discourse/app/models/api_key.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

102 lines
2.8 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
2013-10-23 03:53:08 +08:00
class ApiKey < ActiveRecord::Base
class KeyAccessError < StandardError; end
has_many :api_key_scopes
2013-10-23 03:53:08 +08:00
belongs_to :user
belongs_to :created_by, class_name: 'User'
2013-10-23 03:53:08 +08:00
scope :active, -> { where("revoked_at IS NULL") }
scope :revoked, -> { where("revoked_at IS NOT NULL") }
scope :with_key, ->(key) {
hashed = self.hash_key(key)
where(key_hash: hashed)
}
2013-10-23 03:53:08 +08:00
after_initialize :generate_key
def generate_key
if !self.key_hash
@key ||= SecureRandom.hex(32) # Not saved to DB
self.truncated_key = key[0..3]
self.key_hash = ApiKey.hash_key(key)
end
end
def key
raise KeyAccessError.new "API key is only accessible immediately after creation" unless key_available?
@key
2013-10-23 03:53:08 +08:00
end
def key_available?
@key.present?
end
def self.last_used_epoch
SiteSetting.api_key_last_used_epoch.presence
2013-10-23 03:53:08 +08:00
end
def self.revoke_unused_keys!
return if SiteSetting.revoke_api_keys_days == 0 # Never expire keys
to_revoke = active.where("GREATEST(last_used_at, created_at, updated_at, :epoch) < :threshold",
epoch: last_used_epoch,
threshold: SiteSetting.revoke_api_keys_days.days.ago
)
to_revoke.find_each do |api_key|
ApiKey.transaction do
api_key.update!(revoked_at: Time.zone.now)
StaffActionLogger.new(Discourse.system_user).log_api_key(
api_key,
UserHistory.actions[:api_key_update],
changes: api_key.saved_changes,
context: I18n.t("staff_action_logs.api_key.automatic_revoked", count: SiteSetting.revoke_api_keys_days))
end
end
end
def self.hash_key(key)
Digest::SHA256.hexdigest key
end
def request_allowed?(env)
return false if allowed_ips.present? && allowed_ips.none? { |ip| ip.include?(Rack::Request.new(env).ip) }
return true if RouteMatcher.new(methods: :get, actions: "session#scopes").match?(env: env)
api_key_scopes.blank? || api_key_scopes.any? { |s| s.permits?(env) }
end
def update_last_used!(now = Time.zone.now)
return if last_used_at && (last_used_at > 1.minute.ago)
# using update_column to avoid the AR transaction
update_column(:last_used_at, now)
end
2013-10-23 03:53:08 +08:00
end
2013-12-05 14:40:35 +08:00
# == Schema Information
#
# Table name: api_keys
#
# id :integer not null, primary key
# user_id :integer
# created_by_id :integer
# created_at :datetime not null
# updated_at :datetime not null
# allowed_ips :inet is an Array
# hidden :boolean default(FALSE), not null
# last_used_at :datetime
2019-11-19 18:20:14 +08:00
# revoked_at :datetime
# description :text
# key_hash :string not null
# truncated_key :string not null
2013-12-05 14:40:35 +08:00
#
# Indexes
#
# index_api_keys_on_key_hash (key_hash)
# index_api_keys_on_user_id (user_id)
2013-12-05 14:40:35 +08:00
#