Logchef v1.6.1
Patch release. Introduces Service accounts — non-login principals that own scoped API tokens — and reworks the API-token surface so every token carries an explicit scope list enforced by middleware. Also surfaces ClickHouse column comments through the schema API for the LogChef CLI v0.1.6 to consume.
Added
- Service accounts — Non-login principals you can add to teams and own API tokens. Created from Administration → Service Tokens. Cannot authenticate via OIDC or CLI exchange.
- Scoped API tokens — Tokens now carry an explicit scope list (
logs:read,alerts:write, ...). NewrequireTokenScopemiddleware enforces them on every route. Presets in the UI: Read-only, Logs viewer, Logs analyst, Alerts manager, Source admin, Full access. Active preset is highlighted while the selection matches. - Account-type toggle in Add Team Member dialog — Switch between Human user and Service account; the dropdown filters to the selected type and shows
full_namewith email as a subtitle. - Service account badge in team member tables, with a bot icon, so automation principals are visually distinct from humans.
- Team chips and "Manage teams" button on each service account card. Surfaces zero-team state ("token reaches no source") and lets you add or remove team memberships without leaving the page.
- New admin endpoints:
GET/POST/DELETE /admin/service-accountsGET/POST/DELETE /admin/service-accounts/:id/tokensGET/POST/DELETE /admin/service-accounts/:id/teams
- Schema column descriptions — The schema API now surfaces ClickHouse column comments as an optional
descriptionfield. Consumed by LogChef CLI v0.1.6'sschemacommand.
Changed
UserProfile"Create API Token" dialog defaults to the Read-only preset. Previously defaulted to Full access (*), which made every checkbox appear disabled-but-checked and gave no choice unless the user manually clicked away.- Read-only preset includes every
:readscope. Now coverstokens:read,users:read, andsettings:readin addition to the resource read scopes. Admin-gated routes still require admin role at the auth layer, so the wider scope set only matters for admin-owned tokens. /admin/users/*now 404s on service accounts. Service principals are managed through the dedicated/admin/service-accounts/*path so admins can't accidentally promote a service account to admin via the human-user CRUD path.
Fixed
TokenScopePickercheckboxes are now interactive. The component was binding to:checked/@update:checked, but the shadcn-vue Checkbox forwards reka-ui'sCheckboxRootProps, which usesmodel-value/update:model-value. The bug was hidden behind the old Full-access default; switching the default surfaced it.- Token creation rejects empty scopes (HTTP 400). Previously, a request with no scopes silently defaulted to
["*"], minting a god-token. - Corrupt or empty stored scopes fail closed. A row with malformed JSON in
api_tokens.scopesnow grants no access instead of*.
Migration notes
| Migration | What it does |
|---|---|
| 000023 | Adds users.account_type (human/service) and api_tokens.scopes (JSON array). Existing users default to human; existing tokens default to ["*"] to preserve behavior. Index on users(account_type).
|
Full Changelog: v1.6.0...v1.6.1