Change of the API key resource

[curquiza]

Specificiation

• API management behavior: API Keys - Determinist API Keys + Security changes specifications#148
• Pagination of the keys resources: API Guideline - Return list of API resources under a results array specifications#138 in the text/0085-api-keys.md file (moved Pagination of the /keys ressources #2442)

Changes

Refine keys API

• Update test
• It is possible to create a deterministic key value by specifying an uid field at creation. uid is a uuidv4. If omitted, Meilisearch generates it.
• Error message when uid is invalid
• Error message when uid already exists
• /get of a key only possible specifying the uid (/GET - /keys/:uid).
• Adds a name field to give a human-readable name to ease API key retrieval in a list at the convenience of the user.
• The master key is only dedicated to API keys management, it can't be used for other endpoints. Making Meilisearch more secure by design and thus preventing users from introducing a security vulnerability.
• Updating a key only allows the name and description fields.
• Add keys.get, keys.create, keys.update and keys.delete.
• /get of a key possible specifying the complete key (?) (/GET - /keys/:uid_or_key)
• Replace sha256 by a better hash function sha256 is now wrapped in an HMAC algorithm.
• Manage dump patch for API keys

[curquiza]

Pinging @meilisearch/docs-team and @meilisearch/integration-team
The spec is still in progress regarding some points, I will keep you informed here about any changes. I also encourage everyone following the spec which is the source of truth 😇

[curquiza]

Pinging @meilisearch/cloud-team 😇

[curquiza]

Pinging @mdubus for the mini-dashboard! 😇

[curquiza]

Hello everyone here!
Finally, the master key will NOT be restricted, nothing will change. More info here.

@ManyTheFish I let you update the issue accordingly to this decision 😇

Guillaume wrote:

In the meantime, a suggestion would be to push the guide on securing a Meilisearch instance in the documentation quick-start to let users know more easily that the master key should absolutely not be used on the client-side, and as little as possible.

@meilisearch/docs-team WDYT? We indeed got multiple issues where the users use the master key in front-end. We cannot prevent 100% of the cases, but maybe could we do more?

[curquiza]

Also @meilisearch/integration-team, maybe the README could be changed to not use the master key in the getting started, see here

[brunoocasali]

@curquiza I think we can remove the item The master key is only dedicated to API keys management, it can't be used for other endpoints. Making Meilisearch more secure by design and thus preventing users from introducing a security vulnerability. or just make it The master key is only dedicated to API keys management, it can't be used for other endpoints. Making Meilisearch more secure by design and thus preventing users from introducing a security vulnerability.

in the issue description :)

[curquiza]

Thank you @brunoocasali! I changed this