                  <TableCell>
+                    {t.max_inactivity && timeDiff(0, t.max_inactivity)}
+                  </TableCell>
+                  <TableCell>
+                    {t.rights.map((r) => {
+                      return (
+                        <div>
+                          {r.verb} {r.path}
+                        </div>
+                      );
+                    })}
+                  </TableCell>
+
+                  <TableCell>
+                    <RouterLink to={APITokenURL(t)}>
+                      <IconButton>
+                        <VisibilityIcon />
+                      </IconButton>
+                    </RouterLink>
+                  </TableCell>
+                </TableRow>
+              );
+            })}
+          </TableBody>
+        </Table>
+      </TableContainer>
+    </VirtWebRouteContainer>
+  );
+}

virtweb_frontend/src/routes/ViewApiTokenRoute.tsx

@@ -0,0 +1,53 @@
+import { Button } from "@mui/material";
+import React from "react";
+import { useNavigate, useParams } from "react-router-dom";
+import { APIToken, APITokenURL, TokensApi } from "../api/TokensApi";
+import { AsyncWidget } from "../widgets/AsyncWidget";
+import { VirtWebRouteContainer } from "../widgets/VirtWebRouteContainer";
+import {
+  APITokenDetails,
+  TokenWidgetStatus,
+} from "../widgets/tokens/APITokenDetails";
+
+export function ViewApiTokenRoute() {
+  const { id } = useParams();
+
+  const [token, setToken] = React.useState<APIToken | undefined>();
+
+  const load = async () => {
+    setToken(await TokensApi.GetSingle(id!));
+  };
+
+  return (
+    <AsyncWidget
+      loadKey={id}
+      ready={token !== undefined}
+      errMsg="Failed to fetch API token information!"
+      load={load}
+      build={() => <ViewAPITokenRouteInner token={token!} />}
+    />
+  );
+}
+
+function ViewAPITokenRouteInner(p: { token: APIToken }): React.ReactElement {
+  const navigate = useNavigate();
+
+  return (
+    <VirtWebRouteContainer
+      label={`API token ${p.token.name}`}
+      actions={
+        <span style={{ display: "flex", alignItems: "center" }}>
+          <Button
+            variant="contained"
+            style={{ marginLeft: "15px" }}
+            onClick={() => navigate(APITokenURL(p.token, true))}
+          >
+            Edit
+          </Button>
+        </span>
+      }
+    >
+      <APITokenDetails token={p.token} status={TokenWidgetStatus.Read} />
+    </VirtWebRouteContainer>
+  );
+}

virtweb_frontend/src/widgets/BaseAuthenticatedPage.tsx

@@ -1,4 +1,5 @@
 import {
+  mdiApi,
   mdiBoxShadow,
   mdiDisc,
   mdiHome,
@@ -72,6 +73,11 @@ export function BaseAuthenticatedPage(): React.ReactElement {
             uri="/iso"
             icon={<Icon path={mdiDisc} size={1} />}
           />
+          <NavLink
+            label="API tokens"
+            uri="/tokens"
+            icon={<Icon path={mdiApi} size={1} />}
+          />
           <NavLink
             label="Sysinfo"
             uri="/sysinfo"

virtweb_frontend/src/widgets/InlineCode.tsx

@@ -0,0 +1,18 @@
+export function InlineCode(p: React.PropsWithChildren): React.ReactElement {
+  return (
+    <code
+      style={{
+        display: "inline-block",
+        backgroundColor: "black",
+        color: "white",
+        wordBreak: "break-all",
+        wordWrap: "break-word",
+        whiteSpace: "pre-wrap",
+        padding: "0px 7px",
+        borderRadius: "5px",
+      }}
+    >
+      {p.children}
+    </code>
+  );
+}

virtweb_frontend/src/widgets/TimeWidget.tsx

@@ -0,0 +1,65 @@
+import { Tooltip } from "@mui/material";
+import date from "date-and-time";
+import { time } from "../utils/DateUtils";
+
+export function formatDate(time: number): string {
+  const t = new Date();
+  t.setTime(1000 * time);
+  return date.format(t, "DD/MM/YYYY HH:mm:ss");
+}
+
+export function timeDiff(a: number, b: number): string {
+  let diff = b - a;
+
+  if (diff === 0) return "now";
+  if (diff === 1) return "1 second";
+
+  if (diff < 60) {
+    return `${diff} seconds`;
+  }
+
+  diff = Math.floor(diff / 60);
+
+  if (diff === 1) return "1 minute";
+  if (diff < 24) {
+    return `${diff} minutes`;
+  }
+
+  diff = Math.floor(diff / 60);
+
+  if (diff === 1) return "1 hour";
+  if (diff < 24) {
+    return `${diff} hours`;
+  }
+
+  const diffDays = Math.floor(diff / 24);
+
+  if (diffDays === 1) return "1 day";
+  if (diffDays < 31) {
+    return `${diffDays} days`;
+  }
+
+  diff = Math.floor(diffDays / 31);
+
+  if (diff < 12) {
+    return `${diff} month`;
+  }
+
+  const diffYears = Math.floor(diffDays / 365);
+
+  if (diffYears === 1) return "1 year";
+  return `${diffYears} years`;
+}
+
+export function timeDiffFromNow(t: number): string {
+  return timeDiff(t, time());
+}
+
+export function TimeWidget(p: { time?: number }): React.ReactElement {
+  if (!p.time) return <></>;
+  return (
+    <Tooltip title={formatDate(p.time)}>
+      <span>{timeDiffFromNow(p.time)}</span>
+    </Tooltip>
+  );
+}

virtweb_frontend/src/widgets/forms/IPInput.tsx

@@ -22,14 +22,16 @@ export function IPInput(p: {
 export function IPInputWithMask(p: {
   label: string;
   editable: boolean;
+  ipAndMask?: string;
   ip?: string;
   mask?: number;
-  onValueChange?: (ip?: string, mask?: number) => void;
+  onValueChange?: (ip?: string, mask?: number, ipAndMask?: string) => void;
   version: 4 | 6;
 }): React.ReactElement {
   const showSlash = React.useRef(!!p.mask);
 
   const currValue =
+    p.ipAndMask ??
     (p.ip ?? "") + (p.mask || showSlash.current ? "/" : "") + (p.mask ?? "");
 
   const { onValueChange, ...props } = p;
@@ -38,7 +40,7 @@ export function IPInputWithMask(p: {
       onValueChange={(v) => {
         showSlash.current = false;
         if (!v) {
-          onValueChange?.(undefined, undefined);
+          onValueChange?.(undefined, undefined, undefined);
           return;
         }
 
@@ -52,7 +54,11 @@ export function IPInputWithMask(p: {
           mask = sanitizeMask(p.version, split[1]);
         }
 
-        onValueChange?.(ip, mask);
+        onValueChange?.(
+          ip,
+          mask,
+          mask || showSlash.current ? `${ip}/${mask ?? ""}` : ip
+        );
       }}
       value={currValue}
       {...props}

virtweb_frontend/src/widgets/forms/SelectInput.tsx

@@ -16,7 +16,7 @@ export interface SelectOption {
 export function SelectInput(p: {
   value?: string;
   editable: boolean;
-  label: string;
+  label?: string;
   options: SelectOption[];
   onValueChange: (o?: string) => void;
 }): React.ReactElement {
@@ -29,7 +29,7 @@ export function SelectInput(p: {
 
   return (
     <FormControl fullWidth variant="standard" style={{ marginBottom: "15px" }}>
-      <InputLabel>{p.label}</InputLabel>
+      {p.label && <InputLabel>{p.label}</InputLabel>}
       <Select
         value={p.value ?? ""}
         label={p.label}

virtweb_frontend/src/widgets/net/NetworkHookStatusWidget.tsx

@@ -3,6 +3,7 @@ import React, { PropsWithChildren } from "react";
 import { NetworkHookStatus, ServerApi } from "../../api/ServerApi";
 import { AsyncWidget } from "../AsyncWidget";
 import { CopyToClipboard } from "../CopyToClipboard";
+import { InlineCode } from "../InlineCode";
 
 export function NetworkHookStatusWidget(p: {
   hiddenIfInstalled: boolean;
@@ -72,25 +73,6 @@ function NetworkHookStatusWidgetInner(p: {
   );
 }
 
-function InlineCode(p: PropsWithChildren): React.ReactElement {
-  return (
-    <code
-      style={{
-        display: "inline-block",
-        backgroundColor: "black",
-        color: "white",
-        wordBreak: "break-all",
-        wordWrap: "break-word",
-        whiteSpace: "pre-wrap",
-        padding: "0px 7px",
-        borderRadius: "5px",
-      }}
-    >
-      {p.children}
-    </code>
-  );
-}
-
 function CodeBlock(p: PropsWithChildren): React.ReactElement {
   return (
     <pre

virtweb_frontend/src/widgets/tokens/APITokenDetails.tsx

@@ -0,0 +1,256 @@
+import { Button, Grid } from "@mui/material";
+import React from "react";
+import { useNavigate } from "react-router-dom";
+import { NWFilter, NWFilterApi } from "../../api/NWFilterApi";
+import { NetworkApi, NetworkInfo } from "../../api/NetworksApi";
+import { ServerApi } from "../../api/ServerApi";
+import { APIToken, TokensApi } from "../../api/TokensApi";
+import { VMApi, VMInfo } from "../../api/VMApi";
+import { useAlert } from "../../hooks/providers/AlertDialogProvider";
+import { useConfirm } from "../../hooks/providers/ConfirmDialogProvider";
+import { useSnackbar } from "../../hooks/providers/SnackbarProvider";
+import { AsyncWidget } from "../AsyncWidget";
+import { TabsWidget } from "../TabsWidget";
+import { EditSection } from "../forms/EditSection";
+import { IPInputWithMask } from "../forms/IPInput";
+import { RadioGroupInput } from "../forms/RadioGroupInput";
+import { TextInput } from "../forms/TextInput";
+import { TokenRawRightsEditor } from "./TokenRawRightsEditor";
+import { TokenRightsEditor } from "./TokenRightsEditor";
+
+const SECS_PER_DAY = 3600 * 24;
+
+export enum TokenWidgetStatus {
+  Create,
+  Read,
+  Update,
+}
+
+interface DetailsProps {
+  token: APIToken;
+  status: TokenWidgetStatus;
+  onChange?: () => void;
+}
+
+export function APITokenDetails(p: DetailsProps): React.ReactElement {
+  const [vms, setVMs] = React.useState<VMInfo[]>();
+  const [networks, setNetworks] = React.useState<NetworkInfo[]>();
+  const [nwFilters, setNetworkFilters] = React.useState<NWFilter[]>();
+  const [tokens, setTokens] = React.useState<APIToken[]>();
+
+  const load = async () => {
+    setVMs(await VMApi.GetList());
+    setNetworks(await NetworkApi.GetList());
+    setNetworkFilters(await NWFilterApi.GetList());
+    setTokens(await TokensApi.GetList());
+  };
+
+  return (
+    <AsyncWidget
+      loadKey={"1"}
+      load={load}
+      errMsg="Failed to load some system entities!"
+      build={() => (
+        <APITokenDetailsInner
+          vms={vms!}
+          networks={networks!}
+          nwFilters={nwFilters!}
+          tokens={tokens!}
+          {...p}
+        />
+      )}
+    />
+  );
+}
+
+enum TokenTab {
+  General = 0,
+  Rights,
+  RawRights,
+  Danger,
+}
+
+type DetailsInnerProps = DetailsProps & {
+  vms: VMInfo[];
+  networks: NetworkInfo[];
+  nwFilters: NWFilter[];
+  tokens: APIToken[];
+};
+
+function APITokenDetailsInner(p: DetailsInnerProps): React.ReactElement {
+  const [currTab, setCurrTab] = React.useState(TokenTab.General);
+
+  return (
+    <>
+      <TabsWidget
+        currTab={currTab}
+        onTabChange={setCurrTab}
+        options={[
+          { label: "General", value: TokenTab.General, visible: true },
+          {
+            label: "Rights",
+            value: TokenTab.Rights,
+            visible: true,
+          },
+          {
+            label: "Raw rights",
+            value: TokenTab.RawRights,
+            visible: true,
+          },
+
+          {
+            label: "Danger zone",
+            value: TokenTab.Danger,
+            color: "red",
+            visible: p.status === TokenWidgetStatus.Read,
+          },
+        ]}
+      />
+      {currTab === TokenTab.General && <APITokenTabGeneral {...p} />}
+      {currTab === TokenTab.Rights && <APITokenRights {...p} />}
+      {currTab === TokenTab.RawRights && <APITokenRawRights {...p} />}
+      {currTab === TokenTab.Danger && <APITokenTabDanger {...p} />}
+    </>
+  );
+}
+
+function APITokenTabGeneral(p: DetailsInnerProps): React.ReactElement {
+  const [ipVersion, setIpVersion] = React.useState<4 | 6>(
+    (p.token.ip_restriction ?? "").includes(":") ? 6 : 4
+  );
+
+  return (
+    <Grid container spacing={2}>
+      {/* Metadata section */}
+      <EditSection title="Metadata">
+        {p.status !== TokenWidgetStatus.Create && (
+          <TextInput label="UUID" editable={false} value={p.token.id} />
+        )}
+
+        <TextInput
+          label="Name"
+          editable={p.status === TokenWidgetStatus.Create}
+          value={p.token.name}
+          onValueChange={(v) => {
+            p.token.name = v ?? "";
+            p.onChange?.();
+          }}
+          size={ServerApi.Config.constraints.api_token_name_size}
+        />
+
+        <TextInput
+          label="Description"
+          editable={p.status === TokenWidgetStatus.Create}
+          value={p.token.description}
+          onValueChange={(v) => {
+            p.token.description = v ?? "";
+            p.onChange?.();
+          }}
+          multiline={true}
+          size={ServerApi.Config.constraints.api_token_description_size}
+        />
+      </EditSection>
+
+      <EditSection title="General settings">
+        {p.status === TokenWidgetStatus.Create && (
+          <RadioGroupInput
+            {...p}
+            editable={p.status === TokenWidgetStatus.Create}
+            options={[
+              { label: "IPv4", value: "4" },
+              { label: "IPv6", value: "6" },
+            ]}
+            value={ipVersion.toString()}
+            onValueChange={(v) => {
+              setIpVersion(Number(v) as any);
+            }}
+            label="Token IP restriction version"
+          />
+        )}
+        <IPInputWithMask
+          {...p}
+          label="Token IP network restriction"
+          ipAndMask={p.token.ip_restriction}
+          editable={p.status === TokenWidgetStatus.Create}
+          version={ipVersion}
+          onValueChange={(_ip, _mask, ipAndMask) => {
+            p.token.ip_restriction = ipAndMask;
+            p.onChange?.();
+          }}
+        />
+
+        <TextInput
+          editable={p.status === TokenWidgetStatus.Create}
+          label="Max inactivity of tokens (days)"
+          type="number"
+          value={
+            p.token.max_inactivity
+              ? Math.floor(p.token.max_inactivity / SECS_PER_DAY).toString()
+              : ""
+          }
+          onValueChange={(v) => {
+            const secs = Number(v ?? "0") * SECS_PER_DAY;
+            p.token.max_inactivity = secs === 0 ? undefined : secs;
+            p.onChange?.();
+          }}
+        />
+      </EditSection>
+    </Grid>
+  );
+}
+
+function APITokenRights(p: DetailsInnerProps): React.ReactElement {
+  return (
+    <div style={{ padding: "30px" }}>
+      <TokenRightsEditor
+        {...p}
+        editable={p.status !== TokenWidgetStatus.Read}
+      />
+    </div>
+  );
+}
+
+function APITokenRawRights(p: DetailsInnerProps): React.ReactElement {
+  return (
+    <div style={{ padding: "30px" }}>
+      <TokenRawRightsEditor
+        {...p}
+        editable={p.status !== TokenWidgetStatus.Read}
+      />
+    </div>
+  );
+}
+
+function APITokenTabDanger(p: DetailsInnerProps): React.ReactElement {
+  const confirm = useConfirm();
+  const snackbar = useSnackbar();
+  const alert = useAlert();
+  const navigate = useNavigate();
+
+  const requestDelete = async () => {
+    try {
+      if (
+        !(await confirm(
+          "Do you really want to delete this API token?",
+          `Delete API token ${p.token.name}`,
+          "Delete"
+        ))
+      )
+        return;
+
+      await TokensApi.Delete(p.token);
+
+      navigate("/tokens");
+      snackbar("The API token was successfully deleted!");
+    } catch (e) {
+      console.error(e);
+      alert(`Failed to delete the API token!\n${e}`);
+    }
+  };
+
+  return (
+    <Button color="error" onClick={requestDelete}>
+      Delete this API token
+    </Button>
+  );
+}

virtweb_frontend/src/widgets/tokens/TokenRawRightsEditor.tsx

@@ -0,0 +1,111 @@
+import AddIcon from "@mui/icons-material/Add";
+import DeleteIcon from "@mui/icons-material/Delete";
+import {
+  IconButton,
+  Paper,
+  Table,
+  TableBody,
+  TableCell,
+  TableContainer,
+  TableHead,
+  TableRow,
+  Tooltip,
+  Typography,
+} from "@mui/material";
+import { ServerApi } from "../../api/ServerApi";
+import { APIToken } from "../../api/TokensApi";
+import { SelectInput } from "../forms/SelectInput";
+import { TextInput } from "../forms/TextInput";
+
+export function TokenRawRightsEditor(p: {
+  token: APIToken;
+  editable: boolean;
+  onChange?: () => void;
+}): React.ReactElement {
+  const addRule = () => {
+    p.token.rights.push({ path: "/api/", verb: "GET" });
+    p.onChange?.();
+  };
+
+  const deleteRule = (id: number) => {
+    p.token.rights.splice(id, 1);
+    p.onChange?.();
+  };
+
+  return (
+    <TableContainer component={Paper}>
+      <div
+        style={{
+          padding: "10px 10px 0px 10px",
+          display: "flex",
+          justifyContent: "space-between",
+        }}
+      >
+        <Typography variant="h5">Raw rights</Typography>
+        <div>
+          {p.editable && (
+            <Tooltip title="Add a new right rule">
+              <IconButton onClick={addRule}>
+                <AddIcon />
+              </IconButton>
+            </Tooltip>
+          )}
+        </div>
+      </div>
+
+      <Table>
+        <TableHead>
+          <TableRow>
+            <TableCell>Verb</TableCell>
+            <TableCell>URI</TableCell>
+            {p.editable && <TableCell>Actions</TableCell>}
+          </TableRow>
+        </TableHead>
+        <TableBody>
+          {p.token.rights.map((r, num) => (
+            <TableRow key={num} hover>
+              <TableCell style={{ width: "100px" }}>
+                <SelectInput
+                  {...p}
+                  value={r.verb}
+                  onValueChange={(v) => {
+                    r.verb = v as any;
+                    p.onChange?.();
+                  }}
+                  options={[
+                    { value: "GET" },
+                    { value: "POST" },
+                    { value: "PATCH" },
+                    { value: "PUT" },
+                    { value: "DELETE" },
+                  ]}
+                />
+              </TableCell>
+              <TableCell>
+                <TextInput
+                  {...p}
+                  value={r.path}
+                  onValueChange={(v) => {
+                    r.path = v ?? "";
+                    p.onChange?.();
+                  }}
+                  checkValue={(v) => v.startsWith("/api/")}
+                  size={ServerApi.Config.constraints.api_token_right_path_size}
+                />
+              </TableCell>
+              {p.editable && (
+                <TableCell style={{ width: "100px" }}>
+                  <IconButton onClick={() => deleteRule(num)}>
+                    <Tooltip title="Remove the rule">
+                      <DeleteIcon />
+                    </Tooltip>
+                  </IconButton>
+                </TableCell>
+              )}
+            </TableRow>
+          ))}
+        </TableBody>
+      </Table>
+    </TableContainer>
+  );
+}

virtweb_frontend/src/widgets/tokens/TokenRightsEditor.tsx

@@ -0,0 +1,690 @@
+import {
+  Checkbox,
+  FormControlLabel,
+  Paper,
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableRow,
+  Tooltip,
+  Typography,
+} from "@mui/material";
+import React from "react";
+import { NWFilter } from "../../api/NWFilterApi";
+import { NetworkInfo } from "../../api/NetworksApi";
+import { ServerApi } from "../../api/ServerApi";
+import { APIToken, TokenRight } from "../../api/TokensApi";
+import { VMInfo } from "../../api/VMApi";
+
+export function TokenRightsEditor(p: {
+  token: APIToken;
+  editable: boolean;
+  onChange?: () => void;
+  vms: VMInfo[];
+  networks: NetworkInfo[];
+  nwFilters: NWFilter[];
+  tokens: APIToken[];
+}): React.ReactElement {
+  return (
+    <>
+      {/* Virtual machines */}
+      <RightsSection label="Virtual machines">
+        <RouteRight
+          {...p}
+          right={{ verb: "POST", path: "/api/vm/create" }}
+          label="Create a new virtual machine"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/vm/list" }}
+          label="Get list of virtual machines"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/vnc" }}
+          label="Establish VNC connection"
+        />
+      </RightsSection>
+
+      <RightsSection label="VM configuration management">
+        <Table size="small">
+          <TableHead>
+            <TableRow>
+              <TableCell>VM name</TableCell>
+              <TableCell align="center">Get definition</TableCell>
+              <TableCell align="center">Update</TableCell>
+              <TableCell align="center">Delete</TableCell>
+              <TableCell align="center">Get XML definition</TableCell>
+              <TableCell align="center">Get autostart</TableCell>
+              <TableCell align="center">Set autostart</TableCell>
+            </TableRow>
+          </TableHead>
+          <TableBody>
+            {/* All VM operations */}
+            <TableRow hover>
+              <TableCell>
+                <i>All</i>
+              </TableCell>
+              <CellRight {...p} right={{ verb: "GET", path: "/api/vm/*" }} />
+              <CellRight {...p} right={{ verb: "PUT", path: "/api/vm/*" }} />
+              <CellRight {...p} right={{ verb: "DELETE", path: "/api/vm/*" }} />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/src" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/autostart" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "PUT", path: "/api/vm/*/autostart" }}
+              />
+            </TableRow>
+
+            {/* Per VM operations */}
+            {p.vms.map((v, n) => (
+              <TableRow hover key={n}>
+                <TableCell>{v.name}</TableCell>
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}` }}
+                  parent={{ verb: "GET", path: "/api/vm/*" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "PUT", path: `/api/vm/${v.uuid}` }}
+                  parent={{ verb: "PUT", path: "/api/vm/*" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "DELETE", path: `/api/vm/${v.uuid}` }}
+                  parent={{ verb: "DELETE", path: "/api/vm/*" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/src` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/src" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/autostart` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/autostart" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "PUT", path: `/api/vm/${v.uuid}/autostart` }}
+                  parent={{ verb: "PUT", path: "/api/vm/*/autostart" }}
+                />
+              </TableRow>
+            ))}
+          </TableBody>
+        </Table>
+      </RightsSection>
+
+      <RightsSection label="VM maintenance">
+        <Table size="small">
+          <TableHead>
+            <TableRow>
+              <TableCell>VM name</TableCell>
+              <TableCell align="center">Get state</TableCell>
+              <TableCell align="center">Start</TableCell>
+              <TableCell align="center">Shutdown</TableCell>
+              <TableCell align="center">Kill</TableCell>
+              <TableCell align="center">Reset</TableCell>
+              <TableCell align="center">Suspend</TableCell>
+              <TableCell align="center">Resume</TableCell>
+              <TableCell align="center">Screenshot</TableCell>
+              <TableCell align="center">VNC token</TableCell>
+            </TableRow>
+          </TableHead>
+          <TableBody>
+            {/* All VM operations */}
+            <TableRow hover>
+              <TableCell>
+                <i>All</i>
+              </TableCell>
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/state" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/start" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/shutdown" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/kill" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/reset" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/suspend" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/resume" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/screenshot" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/vm/*/vnc" }}
+              />
+            </TableRow>
+
+            {/* Per VM operations */}
+            {p.vms.map((v, n) => (
+              <TableRow hover key={n}>
+                <TableCell>{v.name}</TableCell>
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/state` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/state" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/start` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/start" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/shutdown` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/shutdown" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/kill` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/kill" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/reset` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/reset" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/suspend` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/suspend" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/resume` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/resume" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/screenshot` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/screenshot" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/vm/${v.uuid}/vnc` }}
+                  parent={{ verb: "GET", path: "/api/vm/*/vnc" }}
+                />
+              </TableRow>
+            ))}
+          </TableBody>
+        </Table>
+      </RightsSection>
+
+      {/* Networks */}
+      <RightsSection label="Networks">
+        <RouteRight
+          {...p}
+          right={{ verb: "POST", path: "/api/network/create" }}
+          label="Create a new network"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/network/list" }}
+          label="Get list of networks"
+        />
+      </RightsSection>
+
+      {/* Networks management */}
+      <RightsSection label="Networks management">
+        <Table size="small">
+          <TableHead>
+            <TableRow>
+              <TableCell>Network name</TableCell>
+              <TableCell align="center">Get definition</TableCell>
+              <TableCell align="center">Update</TableCell>
+              <TableCell align="center">Delete</TableCell>
+              <TableCell align="center">Get XML definition</TableCell>
+              <TableCell align="center">Get autostart</TableCell>
+              <TableCell align="center">Set autostart</TableCell>
+              <TableCell align="center">Get status</TableCell>
+              <TableCell align="center">Start</TableCell>
+              <TableCell align="center">Stop</TableCell>
+            </TableRow>
+          </TableHead>
+          <TableBody>
+            {/* All networks operations */}
+            <TableRow hover>
+              <TableCell>
+                <i>All</i>
+              </TableCell>
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/network/*" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "PUT", path: "/api/network/*" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "DELETE", path: "/api/network/*" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/network/*/src" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/network/*/autostart" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "PUT", path: "/api/network/*/autostart" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/network/*/status" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/network/*/start" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/network/*/stop" }}
+              />
+            </TableRow>
+
+            {/* Per network operations */}
+            {p.networks.map((v, n) => (
+              <TableRow hover key={n}>
+                <TableCell>{v.name}</TableCell>
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/network/${v.uuid}` }}
+                  parent={{ verb: "GET", path: "/api/network/*" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "PUT", path: `/api/network/${v.uuid}` }}
+                  parent={{ verb: "PUT", path: "/api/network/*" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "DELETE", path: `/api/network/${v.uuid}` }}
+                  parent={{ verb: "DELETE", path: "/api/network/*" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/network/${v.uuid}/src` }}
+                  parent={{ verb: "GET", path: "/api/network/*/src" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{
+                    verb: "GET",
+                    path: `/api/network/${v.uuid}/autostart`,
+                  }}
+                  parent={{ verb: "GET", path: "/api/network/*/autostart" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{
+                    verb: "PUT",
+                    path: `/api/network/${v.uuid}/autostart`,
+                  }}
+                  parent={{ verb: "PUT", path: "/api/network/*/autostart" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{
+                    verb: "GET",
+                    path: `/api/network/${v.uuid}/status`,
+                  }}
+                  parent={{ verb: "GET", path: "/api/network/*/status" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{
+                    verb: "GET",
+                    path: `/api/network/${v.uuid}/start`,
+                  }}
+                  parent={{ verb: "GET", path: "/api/network/*/start" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{
+                    verb: "GET",
+                    path: `/api/network/${v.uuid}/stop`,
+                  }}
+                  parent={{ verb: "GET", path: "/api/network/*/stop" }}
+                />
+              </TableRow>
+            ))}
+          </TableBody>
+        </Table>
+      </RightsSection>
+
+      {/* Network filters */}
+      <RightsSection label="Network filters">
+        <RouteRight
+          {...p}
+          right={{ verb: "POST", path: "/api/nwfilter/create" }}
+          label="Create a new network filter"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/nwfilter/list" }}
+          label="Get list of network filters"
+        />
+      </RightsSection>
+
+      {/* Networks filters management */}
+      <RightsSection label="Networks filters management">
+        <Table size="small">
+          <TableHead>
+            <TableRow>
+              <TableCell>Network filter name</TableCell>
+              <TableCell align="center">Get definition</TableCell>
+              <TableCell align="center">Update</TableCell>
+              <TableCell align="center">Delete</TableCell>
+              <TableCell align="center">Get XML definition</TableCell>
+            </TableRow>
+          </TableHead>
+          <TableBody>
+            {/* All networks filters operations */}
+            <TableRow hover>
+              <TableCell>
+                <i>All</i>
+              </TableCell>
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/nwfilter/*" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "PUT", path: "/api/nwfilter/*" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "DELETE", path: "/api/nwfilter/*" }}
+              />
+              <CellRight
+                {...p}
+                right={{ verb: "GET", path: "/api/nwfilter/*/src" }}
+              />
+            </TableRow>
+
+            {/* Per network filter operations */}
+            {p.nwFilters.map((v, n) => (
+              <TableRow hover key={n}>
+                <TableCell>{v.name}</TableCell>
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/nwfilter/${v.uuid}` }}
+                  parent={{ verb: "GET", path: "/api/nwfilter/*" }}
+                />
+                {ServerApi.Config.builtin_nwfilter_rules.includes(v.name!) ? (
+                  <TableCell></TableCell>
+                ) : (
+                  <CellRight
+                    {...p}
+                    right={{ verb: "PUT", path: `/api/nwfilter/${v.uuid}` }}
+                    parent={{ verb: "PUT", path: "/api/nwfilter/*" }}
+                  />
+                )}
+                {ServerApi.Config.builtin_nwfilter_rules.includes(v.name!) ? (
+                  <TableCell></TableCell>
+                ) : (
+                  <CellRight
+                    {...p}
+                    right={{ verb: "DELETE", path: `/api/nwfilter/${v.uuid}` }}
+                    parent={{ verb: "DELETE", path: "/api/nwfilter/*" }}
+                  />
+                )}
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/nwfilter/${v.uuid}/src` }}
+                  parent={{ verb: "GET", path: "/api/nwfilter/*/src" }}
+                />
+              </TableRow>
+            ))}
+          </TableBody>
+        </Table>
+      </RightsSection>
+
+      {/* API tokens */}
+      <RightsSection label="API tokens">
+        <RouteRight
+          {...p}
+          right={{ verb: "POST", path: "/api/token/create" }}
+          label="Create a new API token"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/token/list" }}
+          label="Get list of API tokens"
+        />
+      </RightsSection>
+
+      {/* API tokens management */}
+      <RightsSection label="API tokens management">
+        <Table size="small">
+          <TableHead>
+            <TableRow>
+              <TableCell>API token name</TableCell>
+              <TableCell align="center">Get</TableCell>
+              <TableCell align="center">Update</TableCell>
+              <TableCell align="center">Delete</TableCell>
+            </TableRow>
+          </TableHead>
+          <TableBody>
+            {/* All API tokens operations */}
+            <TableRow hover>
+              <TableCell>
+                <i>All</i>
+              </TableCell>
+              <CellRight {...p} right={{ verb: "GET", path: "/api/token/*" }} />
+              <CellRight {...p} right={{ verb: "PUT", path: "/api/token/*" }} />
+              <CellRight
+                {...p}
+                right={{ verb: "DELETE", path: "/api/token/*" }}
+              />
+            </TableRow>
+
+            {/* Per API token operations */}
+            {p.tokens.map((v, n) => (
+              <TableRow hover key={n}>
+                <TableCell>{v.name}</TableCell>
+                <CellRight
+                  {...p}
+                  right={{ verb: "GET", path: `/api/token/${v.id}` }}
+                  parent={{ verb: "GET", path: "/api/token/*" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "PUT", path: `/api/token/${v.id}` }}
+                  parent={{ verb: "PUT", path: "/api/token/*" }}
+                />
+                <CellRight
+                  {...p}
+                  right={{ verb: "DELETE", path: `/api/token/${v.id}` }}
+                  parent={{ verb: "DELETE", path: "/api/token/*" }}
+                />
+              </TableRow>
+            ))}
+          </TableBody>
+        </Table>
+      </RightsSection>
+
+      {/* ISO files */}
+      <RightsSection label="ISO files">
+        <RouteRight
+          {...p}
+          right={{ verb: "POST", path: "/api/iso/upload" }}
+          label="Upload a new ISO file"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "POST", path: "/api/iso/upload_from_url" }}
+          label="Upload a new ISO file from a given URL"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/iso/list" }}
+          label="Get the list of ISO files"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/iso/*" }}
+          label="Download ISO files"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "DELETE", path: "/api/iso/*" }}
+          label="Delete ISO files"
+        />
+      </RightsSection>
+
+      {/* Server general information */}
+      <RightsSection label="Server">
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/server/static_config" }}
+          label="Get static server configuration"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/server/info" }}
+          label="Get server information"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/server/network_hook_status" }}
+          label="Get network hook status"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/server/number_vcpus" }}
+          label="Get number of vCPU"
+        />
+        <RouteRight
+          {...p}
+          right={{ verb: "GET", path: "/api/server/networks" }}
+          label="Get list of network cards"
+        />
+      </RightsSection>
+    </>
+  );
+}
+
+function RightsSection(
+  p: React.PropsWithChildren<{ label: string }>
+): React.ReactElement {
+  return (
+    <Paper style={{ padding: "20px", margin: "10px" }}>
+      <Typography variant="h5">{p.label}</Typography>
+      {p.children}
+    </Paper>
+  );
+}
+
+interface RightOpts {
+  right: TokenRight;
+  label?: string;
+  editable: boolean;
+  token: APIToken;
+  onChange?: () => void;
+  parent?: TokenRight;
+}
+
+function CellRight(p: RightOpts): React.ReactElement {
+  return (
+    <TableCell align="center">
+      <RouteRight {...p} />
+    </TableCell>
+  );
+}
+
+function RouteRight(p: RightOpts): React.ReactElement {
+  const rightIndex = p.token.rights.findIndex(
+    (r) => r.verb === p.right.verb && r.path === p.right.path
+  );
+  const activated = rightIndex !== -1;
+
+  const parentActivated =
+    !!p.parent &&
+    p.token.rights.findIndex(
+      (r) => r.verb === p.parent?.verb && r.path === p.parent?.path
+    ) !== -1;
+
+  const toggle = (a: boolean) => {
+    if (a) {
+      p.token.rights.push(p.right);
+    } else {
+      p.token.rights.splice(rightIndex, 1);
+    }
+    p.onChange?.();
+  };
+
+  return (
+    <div>
+      <Tooltip
+        title={`${p.right.verb} ${p.right.path}`}
+        arrow
+        placement="left"
+        slotProps={{
+          popper: {
+            modifiers: [
+              {
+                name: "offset",
+                options: {
+                  offset: [0, -14],
+                },
+              },
+            ],
+          },
+        }}
+      >
+        {p.label ? (
+          <FormControlLabel
+            control={
+              <Checkbox
+                checked={activated || parentActivated}
+                disabled={!p.editable || parentActivated}
+                onChange={(_e, a) => toggle(a)}
+              />
+            }
+            label={p.label}
+          />
+        ) : (
+          <span>
+            <Checkbox
+              checked={activated || parentActivated}
+              disabled={!p.editable || parentActivated}
+              onChange={(_e, a) => toggle(a)}
+            />
+          </span>
+        )}
+      </Tooltip>
+    </div>
+  );
+}