Users can access their items via API. Authentication via API token. No public access to items.

lib/generic_rest_server/accounts.ex

@@ -281,6 +281,32 @@ defmodule GenericRestServer.Accounts do
     :ok
   end
 
+  ## API
+
+  @doc """
+  Creates a new api token for a user.
+
+  The token returned must be saved somewhere safe.
+  This token cannot be recovered from the database.
+  """
+  def create_user_api_token(user) do
+    {encoded_token, user_token} = UserToken.build_email_token(user, "api-token")
+    Repo.insert!(user_token)
+    encoded_token
+  end
+
+  @doc """
+  Fetches the user by API token.
+  """
+  def fetch_user_by_api_token(token) do
+    with {:ok, query} <- UserToken.verify_api_token_query(token),
+         %User{} = user <- Repo.one(query) do
+      {:ok, user}
+    else
+      _ -> :error
+    end
+  end
+
   ## Token helper
 
   defp update_user_and_delete_all_tokens(changeset) do