Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AY-7219 API keys for non-service users #450

Open
martastain opened this issue Dec 2, 2024 · 0 comments · May be fixed by #472
Open

AY-7219 API keys for non-service users #450

martastain opened this issue Dec 2, 2024 · 0 comments · May be fixed by #472
Assignees
@martastain
Labels
sponsored This is directly sponsored by a client or community member

Comments

@martastain
Copy link
Member

Currently only service users can use API keys. This is a limitation since service users are not subject to ACL checks.
Allowing normal users to use API keys would allow 3rd party services to access the API with ACL checks (limiting the access to the data).

Premises

  • Every user can have one or more API keys
  • API key can be created by the user
  • API key can be revoked at any time (no JWT :-()
  • Expiration date can be set for each API key
  • Monitor "last used" timestamp for each API key
  • Once saved, the API key is hashed and cannot be retrieved

Implementation

Add apiKeys: dict[identifier, definition] to the user data.

  • identifier is a unique string that is used for tracking

  • definition is a dictionary with the following keys:

    • key: the actual API key (hashed)
    • preview: beginning****end of the key
    • createdAt: timestamp when the key was created
    • expiresAt: timestamp when the key expires
    • lastUsedAt: timestamp when the key was last used
    • description: a short description of the key

Having an identifier allows the user to revoke the key by its identifier. The key itself is hashed to prevent accidental exposure.

The same mechanism (creating a temporary access token when the API key is used) as for service users can be used for normal users.
Keys are nested quite deep in the user data, so validation could be slightly trickier.

Eventually we could deprecate the current data.apiKey and data.apiKeyPreview fields.
@martastain martastain added type: feature Adding something new and exciting to the product and removed type: feature Adding something new and exciting to the product labels Dec 2, 2024
@antirotor antirotor added the sponsored This is directly sponsored by a client or community member label Dec 2, 2024
@martastain martastain self-assigned this Dec 3, 2024
@antirotor antirotor mentioned this issue Dec 6, 2024
Open
@martastain martastain changed the title Auth: API keys for non-service users AY-7219 API keys for non-service users Dec 19, 2024
@martastain martastain linked a pull request Dec 19, 2024 that will close this issue
Auth: API keys for users #472
Draft
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@martastain martastain

Labels
sponsored This is directly sponsored by a client or community member
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Auth: API keys for users ynput/ayon-backend
2 participants
@martastain @antirotor