discourse/app/controllers/user_api_keys_controller.rb

class UserApiKeysController < ApplicationController

  layout 'no_ember'

  skip_before_filter :redirect_to_login_if_required, only: [:new]
  skip_before_filter :check_xhr, :preload_json
  before_filter :ensure_logged_in, only: [:create, :revoke, :undo_revoke]

  AUTH_API_VERSION ||= 2

  def new

    if request.head?
      head :ok, auth_api_version: AUTH_API_VERSION
      return
    end

    require_params
    validate_params

    unless current_user
      cookies[:destination_url] = request.fullpath

      if SiteSetting.enable_sso?
        redirect_to path('/session/sso')
      else
        redirect_to path('/login')
      end
      return
    end

    unless meets_tl?
      @no_trust_level = true
      return
    end

    @application_name = params[:application_name]
    @public_key = params[:public_key]
    @nonce = params[:nonce]
    @client_id = params[:client_id]
    @auth_redirect = params[:auth_redirect]
    @push_url = params[:push_url]
    @localized_scopes = params[:scopes].split(",").map{|s| I18n.t("user_api_key.scopes.#{s}")}
    @scopes = params[:scopes]

  rescue Discourse::InvalidAccess
    @generic_error = true
  end

  def create

    require_params

    unless SiteSetting.allowed_user_api_auth_redirects
                      .split('|')
                      .any?{|u| params[:auth_redirect] == u}

        raise Discourse::InvalidAccess
    end

    raise Discourse::InvalidAccess unless meets_tl?

    validate_params

    # destroy any old keys we had
    UserApiKey.where(user_id: current_user.id, client_id: params[:client_id]).destroy_all

    key = UserApiKey.create!(
      application_name: params[:application_name],
      client_id: params[:client_id],
      user_id: current_user.id,
      push_url: params[:push_url],
      key: SecureRandom.hex,
      scopes: params[:scopes].split(",")
    )

    # we keep the payload short so it encrypts easily with public key
    # it is often restricted to 128 chars
    payload = {
      key: key.key,
      nonce: params[:nonce],
      push: key.has_push?,
      api: AUTH_API_VERSION
    }.to_json

    public_key = OpenSSL::PKey::RSA.new(params[:public_key])
    payload = Base64.encode64(public_key.public_encrypt(payload))

    redirect_to "#{params[:auth_redirect]}?payload=#{CGI.escape(payload)}"
  end

  def revoke
    revoke_key = find_key if params[:id]

    if current_key = request.env['HTTP_USER_API_KEY']
      request_key = UserApiKey.find_by(key: current_key)
      revoke_key ||= request_key
      if request_key && request_key.id != revoke_key.id && !request_key.scopes.include?("write")
        raise Discourse::InvalidAccess
      end
    end

    raise Discourse::NotFound unless revoke_key

    revoke_key.update_columns(revoked_at: Time.zone.now)

    render json: success_json
  end

  def undo_revoke
    find_key.update_columns(revoked_at: nil)
    render json: success_json
  end

  def find_key
    key = UserApiKey.find(params[:id])
    raise Discourse::InvalidAccess unless current_user.admin || key.user_id = current_user.id
    key
  end

  def require_params
    [
     :public_key,
     :nonce,
     :scopes,
     :client_id,
     :auth_redirect,
     :application_name
    ].each{|p| params.require(p)}
  end

  def validate_params
    requested_scopes = Set.new(params[:scopes].split(","))

    raise Discourse::InvalidAccess unless UserApiKey.allowed_scopes.superset?(requested_scopes)

    # our pk has got to parse
    OpenSSL::PKey::RSA.new(params[:public_key])
  end

  def meets_tl?
    current_user.staff? || current_user.trust_level >= SiteSetting.min_trust_level_for_user_api_key
  end

end
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`class UserApiKeysController < ApplicationController`

FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00			`layout 'no_ember'`

Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`skip_before_filter :redirect_to_login_if_required, only: [:new]`
FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00			`skip_before_filter :check_xhr, :preload_json`
FEATURE: basic UI to view user api keys 2016-08-16 03:06:33 -04:00			`before_filter :ensure_logged_in, only: [:create, :revoke, :undo_revoke]`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`AUTH_API_VERSION \|\|= 2`
FEATURE: support HEAD request to /user-api-key/new This allows us to cleanly sniff to find if it exists 2016-08-16 19:58:19 -04:00
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`def new`
FEATURE: support HEAD request to /user-api-key/new This allows us to cleanly sniff to find if it exists 2016-08-16 19:58:19 -04:00
			`if request.head?`
			`head :ok, auth_api_version: AUTH_API_VERSION`
			`return`
			`end`

FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00			`require_params`
better error handling push notifications imply read access, no need for a special permission 2016-08-23 02:48:00 -04:00			`validate_params`
FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00
			`unless current_user`
			`cookies[:destination_url] = request.fullpath`
FIX: redirects back to origin for SSO and omniauth login 2016-09-15 23:48:50 -04:00
			`if SiteSetting.enable_sso?`
			`redirect_to path('/session/sso')`
			`else`
			`redirect_to path('/login')`
			`end`
FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00			`return`
			`end`

FIX: user api should always be available to staff 2016-09-12 01:42:06 -04:00			`unless meets_tl?`
better error handling push notifications imply read access, no need for a special permission 2016-08-23 02:48:00 -04:00			`@no_trust_level = true`
			`return`
			`end`

FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00			`@application_name = params[:application_name]`
			`@public_key = params[:public_key]`
			`@nonce = params[:nonce]`
			`@client_id = params[:client_id]`
			`@auth_redirect = params[:auth_redirect]`
			`@push_url = params[:push_url]`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`@localized_scopes = params[:scopes].split(",").map{\|s\| I18n.t("user_api_key.scopes.#{s}")}`
			`@scopes = params[:scopes]`
Normalize away a requested push if for some reason we can not push there 2016-08-17 02:44:20 -04:00
better error handling push notifications imply read access, no need for a special permission 2016-08-23 02:48:00 -04:00			`rescue Discourse::InvalidAccess`
			`@generic_error = true`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`end`

			`def create`

FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00			`require_params`

Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`unless SiteSetting.allowed_user_api_auth_redirects`
			`.split('\|')`
			`.any?{\|u\| params[:auth_redirect] == u}`

			`raise Discourse::InvalidAccess`
			`end`

FIX: user api should always be available to staff 2016-09-12 01:42:06 -04:00			`raise Discourse::InvalidAccess unless meets_tl?`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00
FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00			`validate_params`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00
FEATURE: basic UI to view user api keys 2016-08-16 03:06:33 -04:00			`# destroy any old keys we had`
			`UserApiKey.where(user_id: current_user.id, client_id: params[:client_id]).destroy_all`

Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`key = UserApiKey.create!(`
			`application_name: params[:application_name],`
			`client_id: params[:client_id],`
			`user_id: current_user.id,`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`push_url: params[:push_url],`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`key: SecureRandom.hex,`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`scopes: params[:scopes].split(",")`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`)`

			`# we keep the payload short so it encrypts easily with public key`
			`# it is often restricted to 128 chars`
			`payload = {`
			`key: key.key,`
			`nonce: params[:nonce],`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`push: key.has_push?,`
			`api: AUTH_API_VERSION`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`}.to_json`

			`public_key = OpenSSL::PKey::RSA.new(params[:public_key])`
			`payload = Base64.encode64(public_key.public_encrypt(payload))`

			`redirect_to "#{params[:auth_redirect]}?payload=#{CGI.escape(payload)}"`
			`end`

FEATURE: basic UI to view user api keys 2016-08-16 03:06:33 -04:00			`def revoke`
id is optional if already specified in header 2016-09-02 03:08:46 -04:00			`revoke_key = find_key if params[:id]`

FEATURE: allow user api key revocation for read only keys 2016-09-02 02:57:41 -04:00			`if current_key = request.env['HTTP_USER_API_KEY']`
			`request_key = UserApiKey.find_by(key: current_key)`
id is optional if already specified in header 2016-09-02 03:08:46 -04:00			`revoke_key \|\|= request_key`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`if request_key && request_key.id != revoke_key.id && !request_key.scopes.include?("write")`
FEATURE: allow user api key revocation for read only keys 2016-09-02 02:57:41 -04:00			`raise Discourse::InvalidAccess`
			`end`
			`end`

id is optional if already specified in header 2016-09-02 03:08:46 -04:00			`raise Discourse::NotFound unless revoke_key`

FEATURE: allow user api key revocation for read only keys 2016-09-02 02:57:41 -04:00			`revoke_key.update_columns(revoked_at: Time.zone.now)`

FEATURE: basic UI to view user api keys 2016-08-16 03:06:33 -04:00			`render json: success_json`
			`end`

			`def undo_revoke`
			`find_key.update_columns(revoked_at: nil)`
			`render json: success_json`
			`end`

			`def find_key`
			`key = UserApiKey.find(params[:id])`
			`raise Discourse::InvalidAccess unless current_user.admin \|\| key.user_id = current_user.id`
			`key`
			`end`

FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00			`def require_params`
			`[`
			`:public_key,`
			`:nonce,`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`:scopes,`
FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00			`:client_id,`
			`:auth_redirect,`
			`:application_name`
			`].each{\|p\| params.require(p)}`
			`end`

stop eating up push_urls 2016-08-25 23:23:06 -04:00			`def validate_params`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`requested_scopes = Set.new(params[:scopes].split(","))`
FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`raise Discourse::InvalidAccess unless UserApiKey.allowed_scopes.superset?(requested_scopes)`
FEATURE: more user API flow, support key creation 2016-08-16 01:10:32 -04:00
			`# our pk has got to parse`
			`OpenSSL::PKey::RSA.new(params[:public_key])`
			`end`

FIX: user api should always be available to staff 2016-09-12 01:42:06 -04:00			`def meets_tl?`
			`current_user.staff? \|\| current_user.trust_level >= SiteSetting.min_trust_level_for_user_api_key`
			`end`

Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`end`