discourse/app/models/api_key.rb

# frozen_string_literal: true

class ApiKey < ActiveRecord::Base
  class KeyAccessError < StandardError
  end

  has_many :api_key_scopes
  belongs_to :user
  belongs_to :created_by, class_name: "User"

  scope :active, -> { where("revoked_at IS NULL") }
  scope :revoked, -> { where("revoked_at IS NOT NULL") }

  scope :with_key,
        ->(key) {
          hashed = self.hash_key(key)
          where(key_hash: hashed)
        }

  after_initialize :generate_key

  def generate_key
    if !self.key_hash
      @key ||= SecureRandom.hex(32) # Not saved to DB
      self.truncated_key = key[0..3]
      self.key_hash = ApiKey.hash_key(key)
    end
  end

  def key
    unless key_available?
      raise KeyAccessError.new "API key is only accessible immediately after creation"
    end
    @key
  end

  def key_available?
    @key.present?
  end

  def self.last_used_epoch
    SiteSetting.api_key_last_used_epoch.presence
  end

  def self.revoke_unused_keys!
    return if SiteSetting.revoke_api_keys_days == 0 # Never expire keys
    to_revoke =
      active.where(
        "GREATEST(last_used_at, created_at, updated_at, :epoch) < :threshold",
        epoch: last_used_epoch,
        threshold: SiteSetting.revoke_api_keys_days.days.ago,
      )

    to_revoke.find_each do |api_key|
      ApiKey.transaction do
        api_key.update!(revoked_at: Time.zone.now)

        StaffActionLogger.new(Discourse.system_user).log_api_key(
          api_key,
          UserHistory.actions[:api_key_update],
          changes: api_key.saved_changes,
          context:
            I18n.t(
              "staff_action_logs.api_key.automatic_revoked",
              count: SiteSetting.revoke_api_keys_days,
            ),
        )
      end
    end
  end

  def self.hash_key(key)
    Digest::SHA256.hexdigest key
  end

  def request_allowed?(env)
    if allowed_ips.present? && allowed_ips.none? { |ip| ip.include?(Rack::Request.new(env).ip) }
      return false
    end
    return true if RouteMatcher.new(methods: :get, actions: "session#scopes").match?(env: env)

    api_key_scopes.blank? || api_key_scopes.any? { |s| s.permits?(env) }
  end

  def update_last_used!(now = Time.zone.now)
    return if last_used_at && (last_used_at > 1.minute.ago)

    # using update_column to avoid the AR transaction
    update_column(:last_used_at, now)
  end
end

# == Schema Information
#
# Table name: api_keys
#
#  id            :integer          not null, primary key
#  user_id       :integer
#  created_by_id :integer
#  created_at    :datetime         not null
#  updated_at    :datetime         not null
#  allowed_ips   :inet             is an Array
#  hidden        :boolean          default(FALSE), not null
#  last_used_at  :datetime
#  revoked_at    :datetime
#  description   :text
#  key_hash      :string           not null
#  truncated_key :string           not null
#
# Indexes
#
#  index_api_keys_on_key_hash  (key_hash)
#  index_api_keys_on_user_id   (user_id)
#
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

Support for per-user API keys 2013-10-22 15:53:08 -04:00			`class ApiKey < ActiveRecord::Base`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`class KeyAccessError < StandardError`
			`end`
FEATURE: Hash API keys in the database (#8438) API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak. This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column. 2019-12-12 06:45:00 -05:00
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00			`has_many :api_key_scopes`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`belongs_to :user`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`belongs_to :created_by, class_name: "User"`
Support for per-user API keys 2013-10-22 15:53:08 -04:00
FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00			`scope :active, -> { where("revoked_at IS NULL") }`
			`scope :revoked, -> { where("revoked_at IS NOT NULL") }`

DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`scope :with_key,`
			`->(key) {`
			`hashed = self.hash_key(key)`
			`where(key_hash: hashed)`
			`}`
Support for per-user API keys 2013-10-22 15:53:08 -04:00
FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00			`after_initialize :generate_key`

			`def generate_key`
FEATURE: Hash API keys in the database (#8438) API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak. This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column. 2019-12-12 06:45:00 -05:00			`if !self.key_hash`
			`@key \|\|= SecureRandom.hex(32) # Not saved to DB`
			`self.truncated_key = key[0..3]`
			`self.key_hash = ApiKey.hash_key(key)`
			`end`
			`end`

			`def key`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`unless key_available?`
			`raise KeyAccessError.new "API key is only accessible immediately after creation"`
			`end`
FEATURE: Hash API keys in the database (#8438) API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak. This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column. 2019-12-12 06:45:00 -05:00			`@key`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`end`

FEATURE: Hash API keys in the database (#8438) API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak. This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column. 2019-12-12 06:45:00 -05:00			`def key_available?`
			`@key.present?`
FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00			`end`

			`def self.last_used_epoch`
			`SiteSetting.api_key_last_used_epoch.presence`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`end`

FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00			`def self.revoke_unused_keys!`
			`return if SiteSetting.revoke_api_keys_days == 0 # Never expire keys`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`to_revoke =`
			`active.where(`
			`"GREATEST(last_used_at, created_at, updated_at, :epoch) < :threshold",`
			`epoch: last_used_epoch,`
			`threshold: SiteSetting.revoke_api_keys_days.days.ago,`
			`)`
FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00
			`to_revoke.find_each do \|api_key\|`
			`ApiKey.transaction do`
			`api_key.update!(revoked_at: Time.zone.now)`

			`StaffActionLogger.new(Discourse.system_user).log_api_key(`
			`api_key,`
			`UserHistory.actions[:api_key_update],`
			`changes: api_key.saved_changes,`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`context:`
			`I18n.t(`
			`"staff_action_logs.api_key.automatic_revoked",`
			`count: SiteSetting.revoke_api_keys_days,`
			`),`
			`)`
FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00			`end`
			`end`
			`end`
FEATURE: Hash API keys in the database (#8438) API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak. This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column. 2019-12-12 06:45:00 -05:00
			`def self.hash_key(key)`
			`Digest::SHA256.hexdigest key`
			`end`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope 2020-10-06 12:20:15 -04:00			`def request_allowed?(env)`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`if allowed_ips.present? && allowed_ips.none? { \|ip\| ip.include?(Rack::Request.new(env).ip) }`
			`return false`
			`end`
Update wordpress scopes and add ``session/scopes`` endpoint (#15366) * Update wordpress scopes && add ``session/scopes`` endpointt * Fix failing spec * Add users#show scope to discourse_connect * Update app/controllers/session_controller.rb Co-authored-by: Roman Rizzi <rizziromanalejandro@gmail.com> Co-authored-by: Roman Rizzi <rizziromanalejandro@gmail.com> 2022-05-02 11:15:32 -04:00			`return true if RouteMatcher.new(methods: :get, actions: "session#scopes").match?(env: env)`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope 2020-10-06 12:20:15 -04:00			`api_key_scopes.blank? \|\| api_key_scopes.any? { \|s\| s.permits?(env) }`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00			`end`
PERF: Throttle updates to API key last_used_at (#16390) Co-authored-by: David Taylor <david@taylorhq.com> 2022-04-06 10:01:52 -04:00
			`def update_last_used!(now = Time.zone.now)`
			`return if last_used_at && (last_used_at > 1.minute.ago)`

			`# using update_column to avoid the AR transaction`
			`update_column(:last_used_at, now)`
			`end`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`end`
annotate models 2013-12-05 01:40:35 -05:00
			`# == Schema Information`
			`#`
			`# Table name: api_keys`
			`#`
			`# id :integer not null, primary key`
			`# user_id :integer`
			`# created_by_id :integer`
FIX: remove nullable dates post upgrade to Rails 4 2014-08-27 01:19:25 -04:00			`# created_at :datetime not null`
			`# updated_at :datetime not null`
add allowed_ips to api_keys update annotations 2014-11-19 22:53:15 -05:00			`# allowed_ips :inet is an Array`
create a new table to maintain csv export log 2014-12-24 04:11:41 -05:00			`# hidden :boolean default(FALSE), not null`
FEATURE: track date api key was last used Start tracking the date an api key was last used. This has already been the case for user_api_keys. This information can provide us with the ability to automatically expire unused api keys after N days. 2019-09-03 04:10:29 -04:00			`# last_used_at :datetime`
DEV: Update annotations 2019-11-19 05:20:14 -05:00			`# revoked_at :datetime`
			`# description :text`
FEATURE: Hash API keys in the database (#8438) API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak. This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column. 2019-12-12 06:45:00 -05:00			`# key_hash :string not null`
			`# truncated_key :string not null`
annotate models 2013-12-05 01:40:35 -05:00			`#`
			`# Indexes`
			`#`
FEATURE: Hash API keys in the database (#8438) API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak. This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column. 2019-12-12 06:45:00 -05:00			`# index_api_keys_on_key_hash (key_hash)`
			`# index_api_keys_on_user_id (user_id)`
annotate models 2013-12-05 01:40:35 -05:00			`#`