General API Keys #124

ro-tex · 2022-02-02T11:59:01Z

PULL REQUEST

Overview

This PR implements the generic version of API keys:

created by the user on their dashboard
do not expire
revocable
valid as an authentication mechanism (via a header or a get parameter)
give full access to all user actions
private

Example for Visual Changes

Checklist

Review and complete the checklist to ensure that the PR is complete before assigned to an approver.

All new methods or updated methods have clear docstrings
Testing added or updated for new methods
Verify if any changes impact the WebPortal Health Checks
Approriate documentation updated
Changelog file created

Issues Closed

…e64url-encoded []byte.

test/api/handlers_test.go

api/apikeys.go

api/handlers.go

peterjan

Great start I think. Is there an API keys spec? I think the current format is quite loose? It doesn't really consider future extensions, like permissions for example. Should we think about stuff like that already? I don't mind it being loosely defined, I'm just asking.

test/api/apikeys_test.go

test/api/handlers_test.go

test/api/apikeys_test.go

database/apikeys.go

api/routes.go

api/apikeys.go

api/routes.go

api/routes_test.go

MSevey

Generally lgtm

ro-tex · 2022-02-04T08:53:02Z

Great start I think. Is there an API keys spec? I think the current format is quite loose? It doesn't really consider future extensions, like permissions for example. Should we think about stuff like that already? I don't mind it being loosely defined, I'm just asking.

This is the spec: https://hackmd.io/tB6WDA73Q7iQGSFTqinVZg

My intention was to get the simple case going first and then build on top of it. We agreed that there won't be any permissions for the moment, as that would expand the scope a lot.

We want to have the so-called "sponsor" api keys which allow anyone to download a skylink with the owner of the api key paying for the traffic. I see those as a separate PR because there will be quite some code around them as well and I don't want this to be a 2000 lines PR. I'd rather iterate over the idea in 2, 3, even 5 PRs.

userLimitsGET returns anonymous limits and logs an error if the given API key is not valid. Endpoints renamed from `/user/apikey` to `/user/apikeys`. testAPIKeysUsage now validates user stats values.

…t the `db` prefix.

api/apikeys.go

api/handlers.go

database/user.go

database/database.go

database/apikeys.go

Change the DELETE endpoint to work by ID.

ChrisSchinnerl

Approved with some f/u comments.

api/routes_test.go

cmd/crdb_transition/main.go

database/apikeys.go

test/api/apikeys_test.go

peterjan

LGTM, but we should def. make sure to F/U with all of the F/U's

Initial API keys implementation. No tests, yet.

8a4fbb2

ro-tex self-assigned this Feb 2, 2022

ro-tex added 4 commits February 3, 2022 12:22

Switch from []byte api keys to string ones, where the string is a bas…

900a723

…e64url-encoded []byte.

Cleanup: unused methods, rename vars to avoid warnings, etc.

5156574

More cleanup.

360110e

Add tests.

cbb161c

ro-tex requested review from peterjan and ChrisSchinnerl February 3, 2022 14:54

ro-tex marked this pull request as ready for review February 3, 2022 14:54

peterjan reviewed Feb 3, 2022

View reviewed changes

test/api/handlers_test.go Outdated Show resolved Hide resolved