discourse/app/models/api_key.rb

# frozen_string_literal: true

class ApiKey < ActiveRecord::Base
  belongs_to :user
  belongs_to :created_by, class_name: 'User'

  scope :active, -> { where("revoked_at IS NULL") }
  scope :revoked, -> { where("revoked_at IS NOT NULL") }

  validates_presence_of :key

  after_initialize :generate_key

  def generate_key
    self.key ||= SecureRandom.hex(32)
  end

  def truncated_key
    self.key[0..3]
  end

  def self.last_used_epoch
    SiteSetting.api_key_last_used_epoch.presence
  end

  def self.revoke_unused_keys!
    return if SiteSetting.revoke_api_keys_days == 0 # Never expire keys
    to_revoke = active.where("GREATEST(last_used_at, created_at, updated_at, :epoch) < :threshold",
                  epoch: last_used_epoch,
                  threshold: SiteSetting.revoke_api_keys_days.days.ago
                )

    to_revoke.find_each do |api_key|
      ApiKey.transaction do
        api_key.update!(revoked_at: Time.zone.now)

        StaffActionLogger.new(Discourse.system_user).log_api_key(
          api_key,
          UserHistory.actions[:api_key_update],
          changes: api_key.saved_changes,
          context: I18n.t("staff_action_logs.api_key.automatic_revoked", count: SiteSetting.revoke_api_keys_days))
      end
    end
  end
end

# == Schema Information
#
# Table name: api_keys
#
#  id            :integer          not null, primary key
#  key           :string(64)       not null
#  user_id       :integer
#  created_by_id :integer
#  created_at    :datetime         not null
#  updated_at    :datetime         not null
#  allowed_ips   :inet             is an Array
#  hidden        :boolean          default(FALSE), not null
#  last_used_at  :datetime
#  revoked_at    :datetime
#  description   :text
#
# Indexes
#
#  index_api_keys_on_key      (key)
#  index_api_keys_on_user_id  (user_id)
#
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

Support for per-user API keys 2013-10-22 15:53:08 -04:00			`class ApiKey < ActiveRecord::Base`
			`belongs_to :user`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 00:06:56 -04:00			`belongs_to :created_by, class_name: 'User'`
Support for per-user API keys 2013-10-22 15:53:08 -04:00
FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00			`scope :active, -> { where("revoked_at IS NULL") }`
			`scope :revoked, -> { where("revoked_at IS NOT NULL") }`

Support for per-user API keys 2013-10-22 15:53:08 -04:00			`validates_presence_of :key`

FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00			`after_initialize :generate_key`

			`def generate_key`
			`self.key \|\|= SecureRandom.hex(32)`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`end`

FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00			`def truncated_key`
			`self.key[0..3]`
			`end`

			`def self.last_used_epoch`
			`SiteSetting.api_key_last_used_epoch.presence`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`end`

FEATURE: Overhaul of admin API key system (#8284) - Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI 2019-11-05 09:10:23 -05:00			`def self.revoke_unused_keys!`
			`return if SiteSetting.revoke_api_keys_days == 0 # Never expire keys`
			`to_revoke = active.where("GREATEST(last_used_at, created_at, updated_at, :epoch) < :threshold",`
			`epoch: last_used_epoch,`
			`threshold: SiteSetting.revoke_api_keys_days.days.ago`
			`)`

			`to_revoke.find_each do \|api_key\|`
			`ApiKey.transaction do`
			`api_key.update!(revoked_at: Time.zone.now)`

			`StaffActionLogger.new(Discourse.system_user).log_api_key(`
			`api_key,`
			`UserHistory.actions[:api_key_update],`
			`changes: api_key.saved_changes,`
			`context: I18n.t("staff_action_logs.api_key.automatic_revoked", count: SiteSetting.revoke_api_keys_days))`
			`end`
			`end`
			`end`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`end`
annotate models 2013-12-05 01:40:35 -05:00
			`# == Schema Information`
			`#`
			`# Table name: api_keys`
			`#`
			`# id :integer not null, primary key`
			`# key :string(64) not null`
			`# user_id :integer`
			`# created_by_id :integer`
FIX: remove nullable dates post upgrade to Rails 4 2014-08-27 01:19:25 -04:00			`# created_at :datetime not null`
			`# updated_at :datetime not null`
add allowed_ips to api_keys update annotations 2014-11-19 22:53:15 -05:00			`# allowed_ips :inet is an Array`
create a new table to maintain csv export log 2014-12-24 04:11:41 -05:00			`# hidden :boolean default(FALSE), not null`
FEATURE: track date api key was last used Start tracking the date an api key was last used. This has already been the case for user_api_keys. This information can provide us with the ability to automatically expire unused api keys after N days. 2019-09-03 04:10:29 -04:00			`# last_used_at :datetime`
DEV: Update annotations 2019-11-19 05:20:14 -05:00			`# revoked_at :datetime`
			`# description :text`
annotate models 2013-12-05 01:40:35 -05:00			`#`
			`# Indexes`
			`#`
			`# index_api_keys_on_key (key)`
DEV: Update annotations 2019-11-19 05:20:14 -05:00			`# index_api_keys_on_user_id (user_id)`
annotate models 2013-12-05 01:40:35 -05:00			`#`