FEATURE: track date api key was last used

Start tracking the date an api key was last used. This has already been
the case for user_api_keys.

This information can provide us with the ability to automatically expire
unused api keys after N days.
This commit is contained in:
Sam Saffron 2019-09-03 18:10:29 +10:00
parent af9b08bed3
commit dc9110cc43
4 changed files with 31 additions and 10 deletions

View File

@ -35,6 +35,7 @@ end
# updated_at :datetime not null
# allowed_ips :inet is an Array
# hidden :boolean default(FALSE), not null
# last_used_at :datetime
#
# Indexes
#

View File

@ -0,0 +1,6 @@
# frozen_string_literal: true
class AddLastUsedAtToApiKey < ActiveRecord::Migration[5.2]
def change
add_column :api_keys, :last_used_at, :datetime
end
end

View File

@ -292,6 +292,7 @@ class Auth::DefaultCurrentUserProvider
return nil
end
user =
if api_key.user
api_key.user if !api_username || (api_key.user.username_lower == api_username.downcase)
elsif api_username
@ -301,6 +302,12 @@ class Auth::DefaultCurrentUserProvider
elsif external_id = header_api_key? ? @env[HEADER_API_USER_EXTERNAL_ID] : request["api_user_external_id"]
SingleSignOnRecord.find_by(external_id: external_id.to_s).try(:user)
end
if user
api_key.update_columns(last_used_at: Time.zone.now)
end
user
end
end

View File

@ -56,11 +56,14 @@ describe Auth::DefaultCurrentUserProvider do
it "raises for a user pretending" do
user = Fabricate(:user)
user2 = Fabricate(:user)
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
key = ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
expect {
provider("/?api_key=hello&api_username=#{user2.username.downcase}").current_user
}.to raise_error(Discourse::InvalidAccess)
key.reload
expect(key.last_used_at).to eq(nil)
end
it "raises for a user with a mismatching ip" do
@ -74,8 +77,10 @@ describe Auth::DefaultCurrentUserProvider do
end
it "allows a user with a matching ip" do
freeze_time
user = Fabricate(:user)
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['100.0.0.0/24'])
key = ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['100.0.0.0/24'])
found_user = provider("/?api_key=hello&api_username=#{user.username.downcase}",
"REMOTE_ADDR" => "100.0.0.22").current_user
@ -86,6 +91,8 @@ describe Auth::DefaultCurrentUserProvider do
"HTTP_X_FORWARDED_FOR" => "10.1.1.1, 100.0.0.22").current_user
expect(found_user.id).to eq(user.id)
key.reload
expect(key.last_used_at).to eq_time(Time.zone.now)
end
it "finds a user for a correct system api key" do