Conversation

@tariqksoliman
Member

Closes #751

With Claude (bedrock)

Fix API Token Visibility Security Issue (#751)

Description

This PR addresses a critical security vulnerability where regular admins could
view and potentially misuse API tokens created by other admins, including
SuperAdmins. This undermined the tailored permission system by allowing admins
to bypass their restricted permissions using other admins' tokens.

Changes Made

/api/longtermtoken/get endpoint

  • Added permission-based filtering to restrict token visibility
  • SuperAdmins (permission "111") continue to see all tokens
  • Regular Admins (permission "110") now only see tokens they created
  • Uses Sequelize's replacements functionality for SQL injection protection

/api/longtermtoken/clear endpoint

  • Added ownership validation before token deletion
  • SuperAdmins can delete any token
  • Regular Admins can only delete their own tokens
  • Returns appropriate error messages for unauthorized deletion attempts

Technical Details

  • Modified API/Backend/LongTermToken/routes/longtermtokens.js
  • Leverages session data (req.session.permission and req.session.uid) for access
    control
  • Uses parameterized queries with Sequelize replacements to prevent SQL
    injection
  • Properly handles edge cases (e.g., userId could be 0)

Testing

  • Verify SuperAdmins can see all API tokens
  • Verify Regular Admins only see their own tokens
  • Verify Regular Admins cannot delete other users' tokens
  • Verify SuperAdmins can delete any token

Security Impact

This fix ensures that admins with restricted permissions cannot circumvent their
access limitations by using API tokens from other admins, maintaining the
integrity of the permission system.
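The access-control rules the PR describes for the `/get` and `/clear` endpoints, written out as an added example (not MMGIS's own code or the actual diff). The session fields `permission` and `uid` and the permission strings "111" and "110" come from the PR text; the token field `userId`, the table and column names in the query, and the sample tokens are assumptions constructed here. The `uid` of 0 in the sample data exercises the edge case the PR calls out: a truthiness check on the user id would wrongly treat that admin as anonymous.

```javascript
// Added example, not the project's code. Session shape and permission
// strings follow the PR description; token fields and table/column names
// are assumed for illustration.
const SUPER_ADMIN = "111";
const ADMIN = "110";

function isSuperAdmin(session) {
  return session.permission === SUPER_ADMIN;
}

// Resolve the caller's user id. A uid of 0 is a valid user, so the check
// is against null/undefined rather than truthiness.
function callerId(session) {
  if (session.uid === null || session.uid === undefined) return null;
  return Number(session.uid);
}

// /get semantics: SuperAdmins see every token, Admins only the tokens they
// created, any other permission sees nothing.
function visibleTokens(session, tokens) {
  if (isSuperAdmin(session)) return tokens.slice();
  if (session.permission !== ADMIN) return [];
  const uid = callerId(session);
  if (uid === null) return [];
  return tokens.filter((t) => Number(t.userId) === uid);
}

// /clear semantics: ownership is validated before anything is deleted.
// Returns a decision object so the route can map it to a response.
function canClearToken(session, token) {
  if (isSuperAdmin(session)) return { ok: true };
  if (session.permission !== ADMIN) return { ok: false, error: "Unauthorized" };
  const uid = callerId(session);
  if (uid === null || Number(token.userId) !== uid) {
    return { ok: false, error: "You may only delete tokens you created" };
  }
  return { ok: true };
}

// The query shape the PR describes: the user id is bound through Sequelize
// `replacements`, never concatenated into the SQL string. Returned as data
// so it can be passed to sequelize.query(sql, { replacements }); the table
// and column names are assumptions.
function tokenQueryFor(session) {
  if (isSuperAdmin(session)) {
    return { sql: "SELECT * FROM long_term_tokens", replacements: {} };
  }
  return {
    sql: "SELECT * FROM long_term_tokens WHERE user_id = :uid",
    replacements: { uid: callerId(session) },
  };
}

// Constructed sample tokens; the first belongs to the user with uid 0.
const SAMPLE_TOKENS = [
  { id: 1, userId: 0, token: "placeholder-token-a" },
  { id: 2, userId: 7, token: "placeholder-token-b" },
  { id: 3, userId: 9, token: "placeholder-token-c" },
];
```

Keeping the decision in a pure function makes the PR's four test bullets direct unit tests: call `visibleTokens` and `canClearToken` with a SuperAdmin session, an Admin session and the sample tokens, and assert on the returned set or decision rather than on database state.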

@tariqksoliman tariqksoliman self-assigned this Sep 11, 2025
@tariqksoliman tariqksoliman added the bug Something isn't working label Sep 11, 2025
@tariqksoliman tariqksoliman merged commit 9535695 into development Sep 11, 2025
1 check passed
@github-project-automation github-project-automation bot moved this to Done in MMGIS Sep 11, 2025
@tariqksoliman tariqksoliman deleted the ts-751 branch September 11, 2025 21:13


Successfully merging this pull request may close these issues.

[Bug]: API Tokens are Visible to all Admins Types