FEATURE: Add scopes to API keys (#9844)

* Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma
2025-05-24 03:36:18 +08:00 · 2020-07-16 15:51:24 -03:00
parent 766cb24989
commit f13ec11c64
20 changed files with 423 additions and 6 deletions
--- a/spec/requests/admin/api_controller_spec.rb
+++ b/spec/requests/admin/api_controller_spec.rb
@ -131,6 +131,67 @@ describe Admin::ApiController do
        expect(UserHistory.last.action).to eq(UserHistory.actions[:api_key_create])
        expect(UserHistory.last.subject).to eq(key.truncated_key)
      end
+
+      describe 'Scopes' do
+        it 'creates an scope with allowed parameters' do
+          post "/admin/api/keys.json", params: {
+            key: {
+              description: "master key description",
+              scopes: [{ id: 'topics:write', topic_id: '55' }]
+            }
+          }
+          expect(response.status).to eq(200)
+
+          data = response.parsed_body
+          scope = ApiKeyScope.find_by(api_key_id: data.dig('key', 'id'))
+
+          expect(scope.resource).to eq('topics')
+          expect(scope.action).to eq('write')
+          expect(scope.allowed_parameters['topic_id']).to contain_exactly('55')
+        end
+
+        it 'allows multiple parameters separated by a comma' do
+          post "/admin/api/keys.json", params: {
+            key: {
+              description: "master key description",
+              scopes: [{ id: 'topics:write', topic_id: '55,33' }]
+            }
+          }
+          expect(response.status).to eq(200)
+
+          data = response.parsed_body
+          scope = ApiKeyScope.find_by(api_key_id: data.dig('key', 'id'))
+
+          expect(scope.allowed_parameters['topic_id']).to contain_exactly('55', '33')
+        end
+      end
+
+      it 'ignores invalid parameters' do
+        post "/admin/api/keys.json", params: {
+          key: {
+            description: "master key description",
+            scopes: [{ id: 'topics:write', fake_id: '55' }]
+          }
+        }
+
+        expect(response.status).to eq(200)
+
+        data = response.parsed_body
+        scope = ApiKeyScope.find_by(api_key_id: data.dig('key', 'id'))
+
+        expect(scope.allowed_parameters['fake_id']).to be_nil
+      end
+
+      it 'fails when the scope is invalid' do
+        post "/admin/api/keys.json", params: {
+          key: {
+            description: "master key description",
+            scopes: [{ id: 'something:else' }]
+          }
+        }
+
+        expect(response.status).to eq(400)
+      end
    end

    describe "#revoke and #undo_revoke" do
@ -154,6 +215,16 @@ describe Admin::ApiController do
        expect(UserHistory.last.details).to eq(I18n.t("staff_action_logs.api_key.restored"))
      end
    end
+
+    describe '#scopes' do
+      it 'includes scopes' do
+        get '/admin/api/keys/scopes.json'
+
+        scopes = response.parsed_body['scopes']
+
+        expect(scopes.keys).to contain_exactly('topics')
+      end
+    end
  end

  context "as a moderator" do