fix: add middleware to new abilities, better ux for selecting permissions, etc.

2024-12-09 10:28:34 +01:00
parent 78f0ac80c1
commit 5bbcd7bf76
7 changed files with 191 additions and 136 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -69,5 +69,6 @@ class Kernel extends HttpKernel
        'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
        'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,
        'ability' => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class,
+        'api.ability' => \App\Http\Middleware\ApiAbility::class,
    ];
 }
--- a/app/Http/Middleware/ApiAbility.php
+++ b/app/Http/Middleware/ApiAbility.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility;
+
+class ApiAbility extends CheckForAnyAbility
+{
+    public function handle($request, $next, ...$abilities)
+    {
+        try {
+            return parent::handle($request, $next, ...$abilities);
+        } catch (\Illuminate\Auth\AuthenticationException $e) {
+            return response()->json([
+                'message' => 'Unauthenticated.',
+            ], 401);
+        } catch (\Exception $e) {
+            return response()->json([
+                'message' => 'Missing required permissions: '.implode(', ', $abilities),
+            ], 403);
+        }
+    }
+}
--- a/app/Livewire/Security/ApiTokens.php
+++ b/app/Livewire/Security/ApiTokens.php
@@ -26,14 +26,20 @@ class ApiTokens extends Component
        $this->tokens = auth()->user()->tokens->sortByDesc('created_at');
    }

-    public function updated()
+    public function updatedPermissions($permissionToUpdate)
    {
+        if ($permissionToUpdate == 'write') {
+            $this->permissions = ['write', 'deploy', 'read', 'read:sensitive'];
+        } elseif ($permissionToUpdate == 'read:sensitive' && ! in_array('read', $this->permissions)) {
+            $this->permissions[] = 'read';
+        } elseif ($permissionToUpdate == 'deploy') {
+            $this->permissions = ['deploy'];
+        } else {
            if (count($this->permissions) == 0) {
                $this->permissions = ['read'];
            }
-        if (in_array('read:sensitive', $this->permissions) && !in_array('read', $this->permissions)) {
-            $this->permissions[] = 'read';
        }
+        sort($this->permissions);
    }

    public function addNewToken()
--- a/database/migrations/2024_10_30_074601_rename_token_permissions.php
+++ b/database/migrations/2024_10_30_074601_rename_token_permissions.php
@@ -2,8 +2,6 @@

 use App\Models\PersonalAccessToken;
 use Illuminate\Database\Migrations\Migration;
-use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Support\Facades\Schema;

 return new class extends Migration
 {
@@ -12,15 +10,25 @@ return new class extends Migration
     */
    public function up(): void
    {
+        try {
            $tokens = PersonalAccessToken::all();
            foreach ($tokens as $token) {
                $abilities = collect();
-            if (in_array('*', $token->abilities)) $abilities->push('write', 'read', 'read:sensitive');
-            if (in_array('read-only', $token->abilities)) $abilities->push('read');
-            if (in_array('view:sensitive', $token->abilities)) $abilities->push('read', 'read:sensitive');
+                if (in_array('*', $token->abilities)) {
+                    $abilities->push('write', 'deploy', 'read', 'read:sensitive');
+                }
+                if (in_array('read-only', $token->abilities)) {
+                    $abilities->push('read');
+                }
+                if (in_array('view:sensitive', $token->abilities)) {
+                    $abilities->push('read', 'read:sensitive');
+                }
                $token->abilities = $abilities->unique()->values()->all();
                $token->save();
            }
+        } catch (\Exception $e) {
+            \Log::error('Error renaming token permissions: '.$e->getMessage());
+        }
    }

    /**
@@ -28,17 +36,25 @@ return new class extends Migration
     */
    public function down(): void
    {
+        try {
            $tokens = PersonalAccessToken::all();
            foreach ($tokens as $token) {
                $abilities = collect();
                if (in_array('write', $token->abilities)) {
                    $abilities->push('*');
                } else {
-                if (in_array('read', $token->abilities)) $abilities->push('read-only');
-                if (in_array('read:sensitive', $token->abilities)) $abilities->push('view:sensitive');
+                    if (in_array('read', $token->abilities)) {
+                        $abilities->push('read-only');
+                    }
+                    if (in_array('read:sensitive', $token->abilities)) {
+                        $abilities->push('view:sensitive');
+                    }
                }
                $token->abilities = $abilities->unique()->values()->all();
                $token->save();
            }
+        } catch (\Exception $e) {
+            \Log::error('Error renaming token permissions: '.$e->getMessage());
+        }
    }
 };
--- a/resources/views/components/forms/checkbox.blade.php
+++ b/resources/views/components/forms/checkbox.blade.php
@@ -5,8 +5,8 @@
    'disabled' => false,
    'instantSave' => false,
    'value' => null,
+    'domValue' => null,
    'checked' => false,
-    'hideLabel' => false,
    'fullWidth' => false,
 ])

@@ -14,7 +14,6 @@
    'flex flex-row items-center gap-4 pr-2 py-1 form-control min-w-fit dark:hover:bg-coolgray-100',
    'w-full' => $fullWidth,
 ])>
-    @if (!$hideLabel)
    <label @class([
        'flex gap-4 items-center px-0 min-w-fit label w-full cursor-pointer',
    ])>
@@ -28,12 +27,19 @@
                <x-helper :helper="$helper" />
            @endif
        </span>
+        @if ($instantSave)
+            <input type="checkbox" @disabled($disabled) {{ $attributes->merge(['class' => $defaultClass]) }}
+                wire:loading.attr="disabled"
+                wire:click='{{ $instantSave === 'instantSave' || $instantSave == '1' ? 'instantSave' : $instantSave }}'
+                wire:model={{ $id }} @if ($checked) checked @endif />
+        @else
+            @if ($domValue)
+                <input type="checkbox" @disabled($disabled) {{ $attributes->merge(['class' => $defaultClass]) }}
+                    value={{ $domValue }} @if ($checked) checked @endif />
+            @else
+                <input type="checkbox" @disabled($disabled) {{ $attributes->merge(['class' => $defaultClass]) }}
+                    wire:model={{ $value ?? $id }} @if ($checked) checked @endif />
+            @endif
        @endif
-    <input @disabled($disabled) type="checkbox" {{ $attributes->merge(['class' => $defaultClass]) }}
-        @if ($instantSave) wire:loading.attr="disabled" wire:click='{{ $instantSave === 'instantSave' || $instantSave == '1' ? 'instantSave' : $instantSave }}'
-        @if ($checked) checked @endif
-    wire:model={{ $id }} @else wire:model={{ $value ?? $id }} @endif />
-    @if (!$hideLabel)
    </label>
-    @endif
 </div>
--- a/resources/views/livewire/security/api-tokens.blade.php
+++ b/resources/views/livewire/security/api-tokens.blade.php
@@ -30,21 +30,24 @@
                @endif
            </div>
        </div>
+
+        <h4>Token Permissions</h4>
+        <div class="w-64">
+            <x-forms.checkbox label="write" wire:model.live="permissions" domValue="write"
+                helper="Root access, be careful!" :checked="in_array('write', $permissions)"></x-forms.checkbox>
+            @if (!in_array('write', $permissions))
+                <x-forms.checkbox label="deploy" wire:model.live="permissions" domValue="deploy"
+                    helper="Can trigger deploy webhooks" :checked="in_array('deploy', $permissions)"></x-forms.checkbox>
+                <x-forms.checkbox label="read" domValue="read" wire:model.live="permissions" domValue="read"
+                    :checked="in_array('read', $permissions)"></x-forms.checkbox>
+                <x-forms.checkbox label="read:sensitive" wire:model.live="permissions" domValue="read:sensitive"
+                    helper="Responses will include secrets, logs, passwords, and compose file contents"
+                    :checked="in_array('read:sensitive', $permissions)"></x-forms.checkbox>
+            @endif
+        </div>
        @if (in_array('write', $permissions))
            <div class="font-bold text-warning">Root access, be careful!</div>
        @endif
-        <h4>Token Permissions</h4>
-        <div class="w-64">
-            <x-forms.checkbox label="read" wire:model.live="permissions" value="read"
-                :checked="in_array('read', $permissions)"></x-forms.checkbox>
-            <x-forms.checkbox label="read:sensitive" wire:model.live="permissions" value="read:sensitive"
-                helper="Responses will include secrets, logs, passwords, and compose file contents"
-                :checked="in_array('read:sensitive', $permissions)"></x-forms.checkbox>
-            <x-forms.checkbox label="write" wire:model.live="permissions" value="write"
-                helper="Root access, be careful!" :checked="in_array('write', $permissions)"></x-forms.checkbox>
-            <x-forms.checkbox label="deploy" wire:model.live="permissions" value="deploy"
-                helper="Can trigger deploy webhooks" :checked="in_array('deploy', $permissions)"></x-forms.checkbox>
-        </div>
    </form>
    @if (session()->has('token'))
        <div class="py-4 font-bold dark:text-warning">Please copy this token now. For your security, it won't be shown
@@ -60,7 +63,7 @@
                <div>Last used: {{ $token->last_used_at ? $token->last_used_at->diffForHumans() : 'Never' }}</div>
                <div class="flex gap-1">
                    @if ($token->abilities)
-                        Abilities:
+                        Permissions:
                        @foreach ($token->abilities as $ability)
                            <div class="font-bold dark:text-white">{{ $ability }}</div>
                        @endforeach
--- a/routes/api.php
+++ b/routes/api.php
@@ -19,7 +19,7 @@ Route::get('/health', [OtherController::class, 'healthcheck']);
 Route::post('/feedback', [OtherController::class, 'feedback']);

 Route::group([
-    'middleware' => ['auth:sanctum', 'ability:write'],
+    'middleware' => ['auth:sanctum', 'api.ability:write'],
    'prefix' => 'v1',
 ], function () {
    Route::get('/enable', [OtherController::class, 'enable_api']);
@@ -29,103 +29,103 @@ Route::group([
    'middleware' => ['auth:sanctum', ApiAllowed::class],
    'prefix' => 'v1',
 ], function () {
-    Route::get('/version', [OtherController::class, 'version'])->middleware(['ability:read']);
+    Route::get('/version', [OtherController::class, 'version'])->middleware(['api.ability:read']);

-    Route::get('/teams', [TeamController::class, 'teams'])->middleware(['ability:read']);
-    Route::get('/teams/current', [TeamController::class, 'current_team'])->middleware(['ability:read']);
-    Route::get('/teams/current/members', [TeamController::class, 'current_team_members'])->middleware(['ability:read']);
-    Route::get('/teams/{id}', [TeamController::class, 'team_by_id'])->middleware(['ability:read']);
-    Route::get('/teams/{id}/members', [TeamController::class, 'members_by_id'])->middleware(['ability:read']);
+    Route::get('/teams', [TeamController::class, 'teams'])->middleware(['api.ability:read']);
+    Route::get('/teams/current', [TeamController::class, 'current_team'])->middleware(['api.ability:read']);
+    Route::get('/teams/current/members', [TeamController::class, 'current_team_members'])->middleware(['api.ability:read']);
+    Route::get('/teams/{id}', [TeamController::class, 'team_by_id'])->middleware(['api.ability:read']);
+    Route::get('/teams/{id}/members', [TeamController::class, 'members_by_id'])->middleware(['api.ability:read']);

-    Route::get('/projects', [ProjectController::class, 'projects'])->middleware(['ability:read']);
-    Route::get('/projects/{uuid}', [ProjectController::class, 'project_by_uuid'])->middleware(['ability:read']);
-    Route::get('/projects/{uuid}/{environment_name}', [ProjectController::class, 'environment_details'])->middleware(['ability:read']);
+    Route::get('/projects', [ProjectController::class, 'projects'])->middleware(['api.ability:read']);
+    Route::get('/projects/{uuid}', [ProjectController::class, 'project_by_uuid'])->middleware(['api.ability:read']);
+    Route::get('/projects/{uuid}/{environment_name}', [ProjectController::class, 'environment_details'])->middleware(['api.ability:read']);

-    Route::post('/projects', [ProjectController::class, 'create_project'])->middleware(['ability:read']);
-    Route::patch('/projects/{uuid}', [ProjectController::class, 'update_project'])->middleware(['ability:write']);
-    Route::delete('/projects/{uuid}', [ProjectController::class, 'delete_project'])->middleware(['ability:write']);
+    Route::post('/projects', [ProjectController::class, 'create_project'])->middleware(['api.ability:read']);
+    Route::patch('/projects/{uuid}', [ProjectController::class, 'update_project'])->middleware(['api.ability:write']);
+    Route::delete('/projects/{uuid}', [ProjectController::class, 'delete_project'])->middleware(['api.ability:write']);

-    Route::get('/security/keys', [SecurityController::class, 'keys'])->middleware(['ability:read']);
-    Route::post('/security/keys', [SecurityController::class, 'create_key'])->middleware(['ability:write']);
+    Route::get('/security/keys', [SecurityController::class, 'keys'])->middleware(['api.ability:read']);
+    Route::post('/security/keys', [SecurityController::class, 'create_key'])->middleware(['api.ability:write']);

-    Route::get('/security/keys/{uuid}', [SecurityController::class, 'key_by_uuid'])->middleware(['ability:read']);
-    Route::patch('/security/keys/{uuid}', [SecurityController::class, 'update_key'])->middleware(['ability:write']);
-    Route::delete('/security/keys/{uuid}', [SecurityController::class, 'delete_key'])->middleware(['ability:write']);
+    Route::get('/security/keys/{uuid}', [SecurityController::class, 'key_by_uuid'])->middleware(['api.ability:read']);
+    Route::patch('/security/keys/{uuid}', [SecurityController::class, 'update_key'])->middleware(['api.ability:write']);
+    Route::delete('/security/keys/{uuid}', [SecurityController::class, 'delete_key'])->middleware(['api.ability:write']);

-    Route::match(['get', 'post'], '/deploy', [DeployController::class, 'deploy'])->middleware(['ability:write,deploy']);
-    Route::get('/deployments', [DeployController::class, 'deployments'])->middleware(['ability:read']);
-    Route::get('/deployments/{uuid}', [DeployController::class, 'deployment_by_uuid'])->middleware(['ability:read']);
+    Route::match(['get', 'post'], '/deploy', [DeployController::class, 'deploy'])->middleware(['api.ability:write,deploy']);
+    Route::get('/deployments', [DeployController::class, 'deployments'])->middleware(['api.ability:read']);
+    Route::get('/deployments/{uuid}', [DeployController::class, 'deployment_by_uuid'])->middleware(['api.ability:read']);

-    Route::get('/servers', [ServersController::class, 'servers'])->middleware(['ability:read']);
-    Route::get('/servers/{uuid}', [ServersController::class, 'server_by_uuid'])->middleware(['ability:read']);
-    Route::get('/servers/{uuid}/domains', [ServersController::class, 'domains_by_server'])->middleware(['ability:read']);
-    Route::get('/servers/{uuid}/resources', [ServersController::class, 'resources_by_server'])->middleware(['ability:read']);
+    Route::get('/servers', [ServersController::class, 'servers'])->middleware(['api.ability:read']);
+    Route::get('/servers/{uuid}', [ServersController::class, 'server_by_uuid'])->middleware(['api.ability:read']);
+    Route::get('/servers/{uuid}/domains', [ServersController::class, 'domains_by_server'])->middleware(['api.ability:read']);
+    Route::get('/servers/{uuid}/resources', [ServersController::class, 'resources_by_server'])->middleware(['api.ability:read']);

-    Route::get('/servers/{uuid}/validate', [ServersController::class, 'validate_server'])->middleware(['ability:read']);
+    Route::get('/servers/{uuid}/validate', [ServersController::class, 'validate_server'])->middleware(['api.ability:read']);

-    Route::post('/servers', [ServersController::class, 'create_server'])->middleware(['ability:read']);
-    Route::patch('/servers/{uuid}', [ServersController::class, 'update_server'])->middleware(['ability:write']);
-    Route::delete('/servers/{uuid}', [ServersController::class, 'delete_server'])->middleware(['ability:write']);
+    Route::post('/servers', [ServersController::class, 'create_server'])->middleware(['api.ability:read']);
+    Route::patch('/servers/{uuid}', [ServersController::class, 'update_server'])->middleware(['api.ability:write']);
+    Route::delete('/servers/{uuid}', [ServersController::class, 'delete_server'])->middleware(['api.ability:write']);

-    Route::get('/resources', [ResourcesController::class, 'resources'])->middleware(['ability:read']);
+    Route::get('/resources', [ResourcesController::class, 'resources'])->middleware(['api.ability:read']);

-    Route::get('/applications', [ApplicationsController::class, 'applications'])->middleware(['ability:read']);
-    Route::post('/applications/public', [ApplicationsController::class, 'create_public_application'])->middleware(['ability:write']);
-    Route::post('/applications/private-github-app', [ApplicationsController::class, 'create_private_gh_app_application'])->middleware(['ability:write']);
-    Route::post('/applications/private-deploy-key', [ApplicationsController::class, 'create_private_deploy_key_application'])->middleware(['ability:write']);
-    Route::post('/applications/dockerfile', [ApplicationsController::class, 'create_dockerfile_application'])->middleware(['ability:write']);
-    Route::post('/applications/dockerimage', [ApplicationsController::class, 'create_dockerimage_application'])->middleware(['ability:write']);
-    Route::post('/applications/dockercompose', [ApplicationsController::class, 'create_dockercompose_application'])->middleware(['ability:write']);
+    Route::get('/applications', [ApplicationsController::class, 'applications'])->middleware(['api.ability:read']);
+    Route::post('/applications/public', [ApplicationsController::class, 'create_public_application'])->middleware(['api.ability:write']);
+    Route::post('/applications/private-github-app', [ApplicationsController::class, 'create_private_gh_app_application'])->middleware(['api.ability:write']);
+    Route::post('/applications/private-deploy-key', [ApplicationsController::class, 'create_private_deploy_key_application'])->middleware(['api.ability:write']);
+    Route::post('/applications/dockerfile', [ApplicationsController::class, 'create_dockerfile_application'])->middleware(['api.ability:write']);
+    Route::post('/applications/dockerimage', [ApplicationsController::class, 'create_dockerimage_application'])->middleware(['api.ability:write']);
+    Route::post('/applications/dockercompose', [ApplicationsController::class, 'create_dockercompose_application'])->middleware(['api.ability:write']);

-    Route::get('/applications/{uuid}', [ApplicationsController::class, 'application_by_uuid'])->middleware(['ability:read']);
-    Route::patch('/applications/{uuid}', [ApplicationsController::class, 'update_by_uuid'])->middleware(['ability:write']);
-    Route::delete('/applications/{uuid}', [ApplicationsController::class, 'delete_by_uuid'])->middleware(['ability:write']);
+    Route::get('/applications/{uuid}', [ApplicationsController::class, 'application_by_uuid'])->middleware(['api.ability:read']);
+    Route::patch('/applications/{uuid}', [ApplicationsController::class, 'update_by_uuid'])->middleware(['api.ability:write']);
+    Route::delete('/applications/{uuid}', [ApplicationsController::class, 'delete_by_uuid'])->middleware(['api.ability:write']);

-    Route::get('/applications/{uuid}/envs', [ApplicationsController::class, 'envs'])->middleware(['ability:read']);
-    Route::post('/applications/{uuid}/envs', [ApplicationsController::class, 'create_env'])->middleware(['ability:write']);
-    Route::patch('/applications/{uuid}/envs/bulk', [ApplicationsController::class, 'create_bulk_envs'])->middleware(['ability:write']);
-    Route::patch('/applications/{uuid}/envs', [ApplicationsController::class, 'update_env_by_uuid'])->middleware(['ability:write']);
-    Route::delete('/applications/{uuid}/envs/{env_uuid}', [ApplicationsController::class, 'delete_env_by_uuid'])->middleware(['ability:write']);
+    Route::get('/applications/{uuid}/envs', [ApplicationsController::class, 'envs'])->middleware(['api.ability:read']);
+    Route::post('/applications/{uuid}/envs', [ApplicationsController::class, 'create_env'])->middleware(['api.ability:write']);
+    Route::patch('/applications/{uuid}/envs/bulk', [ApplicationsController::class, 'create_bulk_envs'])->middleware(['api.ability:write']);
+    Route::patch('/applications/{uuid}/envs', [ApplicationsController::class, 'update_env_by_uuid'])->middleware(['api.ability:write']);
+    Route::delete('/applications/{uuid}/envs/{env_uuid}', [ApplicationsController::class, 'delete_env_by_uuid'])->middleware(['api.ability:write']);
    // Route::post('/applications/{uuid}/execute', [ApplicationsController::class, 'execute_command_by_uuid'])->middleware(['ability:write']);

-    Route::match(['get', 'post'], '/applications/{uuid}/start', [ApplicationsController::class, 'action_deploy'])->middleware(['ability:write']);
-    Route::match(['get', 'post'], '/applications/{uuid}/restart', [ApplicationsController::class, 'action_restart'])->middleware(['ability:write']);
-    Route::match(['get', 'post'], '/applications/{uuid}/stop', [ApplicationsController::class, 'action_stop'])->middleware(['ability:write']);
+    Route::match(['get', 'post'], '/applications/{uuid}/start', [ApplicationsController::class, 'action_deploy'])->middleware(['api.ability:write']);
+    Route::match(['get', 'post'], '/applications/{uuid}/restart', [ApplicationsController::class, 'action_restart'])->middleware(['api.ability:write']);
+    Route::match(['get', 'post'], '/applications/{uuid}/stop', [ApplicationsController::class, 'action_stop'])->middleware(['api.ability:write']);

-    Route::get('/databases', [DatabasesController::class, 'databases'])->middleware(['ability:read']);
-    Route::post('/databases/postgresql', [DatabasesController::class, 'create_database_postgresql'])->middleware(['ability:write']);
-    Route::post('/databases/mysql', [DatabasesController::class, 'create_database_mysql'])->middleware(['ability:write']);
-    Route::post('/databases/mariadb', [DatabasesController::class, 'create_database_mariadb'])->middleware(['ability:write']);
-    Route::post('/databases/mongodb', [DatabasesController::class, 'create_database_mongodb'])->middleware(['ability:write']);
-    Route::post('/databases/redis', [DatabasesController::class, 'create_database_redis'])->middleware(['ability:write']);
-    Route::post('/databases/clickhouse', [DatabasesController::class, 'create_database_clickhouse'])->middleware(['ability:write']);
-    Route::post('/databases/dragonfly', [DatabasesController::class, 'create_database_dragonfly'])->middleware(['ability:write']);
-    Route::post('/databases/keydb', [DatabasesController::class, 'create_database_keydb'])->middleware(['ability:write']);
+    Route::get('/databases', [DatabasesController::class, 'databases'])->middleware(['api.ability:read']);
+    Route::post('/databases/postgresql', [DatabasesController::class, 'create_database_postgresql'])->middleware(['api.ability:write']);
+    Route::post('/databases/mysql', [DatabasesController::class, 'create_database_mysql'])->middleware(['api.ability:write']);
+    Route::post('/databases/mariadb', [DatabasesController::class, 'create_database_mariadb'])->middleware(['api.ability:write']);
+    Route::post('/databases/mongodb', [DatabasesController::class, 'create_database_mongodb'])->middleware(['api.ability:write']);
+    Route::post('/databases/redis', [DatabasesController::class, 'create_database_redis'])->middleware(['api.ability:write']);
+    Route::post('/databases/clickhouse', [DatabasesController::class, 'create_database_clickhouse'])->middleware(['api.ability:write']);
+    Route::post('/databases/dragonfly', [DatabasesController::class, 'create_database_dragonfly'])->middleware(['api.ability:write']);
+    Route::post('/databases/keydb', [DatabasesController::class, 'create_database_keydb'])->middleware(['api.ability:write']);

-    Route::get('/databases/{uuid}', [DatabasesController::class, 'database_by_uuid'])->middleware(['ability:read']);
-    Route::patch('/databases/{uuid}', [DatabasesController::class, 'update_by_uuid'])->middleware(['ability:write']);
-    Route::delete('/databases/{uuid}', [DatabasesController::class, 'delete_by_uuid'])->middleware(['ability:write']);
+    Route::get('/databases/{uuid}', [DatabasesController::class, 'database_by_uuid'])->middleware(['api.ability:read']);
+    Route::patch('/databases/{uuid}', [DatabasesController::class, 'update_by_uuid'])->middleware(['api.ability:write']);
+    Route::delete('/databases/{uuid}', [DatabasesController::class, 'delete_by_uuid'])->middleware(['api.ability:write']);

-    Route::match(['get', 'post'], '/databases/{uuid}/start', [DatabasesController::class, 'action_deploy'])->middleware(['ability:write']);
-    Route::match(['get', 'post'], '/databases/{uuid}/restart', [DatabasesController::class, 'action_restart'])->middleware(['ability:write']);
-    Route::match(['get', 'post'], '/databases/{uuid}/stop', [DatabasesController::class, 'action_stop'])->middleware(['ability:write']);
+    Route::match(['get', 'post'], '/databases/{uuid}/start', [DatabasesController::class, 'action_deploy'])->middleware(['api.ability:write']);
+    Route::match(['get', 'post'], '/databases/{uuid}/restart', [DatabasesController::class, 'action_restart'])->middleware(['api.ability:write']);
+    Route::match(['get', 'post'], '/databases/{uuid}/stop', [DatabasesController::class, 'action_stop'])->middleware(['api.ability:write']);

-    Route::get('/services', [ServicesController::class, 'services'])->middleware(['ability:read']);
-    Route::post('/services', [ServicesController::class, 'create_service'])->middleware(['ability:write']);
+    Route::get('/services', [ServicesController::class, 'services'])->middleware(['api.ability:read']);
+    Route::post('/services', [ServicesController::class, 'create_service'])->middleware(['api.ability:write']);

-    Route::get('/services/{uuid}', [ServicesController::class, 'service_by_uuid'])->middleware(['ability:read']);
+    Route::get('/services/{uuid}', [ServicesController::class, 'service_by_uuid'])->middleware(['api.ability:read']);
    // Route::patch('/services/{uuid}', [ServicesController::class, 'update_by_uuid'])->middleware(['ability:write']);
-    Route::delete('/services/{uuid}', [ServicesController::class, 'delete_by_uuid'])->middleware(['ability:write']);
+    Route::delete('/services/{uuid}', [ServicesController::class, 'delete_by_uuid'])->middleware(['api.ability:write']);

-    Route::get('/services/{uuid}/envs', [ServicesController::class, 'envs'])->middleware(['ability:read']);
-    Route::post('/services/{uuid}/envs', [ServicesController::class, 'create_env'])->middleware(['ability:write']);
-    Route::patch('/services/{uuid}/envs/bulk', [ServicesController::class, 'create_bulk_envs'])->middleware(['ability:write']);
-    Route::patch('/services/{uuid}/envs', [ServicesController::class, 'update_env_by_uuid'])->middleware(['ability:write']);
-    Route::delete('/services/{uuid}/envs/{env_uuid}', [ServicesController::class, 'delete_env_by_uuid'])->middleware(['ability:write']);
+    Route::get('/services/{uuid}/envs', [ServicesController::class, 'envs'])->middleware(['api.ability:read']);
+    Route::post('/services/{uuid}/envs', [ServicesController::class, 'create_env'])->middleware(['api.ability:write']);
+    Route::patch('/services/{uuid}/envs/bulk', [ServicesController::class, 'create_bulk_envs'])->middleware(['api.ability:write']);
+    Route::patch('/services/{uuid}/envs', [ServicesController::class, 'update_env_by_uuid'])->middleware(['api.ability:write']);
+    Route::delete('/services/{uuid}/envs/{env_uuid}', [ServicesController::class, 'delete_env_by_uuid'])->middleware(['api.ability:write']);

-    Route::match(['get', 'post'], '/services/{uuid}/start', [ServicesController::class, 'action_deploy'])->middleware(['ability:write']);
-    Route::match(['get', 'post'], '/services/{uuid}/restart', [ServicesController::class, 'action_restart'])->middleware(['ability:write']);
-    Route::match(['get', 'post'], '/services/{uuid}/stop', [ServicesController::class, 'action_stop'])->middleware(['ability:write']);
+    Route::match(['get', 'post'], '/services/{uuid}/start', [ServicesController::class, 'action_deploy'])->middleware(['api.ability:write']);
+    Route::match(['get', 'post'], '/services/{uuid}/restart', [ServicesController::class, 'action_restart'])->middleware(['api.ability:write']);
+    Route::match(['get', 'post'], '/services/{uuid}/stop', [ServicesController::class, 'action_stop'])->middleware(['api.ability:write']);
 });

 Route::group([