
limit api tokens feature to certain users

Alexander Belanger 4 лет назад
Сommit
58d5f05a78

+ 6 - 0
api/server/handlers/api_token/create.go

@@ -1,6 +1,7 @@
 package api_token
 
 import (
+	"fmt"
 	"net/http"
 	"time"
 
@@ -34,6 +35,11 @@ func (p *APITokenCreateHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 	user, _ := r.Context().Value(types.UserScope).(*models.User)
 	proj, _ := r.Context().Value(types.ProjectScope).(*models.Project)
 
+	if !proj.APITokensEnabled {
+		p.HandleAPIError(w, r, apierrors.NewErrForbidden(fmt.Errorf("api token endpoints are not enabled for this project")))
+		return
+	}
+
 	req := &types.CreateAPIToken{}
 
 	if ok := p.DecodeAndValidate(w, r, req); !ok {
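Review bot: The same `APITokensEnabled` guard is pasted into the create, get, list and revoke handlers, so an endpoint added to this package later is exposed unless its author remembers to copy the check. Enforcing the flag once, in a shared helper or a route-level check covering all api_token routes, would make the gate fail closed by construction. The guard also dereferences `proj` right after `proj, _ := r.Context().Value(types.ProjectScope).(*models.Project)` discards the assertion result, so a request that reaches ServeHTTP without a project in its context would panic here rather than return an error; checking the `ok` value first avoids that. Because the message has no format verbs, `errors.New("api token endpoints are not enabled for this project")` is the idiomatic call and would replace the `fmt` import this file gains with `errors`. ServeHTTP continues past the end of the hunk.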

+ 5 - 0
api/server/handlers/api_token/get.go

@@ -33,6 +33,11 @@ func NewAPITokenGetHandler(
 func (p *APITokenGetHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	proj, _ := r.Context().Value(types.ProjectScope).(*models.Project)
 
+	if !proj.APITokensEnabled {
+		p.HandleAPIError(w, r, apierrors.NewErrForbidden(fmt.Errorf("api token endpoints are not enabled for this project")))
+		return
+	}
+
 	// get the token id from the request
 	tokenID, reqErr := requestutils.GetURLParamString(r, types.URLParamTokenID)
 

+ 6 - 0
api/server/handlers/api_token/list.go

@@ -1,6 +1,7 @@
 package api_token
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/porter-dev/porter/api/server/handlers"
@@ -28,6 +29,11 @@ func NewAPITokenListHandler(
 func (p *APITokenListHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	proj, _ := r.Context().Value(types.ProjectScope).(*models.Project)
 
+	if !proj.APITokensEnabled {
+		p.HandleAPIError(w, r, apierrors.NewErrForbidden(fmt.Errorf("api token endpoints are not enabled for this project")))
+		return
+	}
+
 	tokens, err := p.Repo().APIToken().ListAPITokensByProjectID(proj.ID)
 
 	if err != nil {

+ 5 - 0
api/server/handlers/api_token/revoke.go

@@ -32,6 +32,11 @@ func NewAPITokenRevokeHandler(
 func (p *APITokenRevokeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	proj, _ := r.Context().Value(types.ProjectScope).(*models.Project)
 
+	if !proj.APITokensEnabled {
+		p.HandleAPIError(w, r, apierrors.NewErrForbidden(fmt.Errorf("api token endpoints are not enabled for this project")))
+		return
+	}
+
 	// get the token id from the request
 	tokenID, reqErr := requestutils.GetURLParamString(r, types.URLParamTokenID)
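Review bot: Gating revoke behind `APITokensEnabled` means a project whose flag is false can no longer revoke tokens it has already issued, and the new bool's zero value is false for every existing project. The code that authenticates a request bearing an API token is not part of this commit, so if that path does not also consult the flag, previously minted tokens would stay valid while the only endpoint that invalidates them returns 403. Consider leaving revoke ungated (and list, so owners can see what exists), or rejecting token-authenticated requests for projects where the flag is off. At minimum, a comment above the guard such as `// NOTE: tokens issued before the flag existed cannot be revoked while it is false` would record the trade-off. ServeHTTP continues past the end of the hunk.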
 

+ 1 - 0
api/types/project.go

@@ -7,6 +7,7 @@ type Project struct {
 	PreviewEnvsEnabled  bool    `json:"preview_envs_enabled"`
 	RDSDatabasesEnabled bool    `json:"enable_rds_databases"`
 	ManagedInfraEnabled bool    `json:"managed_infra_enabled"`
+	APITokensEnabled    bool    `json:"api_tokens_enabled"`
 }
 
 type CreateProjectRequest struct {

+ 6 - 4
dashboard/src/main/home/project-settings/ProjectSettings.tsx

@@ -74,10 +74,12 @@ class ProjectSettings extends Component<PropsType, StateType> {
         });
       }
 
-      tabOptions.push({
-        value: "api-tokens",
-        label: "API Tokens",
-      });
+      if (currentProject?.api_tokens_enabled) {
+        tabOptions.push({
+          value: "api-tokens",
+          label: "API Tokens",
+        });
+      }
 
       tabOptions.push({
         value: "additional-settings",

+ 1 - 0
dashboard/src/shared/types.tsx

@@ -235,6 +235,7 @@ export interface ProjectType {
   preview_envs_enabled: boolean;
   enable_rds_databases: boolean;
   managed_infra_enabled: boolean;
+  api_tokens_enabled: boolean;
   roles: {
     id: number;
     kind: string;

+ 2 - 0
internal/models/project.go

@@ -59,6 +59,7 @@ type Project struct {
 	PreviewEnvsEnabled  bool
 	RDSDatabasesEnabled bool
 	ManagedInfraEnabled bool
+	APITokensEnabled    bool
 }
 
 // ToProjectType generates an external types.Project to be shared over REST
@@ -76,5 +77,6 @@ func (p *Project) ToProjectType() *types.Project {
 		PreviewEnvsEnabled:  p.PreviewEnvsEnabled,
 		RDSDatabasesEnabled: p.RDSDatabasesEnabled,
 		ManagedInfraEnabled: p.ManagedInfraEnabled,
+		APITokensEnabled:    p.APITokensEnabled,
 	}
 }
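Review bot: `APITokensEnabled` is added to the model without a comment, and nothing in this commit sets it, so its zero value denies the four api_token endpoints for every project until something outside the visible diff flips it. A field comment such as `// APITokensEnabled gates the api_token endpoints for this project; false (the zero value) denies them.` would document the default-deny behaviour. The commit title speaks of limiting the feature to certain users while the flag is per project, so the comment is also the place to state which scope is intended.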