feat: implement GetCurrentUserPAT RPC #1450

Open
AmanGIT07 wants to merge 1 commit into main from feat/get-pat-by-current-user

@AmanGIT07
Contributor

Summary

  • Add GetCurrentUserPAT RPC handler that retrieves a single PAT by ID for the authenticated user
  • Service layer verifies PAT ownership (returns not-found if PAT belongs to a different user) and enriches the response with role_ids and project_ids
  • Accepts both session and PAT authentication (checks principal.User != nil instead of principal type)

Manual Tests

  • Call with valid PAT ID via session auth → returns PAT with role_ids/project_ids
  • Call with another user's PAT ID → returns not found
  • Call with PAT auth → works
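
The ownership check and scope enrichment described in the summary above, as an added Go example that is not code from this PR. The `PAT`, `Policy`, `Get` and `appendUnique` names and the in-memory data are assumptions made for illustration; a missing PAT and another user's PAT return the same error, so the response does not reveal which PAT IDs exist.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound covers both "no such PAT" and "PAT owned by someone else",
// so the error cannot be used to learn which PAT IDs exist.
var ErrNotFound = errors.New("pat not found")

// PAT and Policy are hypothetical, trimmed-down records for this example.
type PAT struct {
	ID, UserID          string
	RoleIDs, ProjectIDs []string
}
type Policy struct{ PATID, RoleID, ProjectID string }

// appendUnique appends v to ids unless it is already present.
func appendUnique(ids []string, v string) []string {
	for _, id := range ids {
		if id == v {
			return ids
		}
	}
	return append(ids, v)
}

// Get returns the PAT only to its owner, enriched with deduplicated scope IDs.
func Get(pats map[string]PAT, policies []Policy, callerID, patID string) (PAT, error) {
	pat, ok := pats[patID]
	if !ok || callerID == "" || pat.UserID != callerID {
		return PAT{}, ErrNotFound
	}
	for _, p := range policies {
		if p.PATID == patID {
			pat.RoleIDs = appendUnique(pat.RoleIDs, p.RoleID)
			pat.ProjectIDs = appendUnique(pat.ProjectIDs, p.ProjectID)
		}
	}
	return pat, nil
}

func main() {
	pats := map[string]PAT{"pat-1": {ID: "pat-1", UserID: "alice"}, "pat-2": {ID: "pat-2", UserID: "bob"}} // constructed data
	policies := []Policy{{"pat-1", "viewer", "proj-a"}, {"pat-1", "editor", "proj-a"}}
	fmt.Println(Get(pats, policies, "alice", "pat-1")) // owner: enriched PAT
	fmt.Println(Get(pats, policies, "alice", "pat-2")) // another user's PAT: same error as a missing ID
}
```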

@vercel

vercel bot commented Mar 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| frontier | Ready | Preview, Comment | Mar 13, 2026 4:12pm |

@coderabbitai

coderabbitai bot commented Mar 13, 2026

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added ability to retrieve and view personal access token (PAT) details by ID.
    • PATs now include role and project ID information for enhanced access control visibility.
    • Extended PAT endpoints to support scope enrichment and validation.
  • Tests

    • Added comprehensive test coverage for PAT retrieval functionality.

Walkthrough

This PR adds a Get method to retrieve a specific Personal Access Token by user ID and PAT ID. Changes include service layer implementation with scope enrichment for RoleIDs and ProjectIDs from SpiceDB policies, API interface and handler updates with error mapping, and corresponding test coverage across layers.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build Configuration: Makefile | Updated PROTON_COMMIT hash from e5878c3 to 2416855, affecting protobuf artifact fetching during proto generation. |
| Mock Generation: core/userpat/mocks/policy_service.go, internal/api/v1beta1connect/mocks/user_pat_service.go | Added mock methods (List and Get respectively) with testify mock infrastructure, including Call types, Expecter methods, and fluent configuration methods (Run, Return, RunAndReturn). |
| Model Updates: core/userpat/models/pat.go | Added RoleIDs and ProjectIDs fields to PAT struct with JSON serialization tags. |
| Service Layer: core/userpat/service.go, core/userpat/service_test.go | Implemented Service.Get method with ownership verification and scope enrichment via internal enrichWithScope helper; added PolicyService.List method; comprehensive test coverage for Get scenarios including disabled feature, not found, ownership checks, and enrichment failures. |
| API Interface & Handler: internal/api/v1beta1connect/interfaces.go, internal/api/v1beta1connect/user_pat.go, internal/api/v1beta1connect/user_pat_test.go | Added UserPATService.Get interface method; implemented GetCurrentUserPAT handler with error mapping to Connect error codes (PermissionDenied, InvalidArgument, NotFound, FailedPrecondition, Internal); updated transformPATToPB to populate RoleIds and ProjectIds fields; added handler test suite covering authentication, permissions, and field transformation. |
| Authorization: pkg/server/connect_interceptors/authorization.go | Added GetCurrentUserPAT to authorizationSkipEndpoints map to bypass authorization checks. |
| Generated Code: proto/v1beta1/frontier.pb.validate.go, proto/v1beta1/frontierv1beta1connect/frontier.connect.go | Added validation methods (Validate and ValidateAll) for protobuf messages with error types and multi-error aggregation; wired ListCurrentUserPATs and GetCurrentUserPAT RPC procedures with client and handler implementations in Connect framework. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

Possibly related PRs

Suggested reviewers

  • rohilsurana
  • rsbh

@coveralls

Pull Request Test Coverage Report for Build 23059772056

Details

  • 71 of 77 (92.21%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.1%) to 40.855%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| internal/api/v1beta1connect/user_pat.go | 36 | 38 | 94.74% |
| core/userpat/service.go | 35 | 39 | 89.74% |

| Totals | Coverage Status |
|---|---|
| Change from base Build 23039825042: | 0.1% |
| Covered Lines: | 14266 |
| Relevant Lines: | 34919 |

💛 - Coveralls

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
core/userpat/service_test.go (1)

1360-1362: Assert enriched scope fields in the success path.

The success case only verifies PAT ID. Please also assert RoleIDs/ProjectIDs so regressions in scope enrichment are caught.

internal/api/v1beta1connect/user_pat_test.go (1)

394-514: Add a PAT-auth happy-path test case.

Please add a case where principal type is PAT (or non-user) with principal.User populated, and assert success. That locks in the intended auth behavior for this RPC.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4f79baed-8949-4473-b27e-8d742413a559

📥 Commits

Reviewing files that changed from the base of the PR and between 79323c0 and 641988b.

⛔ Files ignored due to path filters (2)
  • proto/v1beta1/frontier.pb.go is excluded by !**/*.pb.go
  • proto/v1beta1/models.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (12)
  • Makefile
  • core/userpat/mocks/policy_service.go
  • core/userpat/models/pat.go
  • core/userpat/service.go
  • core/userpat/service_test.go
  • internal/api/v1beta1connect/interfaces.go
  • internal/api/v1beta1connect/mocks/user_pat_service.go
  • internal/api/v1beta1connect/user_pat.go
  • internal/api/v1beta1connect/user_pat_test.go
  • pkg/server/connect_interceptors/authorization.go
  • proto/v1beta1/frontier.pb.validate.go
  • proto/v1beta1/frontierv1beta1connect/frontier.connect.go

Comment on lines +353 to +355
if !allProjects {
pat.ProjectIDs = projectIDs
}

⚠️ Potential issue | 🟡 Minor

Deduplicate ProjectIDs during scope enrichment.

RoleIDs are deduplicated, but ProjectIDs are not. Multiple project roles over the same project can return duplicate project IDs in the response.

💡 Proposed fix
 	pat.RoleIDs = pkgUtils.Deduplicate(roleIDs)
 	if !allProjects {
-		pat.ProjectIDs = projectIDs
+		pat.ProjectIDs = pkgUtils.Deduplicate(projectIDs)
 	}
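Review bot: In the `if !allProjects` branch, `pat.ProjectIDs` is not assigned at all when `allProjects` is true, so the meaning of an empty `ProjectIDs` in the response is implicit; a short comment at this assignment stating what an unset list signifies would help API consumers read the scope correctly. A test that feeds two role policies for the same project and asserts a single entry in `pat.ProjectIDs` would pin the deduplication added on the `+` line.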
📝 Committable suggestion

Suggested change
if !allProjects {
pat.ProjectIDs = projectIDs
}
pat.RoleIDs = pkgUtils.Deduplicate(roleIDs)
if !allProjects {
pat.ProjectIDs = pkgUtils.Deduplicate(projectIDs)
}
