feat: Add API key authentication (#1254)

Closes #945
2025-12-21 09:15:51 +03:00 · 2025-11-06 20:56:48 +01:00
parent 5a2564f575
commit b4cbd32bf2
75 changed files with 1501 additions and 94 deletions
--- a/server/api/controllers/access-tokens/delete.js
+++ b/server/api/controllers/access-tokens/delete.js
@@ -28,6 +28,8 @@
 *                   example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ4...
 *       401:
 *         $ref: '#/components/responses/Unauthorized'
+ *     security:
+ *       - bearerAuth: []
 */

 module.exports = {
--- a/server/api/controllers/users/create-api-key.js
+++ b/server/api/controllers/users/create-api-key.js
@@ -0,0 +1,103 @@
+/*!
+ * Copyright (c) 2025 PLANKA Software GmbH
+ * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
+ */
+
+/**
+ * @swagger
+ * /users/{id}/api-key:
+ *   post:
+ *     summary: Create user API key
+ *     description: Generates a user's API key. The full API key is returned only once and cannot be retrieved again.
+ *     tags:
+ *       - Users
+ *     operationId: createUserApiKey
+ *     parameters:
+ *       - name: id
+ *         in: path
+ *         required: true
+ *         description: ID of the user to create API key for
+ *         schema:
+ *           type: string
+ *           example: "1357158568008091264"
+ *     responses:
+ *       200:
+ *         description: API key created successfully
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               required:
+ *                 - item
+ *                 - included
+ *               properties:
+ *                 item:
+ *                   $ref: '#/components/schemas/User'
+ *                 included:
+ *                   type: object
+ *                   required:
+ *                     - apiKey
+ *                   properties:
+ *                     apiKey:
+ *                       type: string
+ *                       description: API key of the user (returned only once)
+ *                       example: D89VszVs_oSS6TdDtYmi0j1LhugOioY40dDVssESO
+ *       400:
+ *         $ref: '#/components/responses/ValidationError'
+ *       401:
+ *         $ref: '#/components/responses/Unauthorized'
+ *       404:
+ *         $ref: '#/components/responses/NotFound'
+ */
+
+const { idInput } = require('../../../utils/inputs');
+
+const Errors = {
+  USER_NOT_FOUND: {
+    userNotFound: 'User not found',
+  },
+};
+
+module.exports = {
+  inputs: {
+    id: {
+      ...idInput,
+      required: true,
+    },
+  },
+
+  exits: {
+    userNotFound: {
+      responseType: 'notFound',
+    },
+  },
+
+  async fn(inputs) {
+    const { currentUser } = this.req;
+
+    let user = await User.qm.getOneById(inputs.id);
+
+    if (!user) {
+      throw Errors.USER_NOT_FOUND;
+    }
+
+    const { key: apiKey, prefix: apiKeyPrefix } = sails.helpers.utils.generateApiKey();
+
+    user = await sails.helpers.users.updateOne.with({
+      record: user,
+      values: {
+        apiKeyPrefix,
+        apiKeyHash: sails.helpers.utils.hash(apiKey),
+      },
+      actorUser: currentUser,
+      request: this.req,
+    });
+
+    return {
+      item: sails.helpers.users.presentOne(user, currentUser),
+      included: {
+        apiKey,
+      },
+    };
+  },
+};
--- a/server/api/controllers/users/update-password.js
+++ b/server/api/controllers/users/update-password.js
@@ -161,7 +161,7 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }

-    if (user.id === currentUser.id) {
+    if (currentSession && user.id === currentUser.id) {
      const { token: accessToken } = sails.helpers.utils.createJwtToken(
        user.id,
        user.passwordChangedAt,
--- a/server/api/controllers/users/update.js
+++ b/server/api/controllers/users/update.js
@@ -59,6 +59,11 @@
 *                 enum: [ar-YE, bg-BG, cs-CZ, da-DK, de-DE, el-GR, en-GB, en-US, es-ES, et-EE, fa-IR, fi-FI, fr-FR, hu-HU, id-ID, it-IT, ja-JP, ko-KR, nl-NL, pl-PL, pt-BR, pt-PT, ro-RO, ru-RU, sk-SK, sr-Cyrl-RS, sr-Latn-RS, sv-SE, tr-TR, uk-UA, uz-UZ, zh-CN, zh-TW]
 *                 description: Preferred language for user interface and notifications
 *                 example: en-US
+ *               apiKey:
+ *                 type: object
+ *                 nullable: true
+ *                 description: API key of the user (only null value to remove API key)
+ *                 example: null
 *               subscribeToOwnCards:
 *                 type: boolean
 *                 description: Whether the user subscribes to their own cards
@@ -167,6 +172,10 @@ module.exports = {
      type: 'string',
      isIn: User.LANGUAGES,
    },
+    apiKey: {
+      type: 'json',
+      custom: _.isNull,
+    },
    subscribeToOwnCards: {
      type: 'boolean',
    },
@@ -220,6 +229,10 @@ module.exports = {
      throw Errors.USER_NOT_FOUND; // Forbidden
    }

+    if (currentUser.role === User.Roles.ADMIN) {
+      availableInputKeys.push('apiKey');
+    }
+
    if (_.difference(Object.keys(inputs), availableInputKeys).length > 0) {
      throw Errors.NOT_ENOUGH_RIGHTS;
    }
@@ -253,6 +266,7 @@ module.exports = {
        'phone',
        'organization',
        'language',
+        'apiKey',
        'subscribeToOwnCards',
        'subscribeToCardWhenCommenting',
        'turnOffRecentCardHighlighting',