feat(api): manage keys without ids

dzervas · dzervas · commit d8c147a8e374 · 2025-08-27T11:47:41.000+01:00
diff --git a/hurl/api_key.hurl b/hurl/api_key.hurl
@@ -38,11 +38,11 @@ X-Api-Key: {{created_key}}
 HTTP 200
 
 # Rotate key
-POST http://localhost:8080/api_key/{{created_key}}/rotate
+POST http://localhost:8080/api_key/rotate
 [Cookies]
 session_id: {{session}}
 [Form]
-service: example
+key: {{created_key}}
 HTTP 200
 [Captures]
 rotated_key: xpath "//code[@id='api-key']/text()"
@@ -62,9 +62,11 @@ X-Api-Key: {{rotated_key}}
 HTTP 200
 
 # Delete new key
-POST http://localhost:8080/api_key/{{rotated_key}}/delete
+POST http://localhost:8080/api_key/delete
 [Cookies]
 session_id: {{session}}
+[Form]
+key: {{rotated_key}}
 HTTP 302
 Location: /
 
diff --git a/src/handle_api_key.rs b/src/handle_api_key.rs
@@ -2,11 +2,11 @@ use std::collections::BTreeMap;
 
 use actix_web::http::header::ContentType;
 use actix_web::{post, web, HttpResponse};
-use chrono::{Duration, Utc};
+use chrono::Duration;
 use serde::Deserialize;
 
 use crate::database::Database;
-use crate::error::{AppErrorKind, Response};
+use crate::error::Response;
 use crate::secret::{ApiKeySecret, BrowserSessionSecret};
 use crate::utils::get_partial;
 
@@ -36,61 +36,40 @@ async fn create(
 	.await?;
 	let mut data = BTreeMap::new();
 	data.insert("key", key.code().to_str_that_i_wont_print().to_string());
-	data.insert("id", key.code().to_str_that_i_wont_print().to_string());
 	let page = get_partial::<()>("api_key", data, None)?;
 	Ok(HttpResponse::Ok()
 		.content_type(ContentType::html())
 		.body(page))
 }
 
 #[derive(Deserialize)]
-struct IdPath {
-	id: String,
+struct KeyForm {
+	key: String,
 }
 
-#[post("/api_key/{id}/delete")]
+#[post("/api_key/delete")]
 async fn delete(
 	browser_session: BrowserSessionSecret,
-	path: web::Path<IdPath>,
+	form: web::Form<KeyForm>,
 	db: web::Data<Database>,
 ) -> Response {
-	let key = ApiKeySecret::try_from_string(path.id.clone(), db.get_ref()).await?;
-	if key.user() != browser_session.user() {
-		return Err(AppErrorKind::Unauthorized.into());
-	}
-	key.delete(db.get_ref()).await?;
+	ApiKeySecret::delete_with_user(form.key.clone(), browser_session.user(), db.get_ref()).await?;
 	Ok(HttpResponse::Found()
 		.append_header(("Location", "/"))
 		.finish())
 }
 
-#[post("/api_key/{id}/rotate")]
+#[post("/api_key/rotate")]
 async fn rotate(
 	browser_session: BrowserSessionSecret,
-	path: web::Path<IdPath>,
-	form: web::Form<CreateForm>,
+	form: web::Form<KeyForm>,
 	db: web::Data<Database>,
 ) -> Response {
-	let old = ApiKeySecret::try_from_string(path.id.clone(), db.get_ref()).await?;
-	if old.user() != browser_session.user() {
-		return Err(AppErrorKind::Unauthorized.into());
-	}
-	let remaining = if old.expires_at() == chrono::NaiveDateTime::MAX {
-		chrono::Duration::seconds(0)
-	} else {
-		old.expires_at() - Utc::now().naive_utc()
-	};
-	let new_key = ApiKeySecret::new_with_expiration(
-		browser_session.user().clone(),
-		form.service.clone(),
-		remaining,
-		db.get_ref(),
-	)
-	.await?;
-	old.delete(db.get_ref()).await?;
+	let new_key =
+		ApiKeySecret::rotate_with_user(form.key.clone(), browser_session.user(), db.get_ref())
+			.await?;
 	let mut data = BTreeMap::new();
 	data.insert("key", new_key.code().to_str_that_i_wont_print().to_string());
-	data.insert("id", new_key.code().to_str_that_i_wont_print().to_string());
 	let page = get_partial::<()>("api_key", data, None)?;
 	Ok(HttpResponse::Ok()
 		.content_type(ContentType::html())
diff --git a/src/handle_index.rs b/src/handle_index.rs
@@ -29,6 +29,10 @@ async fn index(browser_session: BrowserSessionSecret, db: web::Data<Database>) -
 	let mut index_data = BTreeMap::new();
 	index_data.insert("email", browser_session.user().email.clone());
 	let realmed_services = config.services.from_user(&browser_session.user());
+	let auth_email_header = config.auth_url_email_header.clone();
+	let auth_user_header = config.auth_url_user_header.clone();
+	let auth_name_header = config.auth_url_name_header.clone();
+	let auth_realms_header = config.auth_url_realms_header.clone();
 	drop(config);
 
 	let mut services_with_keys = Vec::new();
@@ -45,19 +49,19 @@ async fn index(browser_session: BrowserSessionSecret, db: web::Data<Database>) -
 	// Respond with the index page and set the X-Remote headers as configured
 	Ok(HttpResponse::Ok()
 		.append_header((
-			config.auth_url_email_header.as_str(),
+			auth_email_header.as_str(),
 			browser_session.user().email.clone(),
 		))
 		.append_header((
-			config.auth_url_user_header.as_str(),
+			auth_user_header.as_str(),
 			browser_session.user().username.clone(),
 		))
 		.append_header((
-			config.auth_url_name_header.as_str(),
+			auth_name_header.as_str(),
 			browser_session.user().name.clone(),
 		))
 		.append_header((
-			config.auth_url_realms_header.as_str(),
+			auth_realms_header.as_str(),
 			browser_session.user().realms.join(","),
 		))
 		.content_type(ContentType::html())
diff --git a/src/secret/api_key.rs b/src/secret/api_key.rs
@@ -6,7 +6,7 @@ use crate::error::{AppErrorKind, Result};
 use crate::user::User;
 use crate::{CONFIG, PROXY_ORIGIN_HEADER};
 
-use super::primitive::{InternalUserSecret, UserSecret, UserSecretKind};
+use super::primitive::{UserSecret, UserSecretKind};
 use super::{MetadataKind, SecretString};
 use crate::database::{Database, UserSecretRow};
 
@@ -64,14 +64,20 @@ impl ApiKeySecret {
 				.checked_add_signed(final_duration)
 				.ok_or(AppErrorKind::InvalidDuration)?
 		};
-		let internal = InternalUserSecret {
-			code: SecretString::new(ApiKeySecretKind::PREFIX),
-			user,
+		let code = SecretString::new(ApiKeySecretKind::PREFIX);
+		let metadata = ApiKeyMetadata { service };
+		let user_str = serde_json::to_string(&user)?;
+		let metadata_str = serde_json::to_string(&metadata)?;
+		let row = UserSecretRow {
+			id: code.to_str_that_i_wont_print().to_string(),
+			secret_type: ApiKeySecretKind::PREFIX.to_string(),
+			user_data: user_str,
 			expires_at,
-			metadata: ApiKeyMetadata { service },
+			metadata: metadata_str,
+			created_at: None,
 		};
-		internal.save(db).await?;
-		Ok(Self(internal))
+		row.save(db).await?;
+		ApiKeySecret::try_from_string(row.id, db).await
 	}
 
 	/// List API keys for a user and service.
@@ -91,14 +97,20 @@ impl ApiKeySecret {
 			if meta.service != service {
 				continue;
 			}
-			let display = format!("{}…", &row.id[..row.id.len().min(8)]);
+			let prefix = crate::secret::get_prefix(ApiKeySecretKind::PREFIX);
+			let bare = row.id.strip_prefix(&prefix).unwrap_or(&row.id);
+			let display = if bare.len() <= 8 {
+				bare.to_string()
+			} else {
+				format!("{}…{}", &bare[..4], &bare[bare.len().saturating_sub(4)..],)
+			};
 			let expires_at = if row.expires_at == NaiveDateTime::MAX {
 				None
 			} else {
 				Some(row.expires_at)
 			};
 			keys.push(ApiKeyInfo {
-				id: row.id,
+				key: row.id,
 				display,
 				expires_at,
 			});
@@ -108,14 +120,41 @@ impl ApiKeySecret {
 
 	/// Get the associated service name.
 	pub fn service(&self) -> &str {
-		&self.0.metadata.service
+		&self.metadata().service
+	}
+
+	/// Rotate an API key if it belongs to `user`.
+	pub async fn rotate_with_user(code: String, user: &User, db: &Database) -> Result<Self> {
+		let old = Self::try_from_string(code, db).await?;
+		if old.user() != user {
+			return Err(AppErrorKind::Unauthorized.into());
+		}
+		let remaining = if old.expires_at() == NaiveDateTime::MAX {
+			Duration::seconds(0)
+		} else {
+			old.expires_at() - Utc::now().naive_utc()
+		};
+		let new_key =
+			Self::new_with_expiration(user.clone(), old.service().to_string(), remaining, db)
+				.await?;
+		old.delete(db).await?;
+		Ok(new_key)
+	}
+
+	/// Delete an API key if it belongs to `user`.
+	pub async fn delete_with_user(code: String, user: &User, db: &Database) -> Result<()> {
+		let key = Self::try_from_string(code, db).await?;
+		if key.user() != user {
+			return Err(AppErrorKind::Unauthorized.into());
+		}
+		key.delete(db).await
 	}
 }
 
 /// Public representation of an API key for listing purposes.
 #[derive(Debug, Clone, Serialize)]
 pub struct ApiKeyInfo {
-	pub id: String,
+	pub key: String,
 	pub display: String,
 	pub expires_at: Option<NaiveDateTime>,
 }
@@ -174,25 +213,16 @@ mod tests {
 		let id = key.code().to_str_that_i_wont_print().to_string();
 		let list = ApiKeySecret::list(&user, "example", &db).await.unwrap();
 		assert_eq!(list.len(), 1);
-		let fetched = ApiKeySecret::try_from_string(id.clone(), &db)
+		let rotated = ApiKeySecret::rotate_with_user(id.clone(), &user, &db)
 			.await
 			.unwrap();
-		let new_key = ApiKeySecret::new_with_expiration(
-			user.clone(),
-			"example".to_string(),
-			Duration::try_seconds(60).unwrap(),
+		ApiKeySecret::delete_with_user(
+			rotated.code().to_str_that_i_wont_print().to_string(),
+			&user,
 			&db,
 		)
 		.await
 		.unwrap();
-		fetched.delete(&db).await.unwrap();
-		let new_id = new_key.code().to_str_that_i_wont_print().to_string();
-		let list = ApiKeySecret::list(&user, "example", &db).await.unwrap();
-		assert_eq!(list.len(), 1);
-		let fetched_new = ApiKeySecret::try_from_string(new_id.clone(), &db)
-			.await
-			.unwrap();
-		fetched_new.delete(&db).await.unwrap();
 		let list = ApiKeySecret::list(&user, "example", &db).await.unwrap();
 		assert!(list.is_empty());
 	}
diff --git a/static/templates/index.html.hbs b/static/templates/index.html.hbs
@@ -51,11 +51,12 @@
 {{#each api_keys}}
 <li class="my-2">
 {{this.display}} - {{#if this.expires_at}}{{this.expires_at}}{{else}}never{{/if}}
-<form method="post" action="/api_key/{{this.id}}/rotate" class="inline">
-<input type="hidden" name="service" value="{{../name}}" />
+<form method="post" action="/api_key/rotate" class="inline">
+<input type="hidden" name="key" value="{{this.key}}" />
 <button class="text-sm">Rotate</button>
 </form>
-<form method="post" action="/api_key/{{this.id}}/delete" class="inline">
+<form method="post" action="/api_key/delete" class="inline">
+<input type="hidden" name="key" value="{{this.key}}" />
 <button class="text-sm">Delete</button>
 </form>
 </li>
