coder
diff --git a/‎.vscode/settings.json
+1 b/‎.vscode/settings.json
+1
diff --git a/‎cli/testdata/coder_tokens_list_--help.golden
+4-1 b/‎cli/testdata/coder_tokens_list_--help.golden
+4-1
diff --git a/‎cli/tokens.go
+67-8 b/‎cli/tokens.go
+67-8
diff --git a/‎coderd/apikey.go
+29-8 b/‎coderd/apikey.go
+29-8
diff --git a/‎coderd/apikey_test.go
+5-5 b/‎coderd/apikey_test.go
+5-5
diff --git a/‎coderd/coderdtest/authorize.go
+3-1 b/‎coderd/coderdtest/authorize.go
+3-1
diff --git a/‎coderd/database/dbauthz/querier.go
+4 b/‎coderd/database/dbauthz/querier.go
+4
diff --git a/‎coderd/database/dbauthz/querier_test.go
+12 b/‎coderd/database/dbauthz/querier_test.go
+12
diff --git a/‎coderd/database/dbfake/databasefake.go
+13 b/‎coderd/database/dbfake/databasefake.go
+13
diff --git a/‎coderd/database/querier.go
+1 b/‎coderd/database/querier.go
+1
diff --git a/‎coderd/database/queries.sql.go
+44 b/‎coderd/database/queries.sql.go
+44
diff --git a/‎coderd/database/queries/apikeys.sql
+3 b/‎coderd/database/queries/apikeys.sql
+3
@@ -113,6 +113,7 @@
     "stretchr",
     "STTY",
     "stuntest",
+    "tanstack",
     "tailbroker",
     "tailcfg",
     "tailexchange",
 
@@ -7,8 +7,11 @@ Aliases:
   list, ls
 
 Flags:
+  -a, --all              Specifies whether all users' tokens will be listed or not (must have
+                         Owner role to see all tokens).
   -c, --column strings   Columns to display in table output. Available columns: id, last used,
-                         expires at, created at (default [id,last used,expires at,created at])
+                         expires at, created at, owner (default [id,last used,expires
+                         at,created at])
   -h, --help             help for list
   -o, --output string    Output format. Available formats: table, json (default "table")
 
 
@@ -2,10 +2,13 @@ package cli
 
 import (
 	"fmt"
+	"os"
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/cli/cliflag"
@@ -83,12 +86,47 @@ func createToken() *cobra.Command {
 	return cmd
 }
 
+// tokenListRow is the type provided to the OutputFormatter.
+type tokenListRow struct {
+	// For JSON format:
+	codersdk.APIKey `table:"-"`
+
+	// For table format:
+	ID        string    `json:"-" table:"id,default_sort"`
+	LastUsed  time.Time `json:"-" table:"last used"`
+	ExpiresAt time.Time `json:"-" table:"expires at"`
+	CreatedAt time.Time `json:"-" table:"created at"`
+	Owner     string    `json:"-" table:"owner"`
+}
+
+func tokenListRowFromToken(token codersdk.APIKey, usersByID map[uuid.UUID]codersdk.User) tokenListRow {
+	user := usersByID[token.UserID]
+
+	return tokenListRow{
+		APIKey:    token,
+		ID:        token.ID,
+		LastUsed:  token.LastUsed,
+		ExpiresAt: token.ExpiresAt,
+		CreatedAt: token.CreatedAt,
+		Owner:     user.Username,
+	}
+}
+
 func listTokens() *cobra.Command {
-	formatter := cliui.NewOutputFormatter(
-		cliui.TableFormat([]codersdk.APIKey{}, nil),
-		cliui.JSONFormat(),
-	)
+	// we only display the 'owner' column if the --all argument is passed in
+	defaultCols := []string{"id", "last used", "expires at", "created at"}
+	if slices.Contains(os.Args, "-a") || slices.Contains(os.Args, "--all") {
+		defaultCols = append(defaultCols, "owner")
+	}
 
+	var (
+		all           bool
+		displayTokens []tokenListRow
+		formatter     = cliui.NewOutputFormatter(
+			cliui.TableFormat([]tokenListRow{}, defaultCols),
+			cliui.JSONFormat(),
+		)
+	)
 	cmd := &cobra.Command{
 		Use:     "list",
 		Aliases: []string{"ls"},
@@ -99,18 +137,36 @@ func listTokens() *cobra.Command {
 				return xerrors.Errorf("create codersdk client: %w", err)
 			}
 
-			keys, err := client.Tokens(cmd.Context(), codersdk.Me)
+			tokens, err := client.Tokens(cmd.Context(), codersdk.Me, codersdk.TokensFilter{
+				IncludeAll: all,
+			})
 			if err != nil {
-				return xerrors.Errorf("create tokens: %w", err)
+				return xerrors.Errorf("list tokens: %w", err)
 			}
 
-			if len(keys) == 0 {
+			if len(tokens) == 0 {
 				cmd.Println(cliui.Styles.Wrap.Render(
 					"No tokens found.",
 				))
 			}
 
-			out, err := formatter.Format(cmd.Context(), keys)
+			userRes, err := client.Users(cmd.Context(), codersdk.UsersRequest{})
+			if err != nil {
+				return err
+			}
+
+			usersByID := map[uuid.UUID]codersdk.User{}
+			for _, user := range userRes.Users {
+				usersByID[user.ID] = user
+			}
+
+			displayTokens = make([]tokenListRow, len(tokens))
+
+			for i, token := range tokens {
+				displayTokens[i] = tokenListRowFromToken(token, usersByID)
+			}
+
+			out, err := formatter.Format(cmd.Context(), displayTokens)
 			if err != nil {
 				return err
 			}
@@ -120,6 +176,9 @@ func listTokens() *cobra.Command {
 		},
 	}
 
+	cmd.Flags().BoolVarP(&all, "all", "a", false,
+		"Specifies whether all users' tokens will be listed or not (must have Owner role to see all tokens).")
+
 	formatter.AttachFlags(cmd)
 	return cmd
 }
 
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"strconv"
 	"time"
 
 	"github.com/go-chi/chi/v5"
@@ -175,15 +176,35 @@ func (api *API) apiKey(rw http.ResponseWriter, r *http.Request) {
 // @Success 200 {array} codersdk.APIKey
 // @Router /users/{user}/keys/tokens [get]
 func (api *API) tokens(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	var (
+		ctx           = r.Context()
+		user          = httpmw.UserParam(r)
+		keys          []database.APIKey
+		err           error
+		queryStr      = r.URL.Query().Get("include_all")
+		includeAll, _ = strconv.ParseBool(queryStr)
+	)
 
-	keys, err := api.Database.GetAPIKeysByLoginType(ctx, database.LoginTypeToken)
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching API keys.",
-			Detail:  err.Error(),
-		})
-		return
+	if includeAll {
+		// get tokens for all users
+		keys, err = api.Database.GetAPIKeysByLoginType(ctx, database.LoginTypeToken)
+		if err != nil {
+			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Internal error fetching API keys.",
+				Detail:  err.Error(),
+			})
+			return
+		}
+	} else {
+		// get user's tokens only
+		keys, err = api.Database.GetAPIKeysByUserID(ctx, database.GetAPIKeysByUserIDParams{LoginType: database.LoginTypeToken, UserID: user.ID})
+		if err != nil {
+			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Internal error fetching API keys.",
+				Detail:  err.Error(),
+			})
+			return
+		}
 	}
 
 	keys, err = AuthorizeFilter(api.HTTPAuth, r, rbac.ActionRead, keys)
 
@@ -24,15 +24,15 @@ func TestTokenCRUD(t *testing.T) {
 	defer cancel()
 	client := coderdtest.New(t, nil)
 	_ = coderdtest.CreateFirstUser(t, client)
-	keys, err := client.Tokens(ctx, codersdk.Me)
+	keys, err := client.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
 	require.NoError(t, err)
 	require.Empty(t, keys)
 
 	res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
 	require.NoError(t, err)
 	require.Greater(t, len(res.Key), 2)
 
-	keys, err = client.Tokens(ctx, codersdk.Me)
+	keys, err = client.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
 	require.NoError(t, err)
 	require.EqualValues(t, len(keys), 1)
 	require.Contains(t, res.Key, keys[0].ID)
@@ -45,7 +45,7 @@ func TestTokenCRUD(t *testing.T) {
 
 	err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
 	require.NoError(t, err)
-	keys, err = client.Tokens(ctx, codersdk.Me)
+	keys, err = client.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
 	require.NoError(t, err)
 	require.Empty(t, keys)
 }
@@ -64,7 +64,7 @@ func TestTokenScoped(t *testing.T) {
 	require.NoError(t, err)
 	require.Greater(t, len(res.Key), 2)
 
-	keys, err := client.Tokens(ctx, codersdk.Me)
+	keys, err := client.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
 	require.NoError(t, err)
 	require.EqualValues(t, len(keys), 1)
 	require.Contains(t, res.Key, keys[0].ID)
@@ -83,7 +83,7 @@ func TestTokenDuration(t *testing.T) {
 		Lifetime: time.Hour * 24 * 7,
 	})
 	require.NoError(t, err)
-	keys, err := client.Tokens(ctx, codersdk.Me)
+	keys, err := client.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
 	require.NoError(t, err)
 	require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*6*24))
 	require.Less(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*8*24))
 
@@ -347,7 +347,9 @@ func NewAuthTester(ctx context.Context, t *testing.T, client *codersdk.Client, a
 	})
 	require.NoError(t, err, "create token")
 
-	apiKeys, err := client.Tokens(ctx, admin.UserID.String())
+	apiKeys, err := client.Tokens(ctx, admin.UserID.String(), codersdk.TokensFilter{
+		IncludeAll: true,
+	})
 	require.NoError(t, err, "get tokens")
 	apiKey := apiKeys[0]
 
 
@@ -40,6 +40,10 @@ func (q *querier) GetAPIKeysByLoginType(ctx context.Context, loginType database.
 	return fetchWithPostFilter(q.auth, q.db.GetAPIKeysByLoginType)(ctx, loginType)
 }
 
+func (q *querier) GetAPIKeysByUserID(ctx context.Context, params database.GetAPIKeysByUserIDParams) ([]database.APIKey, error) {
+	return fetchWithPostFilter(q.auth, q.db.GetAPIKeysByUserID)(ctx, database.GetAPIKeysByUserIDParams{LoginType: params.LoginType, UserID: params.UserID})
+}
+
 func (q *querier) GetAPIKeysLastUsedAfter(ctx context.Context, lastUsed time.Time) ([]database.APIKey, error) {
 	return fetchWithPostFilter(q.auth, q.db.GetAPIKeysLastUsedAfter)(ctx, lastUsed)
 }
 
@@ -31,6 +31,18 @@ func (s *MethodTestSuite) TestAPIKey() {
 			Asserts(a, rbac.ActionRead, b, rbac.ActionRead).
 			Returns(slice.New(a, b))
 	}))
+	s.Run("GetAPIKeysByUserID", s.Subtest(func(db database.Store, check *expects) {
+		idAB := uuid.New()
+		idC := uuid.New()
+
+		keyA, _ := dbgen.APIKey(s.T(), db, database.APIKey{UserID: idAB, LoginType: database.LoginTypeToken})
+		keyB, _ := dbgen.APIKey(s.T(), db, database.APIKey{UserID: idAB, LoginType: database.LoginTypeToken})
+		_, _ = dbgen.APIKey(s.T(), db, database.APIKey{UserID: idC, LoginType: database.LoginTypeToken})
+
+		check.Args(database.GetAPIKeysByUserIDParams{LoginType: database.LoginTypeToken, UserID: idAB}).
+			Asserts(keyA, rbac.ActionRead, keyB, rbac.ActionRead).
+			Returns(slice.New(keyA, keyB))
+	}))
 	s.Run("GetAPIKeysLastUsedAfter", s.Subtest(func(db database.Store, check *expects) {
 		a, _ := dbgen.APIKey(s.T(), db, database.APIKey{LastUsed: time.Now().Add(time.Hour)})
 		b, _ := dbgen.APIKey(s.T(), db, database.APIKey{LastUsed: time.Now().Add(time.Hour)})
 
@@ -484,6 +484,19 @@ func (q *fakeQuerier) GetAPIKeysByLoginType(_ context.Context, t database.LoginT
 	return apiKeys, nil
 }
 
+func (q *fakeQuerier) GetAPIKeysByUserID(_ context.Context, params database.GetAPIKeysByUserIDParams) ([]database.APIKey, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	apiKeys := make([]database.APIKey, 0)
+	for _, key := range q.apiKeys {
+		if key.UserID == params.UserID && key.LoginType == params.LoginType {
+			apiKeys = append(apiKeys, key)
+		}
+	}
+	return apiKeys, nil
+}
+
 func (q *fakeQuerier) DeleteAPIKeyByID(_ context.Context, id string) error {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
@@ -14,6 +14,9 @@ SELECT * FROM api_keys WHERE last_used > $1;
 -- name: GetAPIKeysByLoginType :many
 SELECT * FROM api_keys WHERE login_type = $1;
 
+-- name: GetAPIKeysByUserID :many
+SELECT * FROM api_keys WHERE login_type = $1 AND user_id = $2;
+
 -- name: InsertAPIKey :one
 INSERT INTO
 	api_keys (
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,10 @@ func (q *querier) GetAPIKeysByLoginType(ctx context.Context, loginType database.`
`40`	`40`	`return fetchWithPostFilter(q.auth, q.db.GetAPIKeysByLoginType)(ctx, loginType)`
`41`	`41`	`}`
`42`	`42`
	`43`	`+func (q *querier) GetAPIKeysByUserID(ctx context.Context, params database.GetAPIKeysByUserIDParams) ([]database.APIKey, error) {`
	`44`	`+ return fetchWithPostFilter(q.auth, q.db.GetAPIKeysByUserID)(ctx, database.GetAPIKeysByUserIDParams{LoginType: params.LoginType, UserID: params.UserID})`
	`45`	`+}`
	`46`	`+`
`43`	`47`	`func (q *querier) GetAPIKeysLastUsedAfter(ctx context.Context, lastUsed time.Time) ([]database.APIKey, error) {`
`44`	`48`	`return fetchWithPostFilter(q.auth, q.db.GetAPIKeysLastUsedAfter)(ctx, lastUsed)`
`45`	`49`	`}`