server/src/services/api-key.service.ts

import { BadRequestException, ForbiddenException, Injectable } from '@nestjs/common';
import { ApiKey } from 'src/database';
import { APIKeyCreateDto, APIKeyCreateResponseDto, APIKeyResponseDto, APIKeyUpdateDto } from 'src/dtos/api-key.dto';
import { AuthDto } from 'src/dtos/auth.dto';
import { Permission } from 'src/enum';
import { BaseService } from 'src/services/base.service';
import { isGranted } from 'src/utils/access';

@Injectable()
export class ApiKeyService extends BaseService {
  async create(auth: AuthDto, dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {
    const token = this.cryptoRepository.randomBytesAsText(32);
    const tokenHashed = this.cryptoRepository.hashSha256(token);

    if (auth.apiKey && !isGranted({ requested: dto.permissions, current: auth.apiKey.permissions })) {
      throw new BadRequestException('Cannot grant permissions you do not have');
    }

    const entity = await this.apiKeyRepository.create({
      key: tokenHashed,
      name: dto.name || 'API Key',
      userId: auth.user.id,
      permissions: dto.permissions,
    });

    return { secret: token, apiKey: this.map(entity) };
  }

  async update(auth: AuthDto, id: string, dto: APIKeyUpdateDto): Promise<APIKeyResponseDto> {
    const exists = await this.apiKeyRepository.getById(auth.user.id, id);
    if (!exists) {
      throw new BadRequestException('API Key not found');
    }

    const key = await this.apiKeyRepository.update(auth.user.id, id, { name: dto.name, permissions: dto.permissions });

    return this.map(key);
  }

  async delete(auth: AuthDto, id: string): Promise<void> {
    const exists = await this.apiKeyRepository.getById(auth.user.id, id);
    if (!exists) {
      throw new BadRequestException('API Key not found');
    }

    await this.apiKeyRepository.delete(auth.user.id, id);
  }

  async getMine(auth: AuthDto): Promise<APIKeyResponseDto> {
    if (!auth.apiKey) {
      throw new ForbiddenException('Not authenticated with an API Key');
    }

    const key = await this.apiKeyRepository.getById(auth.user.id, auth.apiKey.id);
    if (!key) {
      throw new BadRequestException('API Key not found');
    }

    return this.map(key);
  }

  async getById(auth: AuthDto, id: string): Promise<APIKeyResponseDto> {
    const key = await this.apiKeyRepository.getById(auth.user.id, id);
    if (!key) {
      throw new BadRequestException('API Key not found');
    }
    return this.map(key);
  }

  async getAll(auth: AuthDto): Promise<APIKeyResponseDto[]> {
    const keys = await this.apiKeyRepository.getByUserId(auth.user.id);
    return keys.map((key) => this.map(key));
  }

  private map(entity: ApiKey): APIKeyResponseDto {
    return {
      id: entity.id,
      name: entity.name,
      createdAt: entity.createdAt,
      updatedAt: entity.updatedAt,
      permissions: entity.permissions as Permission[],
    };
  }
}
feat: get metadata about the current api key (#21027) 2025-08-18 19:15:03 -04:00			`import { BadRequestException, ForbiddenException, Injectable } from '@nestjs/common';`
refactor: database types (#17468) 2025-04-08 12:40:03 -04:00			`import { ApiKey } from 'src/database';`
feat(server): granular permissions for api keys (#11824) feat(server): api auth permissions 2024-08-16 09:48:43 -04:00			`import { APIKeyCreateDto, APIKeyCreateResponseDto, APIKeyResponseDto, APIKeyUpdateDto } from 'src/dtos/api-key.dto';`
chore(server): move dtos (#8131) move dtos 2024-03-20 23:53:07 +01:00			`import { AuthDto } from 'src/dtos/auth.dto';`
refactor: api key repository (#15491) 2025-01-21 11:45:59 -05:00			`import { Permission } from 'src/enum';`
refactor: service dependencies (#13108) refactor(server): simplify service dependency management 2024-10-02 10:54:35 -04:00			`import { BaseService } from 'src/services/base.service';`
feat(server): granular permissions for api keys (#11824) feat(server): api auth permissions 2024-08-16 09:48:43 -04:00			`import { isGranted } from 'src/utils/access';`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00
			`@Injectable()`
refactor: api key spec to use factories (#16776) 2025-03-10 12:04:35 -04:00			`export class ApiKeyService extends BaseService {`
refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00			`async create(auth: AuthDto, dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {`
feat: add session creation endpoint (#18295) 2025-05-15 13:34:33 -05:00			`const token = this.cryptoRepository.randomBytesAsText(32);`
			`const tokenHashed = this.cryptoRepository.hashSha256(token);`
feat(server): granular permissions for api keys (#11824) feat(server): api auth permissions 2024-08-16 09:48:43 -04:00
			`if (auth.apiKey && !isGranted({ requested: dto.permissions, current: auth.apiKey.permissions })) {`
			`throw new BadRequestException('Cannot grant permissions you do not have');`
			`}`

refactor: test utils (#16588) 2025-03-04 11:15:41 -05:00			`const entity = await this.apiKeyRepository.create({`
feat: add session creation endpoint (#18295) 2025-05-15 13:34:33 -05:00			`key: tokenHashed,`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`name: dto.name \|\| 'API Key',`
refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00			`userId: auth.user.id,`
feat(server): granular permissions for api keys (#11824) feat(server): api auth permissions 2024-08-16 09:48:43 -04:00			`permissions: dto.permissions,`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`});`

feat: add session creation endpoint (#18295) 2025-05-15 13:34:33 -05:00			`return { secret: token, apiKey: this.map(entity) };`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`}`

feat(server): granular permissions for api keys (#11824) feat(server): api auth permissions 2024-08-16 09:48:43 -04:00			`async update(auth: AuthDto, id: string, dto: APIKeyUpdateDto): Promise<APIKeyResponseDto> {`
refactor: test utils (#16588) 2025-03-04 11:15:41 -05:00			`const exists = await this.apiKeyRepository.getById(auth.user.id, id);`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`if (!exists) {`
			`throw new BadRequestException('API Key not found');`
			`}`

feat(web): granular api access controls (#18179) * feat: api access control * feat(web): granular api access controls * fix test * fix e2e test * fix: lint * pr feedback * merge main + new design * finalize styling --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-29 02:16:43 +08:00			`const key = await this.apiKeyRepository.update(auth.user.id, id, { name: dto.name, permissions: dto.permissions });`
refactor(server): api key auth (#3054) 2023-06-30 21:49:30 -04:00
			`return this.map(key);`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`}`

refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00			`async delete(auth: AuthDto, id: string): Promise<void> {`
refactor: test utils (#16588) 2025-03-04 11:15:41 -05:00			`const exists = await this.apiKeyRepository.getById(auth.user.id, id);`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`if (!exists) {`
			`throw new BadRequestException('API Key not found');`
			`}`

refactor: test utils (#16588) 2025-03-04 11:15:41 -05:00			`await this.apiKeyRepository.delete(auth.user.id, id);`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`}`

feat: get metadata about the current api key (#21027) 2025-08-18 19:15:03 -04:00			`async getMine(auth: AuthDto): Promise<APIKeyResponseDto> {`
			`if (!auth.apiKey) {`
			`throw new ForbiddenException('Not authenticated with an API Key');`
			`}`

			`const key = await this.apiKeyRepository.getById(auth.user.id, auth.apiKey.id);`
			`if (!key) {`
			`throw new BadRequestException('API Key not found');`
			`}`

			`return this.map(key);`
			`}`

refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00			`async getById(auth: AuthDto, id: string): Promise<APIKeyResponseDto> {`
refactor: test utils (#16588) 2025-03-04 11:15:41 -05:00			`const key = await this.apiKeyRepository.getById(auth.user.id, id);`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`if (!key) {`
			`throw new BadRequestException('API Key not found');`
			`}`
refactor(server): api key auth (#3054) 2023-06-30 21:49:30 -04:00			`return this.map(key);`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`}`

refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00			`async getAll(auth: AuthDto): Promise<APIKeyResponseDto[]> {`
refactor: test utils (#16588) 2025-03-04 11:15:41 -05:00			`const keys = await this.apiKeyRepository.getByUserId(auth.user.id);`
refactor(server): api key auth (#3054) 2023-06-30 21:49:30 -04:00			`return keys.map((key) => this.map(key));`
			`}`

refactor: database types (#17468) 2025-04-08 12:40:03 -04:00			`private map(entity: ApiKey): APIKeyResponseDto {`
refactor(server): api key auth (#3054) 2023-06-30 21:49:30 -04:00			`return {`
			`id: entity.id,`
			`name: entity.name,`
			`createdAt: entity.createdAt,`
			`updatedAt: entity.updatedAt,`
refactor: api key repository (#15491) 2025-01-21 11:45:59 -05:00			`permissions: entity.permissions as Permission[],`
refactor(server): api key auth (#3054) 2023-06-30 21:49:30 -04:00			`};`
feat(web,server): api keys (#1244) * feat(server): api keys * chore: open-api * feat(web): api keys * fix: remove keys when deleting a user 2023-01-02 15:22:33 -05:00			`}`
			`}`