From 37f35271607fec755e28d4eaafac710deacb6d05 Mon Sep 17 00:00:00 2001
From: DecDuck <declanahofmeyr@gmail.com>
Date: Thu, 29 Jan 2026 20:47:58 +1100
Subject: [PATCH] fix: client webtoken fix

---
 server/api/v1/client/user/webtoken.post.ts | 20 ++--------------
 server/plugins/04.auth-init.ts             | 28 ++++++++++++++++++++++
 2 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/server/api/v1/client/user/webtoken.post.ts b/server/api/v1/client/user/webtoken.post.ts
index 8914f9c..1bed8a0 100644
--- a/server/api/v1/client/user/webtoken.post.ts
+++ b/server/api/v1/client/user/webtoken.post.ts
@@ -1,37 +1,21 @@
 import { APITokenMode } from "~/prisma/client/enums";
 import { DateTime } from "luxon";
-import type { UserACL } from "~/server/internal/acls";
 import { defineClientEventHandler } from "~/server/internal/clients/event-handler";
 import prisma from "~/server/internal/db/database";
+import { CLIENT_WEBTOKEN_ACLS } from "~/server/plugins/04.auth-init";
 
 export default defineClientEventHandler(
   async (h3, { fetchUser, fetchClient, clientId }) => {
     const user = await fetchUser();
     const client = await fetchClient();
 
-    const acls: UserACL = [
-      "read",
-      "store:read",
-      "object:read",
-      "settings:read",
-
-      "collections:read",
-      "collections:new",
-      "collections:add",
-      "collections:remove",
-      "collections:delete",
-
-      "library:add",
-      "library:remove"
-    ];
-
     const token = await prisma.aPIToken.create({
       data: {
         name: `${client.name} Web Access Token ${DateTime.now().toISO()}`,
         clientId,
         userId: user.id,
         mode: APITokenMode.Client,
-        acls,
+        acls: CLIENT_WEBTOKEN_ACLS,
       },
     });
 
diff --git a/server/plugins/04.auth-init.ts b/server/plugins/04.auth-init.ts
index a2f3e5b..b085143 100644
--- a/server/plugins/04.auth-init.ts
+++ b/server/plugins/04.auth-init.ts
@@ -1,5 +1,33 @@
 import authManager from "~/server/internal/auth";
+import prisma from "../internal/db/database";
+import { APITokenMode } from "~/prisma/client/enums";
+import type { UserACL } from "../internal/acls";
+
+export const CLIENT_WEBTOKEN_ACLS: UserACL = [
+  "read",
+  "store:read",
+  "object:read",
+  "settings:read",
+
+  "collections:read",
+  "collections:new",
+  "collections:add",
+  "collections:remove",
+  "collections:delete",
+
+  "library:add",
+  "library:remove",
+];
 
 export default defineNitroPlugin(async () => {
   await authManager.init();
+
+  await prisma.aPIToken.updateMany({
+    where: {
+      mode: APITokenMode.Client,
+    },
+    data: {
+      acls: CLIENT_WEBTOKEN_ACLS,
+    },
+  });
 });