8000 Add permissions for API keys by justinclift · Pull Request #156 · sqlitebrowser/dbhub.io · GitHub
This repository was archived by the owner on Mar 4, 2025. It is now read-only.

Add permissions for API keys #156

Draft
wants to merge 23 commits into
base: master
2ae5b5e
Add initial API function call permission toggles to setting page
justinclift May 31, 2021
f56b156
Initial code to send api permission button toggles to the server
justinclift Jun 1, 2021
d482e34
Save point. Start working out the right PG table structure
justinclift Jun 2, 2021
046e861
Early stage code for saving the permissions in the database
justinclift Jun 5, 2021
0f3a233
Save point. Working function to save API permissions in the database
justinclift Jun 6, 2021
9871e8d
Save point. Initial working code to save api key database change to …
justinclift Jun 6, 2021
6bf5532
Display list of user databases to choose from
justinclift Jun 6, 2021
ca26fb4
Add extra validation of user supplied api keys
justinclift Jun 7, 2021
f06b1c2
Add some further input validation and similar
justinclift Jun 7, 2021
5052d6d
Save point. Adding db and perms to existing API key structures
justinclift Jun 8, 2021
98e8d0e
Save point. Start moving the API key DB and permissions changing to a…
justinclift Jun 10, 2021
2ea5683
Save point. Changed perms from uint to string, added initial api per…
justinclift Jun 11, 2021
a37f257
Save point. Returning a map of api keys instead of a string slice
justinclift Jun 12, 2021
fd821eb
Permission toggles now reflect their saved database values
justinclift Jun 12, 2021
872b542
Select the "All databases" option in the webUI correctly
justinclift Jun 12, 2021
81f9160
Default api keys to all permissions enabled.
justinclift Jun 12, 2021
24f056e
No need for a separate api permissions page yet
justinclift Jun 12, 2021
74bf0b2
Initial concept code adding permission checks to the api end point
justinclift Jun 13, 2021
f9b4a3f
Trivial wording tweak
justinclift Jun 13, 2021
376ebb4
WIP. Fix SQL query for retrieving permission data
justinclift Jun 19, 2021
9df8d5e
WIP. Remove some code duplication, make progress with fetching API ke…
justinclift Jun 19, 2021
d71bb03
WIP. Stub test go file, for fleshing out once we have the Docker bit …
justinclift Jun 24, 2021
a1a8af3
WIP. Some database schema updates.
justinclift Jul 10, 2021
Initial code to send api permission button toggles to the server
This is just the initial browser webUI to backend data sending.
No validation, nor storage of the values, in the backend yet.
justinclift committed Jun 1, 2021
commit f56b156dd3d4d05333b52cd8b2cc84d038f4fe6e
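--- a/webui/main.go
+++ b/webui/main.go
@@ -38,6 +38,93 @@ var (
 store *gsm.MemcacheStore
 )
 
+// apiPermissionsUpdateHandler handles updating API permissions as requested from the User's Settings page
+func apiPermissionsUpdateHandler(w http.ResponseWriter, r *http.Request) {
+// Retrieve session data (if any)
+loggedInUser, validSession, err := checkLogin(r)
+if err != nil {
+http.Error(w, err.Error(), http.StatusInternalServerError)
+return
+}
+
+// Ensure we have a valid logged in user
+if validSession != true {
+w.WriteHeader(http.StatusUnauthorized)
+return
+}
+
+// FIXME: General dev/debug output
+d := fmt.Sprintf("Setting received for user: %v", loggedInUser)
+fmt.Println(d)
+
+// TODO
+// * Validate the input
+// * ksuid.Parse() seems like it'll be useful for API keys
+// * Should this function also receive the change in selected database for the api key? probably yes
+// * Save the new values to a database table
+// * So, figure out an appropriate structure. Maybe:
+// * apikey_id or similar name : maybe bigint?
+// * database_id : whatever we use for database ids
+// * permissions : jsonb structure with name/value pairs for the API permissions
+
+// Retrieve API key
+a := r.PostFormValue("apikey")
+apiKey, err := url.QueryUnescape(a)
+if err != nil {
+w.WriteHeader(http.StatusInternalServerError)
+fmt.Fprint(w, err.Error())
+return
+}
+fmt.Printf("API key: %v\n", apiKey)
+
+// Retrieve permission name
+// TODO: Validation for the permission name could just be a big case statement
+p := r.PostFormValue("perm")
+perm, err := url.QueryUnescape(p)
+if err != nil {
+w.WriteHeader(http.StatusInternalServerError)
+fmt.Fprint(w, err.Error())
+return
+}
+fmt.Printf("Permission name: %v\n", perm)
+
+// Retrieve new permission value
+// TODO: Validation
+v := r.PostFormValue("value")
+value, err := url.QueryUnescape(v)
+if err != nil {
+w.WriteHeader(http.StatusInternalServerError)
+fmt.Fprint(w, err.Error())
+return
+}
+fmt.Printf("New value: %v\n", value)
+
+// TODO: From the docs, it seems like we could use ksuid.Parse() as a reasonable validator for provided api keys.
+// But, we definitely need to test with some wrong values to see what happens (eg empty string, null, words, etc)
+// Whatever we use, we should create a validator function for api keys using it, and apply that to our api end point
+// as well. It doesn't validate them as well as I'd like. :/
+_, err = ksuid.Parse(apiKey)
+if err != nil {
+log.Printf("Validation failed for API key: '%s'- %s", apiKey, err)
+w.WriteHeader(http.StatusBadRequest)
+fmt.Fprint(w, err.Error())
+return
+}
+
+// TODO: Return some kind of success flag to the caller
+//d := com.APIKey{
+// Key: key,
+// DateCreated: creationTime,
+//}
+data, err := json.Marshal(d)
+if err != nil {
+log.Println(err)
+http.Error(w, err.Error(), http.StatusInternalServerError)
+return
+}
+fmt.Fprint(w, string(data))
+}
+
 // apiKeyGenHandler generates a new API key, stores it in the PG database, and returns the details to the caller
 func apiKeyGenHandler(w http.ResponseWriter, r *http.Request) {
 // Retrieve session data (if any)
@@ -3097,6 +3184,7 @@ func main() {
 http.Handle("/vis/", gz.GzipHandler(logReq(visualisePage)))
 http.Handle("/watchers/", gz.GzipHandler(logReq(watchersPage)))
 http.Handle("/x/apikeygen", gz.GzipHandler(logReq(apiKeyGenHandler)))
+http.Handle("/x/apipermupdate", gz.GzipHandler(logReq(apiPermissionsUpdateHandler)))
 http.Handle("/x/branchnames", gz.GzipHandler(logReq(branchNamesHandler)))
 http.Handle("/x/callback", gz.GzipHandler(logReq(auth0CallbackHandler)))
 http.Handle("/x/checkname", gz.GzipHandler(logReq(checkNameHandler)))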
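Review bot: The submitted API key is written in cleartext to stdout by `fmt.Printf("API key: %v\n", apiKey)` in apiPermissionsUpdateHandler and again to the log on the `ksuid.Parse` failure path, so every key a user posts, valid or not, ends up in server output; unlike the first debug print, these lines carry no FIXME marker. I would drop the Printf and log the failure without the secret, e.g. `log.Printf("Validation failed for API key submitted by user %q: %s", loggedInUser, err)`. Separately, `r.PostFormValue` already returns the decoded form value, so the extra `url.QueryUnescape` on `apikey`, `perm` and `value` decodes the input twice, and a malformed escape is answered with `http.StatusInternalServerError` although it is a client error (`http.StatusBadRequest`). Nothing in this hunk checks that the key belongs to `loggedInUser`; that check has to be in place before the handler starts storing permission changes.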