FEATURE: Add scopes to API keys (#9844)

* Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma
2025-05-22 20:11:11 +08:00 · 2020-07-16 15:51:24 -03:00
parent 766cb24989
commit f13ec11c64
20 changed files with 423 additions and 6 deletions
--- a/app/controllers/admin/api_controller.rb
+++ b/app/controllers/admin/api_controller.rb
@ -18,10 +18,20 @@ class Admin::ApiController < Admin::AdminController
  end

  def show
-    api_key = ApiKey.find_by!(id: params[:id])
+    api_key = ApiKey.includes(:api_key_scopes).find_by!(id: params[:id])
    render_serialized(api_key, ApiKeySerializer, root: 'key')
  end

+  def scopes
+    scopes = ApiKeyScope.scope_mappings.reduce({}) do |memo, (resource, actions)|
+      memo.tap do |m|
+        m[resource] = actions.map { |k, v| { id: "#{resource}:#{k}", name: k, params: v[:params] } }
+      end
+    end
+
+    render json: { scopes: scopes }
+  end
+
  def update
    api_key = ApiKey.find_by!(id: params[:id])
    ApiKey.transaction do
@ -44,6 +54,7 @@ class Admin::ApiController < Admin::AdminController
    api_key = ApiKey.new(update_params)
    ApiKey.transaction do
      api_key.created_by = current_user
+      api_key.api_key_scopes = build_scopes
      if username = params.require(:key).permit(:username)[:username].presence
        api_key.user = User.find_by_username(username)
        raise Discourse::NotFound unless api_key.user
@ -78,6 +89,31 @@ class Admin::ApiController < Admin::AdminController

  private

+  def build_scopes
+    params.require(:key)[:scopes].to_a.map do |scope_params|
+      resource, action = scope_params[:id].split(':')
+
+      mapping = ApiKeyScope.scope_mappings.dig(resource.to_sym, action.to_sym)
+      raise Discourse::InvalidParameters if mapping.nil? # invalid mapping
+
+      ApiKeyScope.new(
+        resource: resource,
+        action: action,
+        allowed_parameters: build_params(scope_params, mapping[:params])
+      )
+    end
+  end
+
+  def build_params(scope_params, params)
+    return if params.nil?
+
+    scope_params.slice(*params).tap do |allowed_params|
+      allowed_params.each do |k, v|
+        v.blank? ? allowed_params.delete(k) : allowed_params[k] = v.split(',')
+      end
+    end
+  end
+
  def update_params
    editable_fields = [:description]
    permitted_params = params.permit(key: [*editable_fields])[:key]