feat: manage / create API keys (#1516)

* fix: admin api UI update * feat: admin api - create dialog UI * feat: admin api - create + list keys * feat: admin api localization (wip) * feat: admin api localization * feat: admin api - toggle state * feat: process API keys + format gql request errors to json
2020-02-22 17:38:06 -05:00
parent f6b048f148
commit f72cf664eb
14 changed files with 712 additions and 120 deletions
--- a/server/app/data.yml
+++ b/server/app/data.yml
@@ -29,6 +29,8 @@ defaults:
      maxFiles: 10
    offline: false
    # DB defaults
+    api:
+      isEnabled: false
    graphEndpoint: 'https://graph.requarks.io'
    lang:
      code: en
--- a/server/core/auth.js
+++ b/server/core/auth.js
@@ -17,6 +17,7 @@ module.exports = {
    cacheExpiration: moment.utc().subtract(1, 'd')
  },
  groups: {},
+  validApiKeys: [],

  /**
   * Initialize the authentication module
@@ -44,6 +45,7 @@ module.exports = {
    })

    this.reloadGroups()
+    this.reloadApiKeys()

    return this
  },
@@ -64,7 +66,8 @@ module.exports = {
        jwtFromRequest: securityHelper.extractJWT,
        secretOrKey: WIKI.config.certs.public,
        audience: WIKI.config.auth.audience,
-        issuer: 'urn:wiki.js'
+        issuer: 'urn:wiki.js',
+        algorithms: ['RS256']
      }, (jwtPayload, cb) => {
        cb(null, jwtPayload)
      }))
@@ -135,6 +138,31 @@ module.exports = {
        return next()
      }

+      // Process API tokens
+      if (_.has(user, 'api')) {
+        if (_.includes(WIKI.auth.validApiKeys, user.api)) {
+          req.user = {
+            id: 1,
+            email: 'api@localhost',
+            name: 'API',
+            pictureUrl: null,
+            timezone: 'America/New_York',
+            localeCode: 'en',
+            permissions: _.get(WIKI.auth.groups, `${user.grp}.permissions`, []),
+            groups: [user.grp],
+            getGlobalPermissions () {
+              return req.user.permissions
+            },
+            getGroups () {
+              return req.user.groups
+            }
+          }
+          return next()
+        } else {
+          return next(new Error('API Key is invalid or was revoked.'))
+        }
+      }
+
      // JWT is valid
      req.logIn(user, { session: false }, (errc) => {
        if (errc) { return next(errc) }
@@ -248,15 +276,23 @@ module.exports = {
  /**
   * Reload Groups from DB
   */
-  async reloadGroups() {
+  async reloadGroups () {
    const groupsArray = await WIKI.models.groups.query()
    this.groups = _.keyBy(groupsArray, 'id')
  },

+  /**
+   * Reload valid API Keys from DB
+   */
+  async reloadApiKeys () {
+    const keys = await WIKI.models.apiKeys.query().select('id').where('isRevoked', false).andWhere('expiration', '>', moment.utc().toISOString())
+    this.validApiKeys = _.map(keys, 'id')
+  },
+
  /**
   * Generate New Authentication Public / Private Key Certificates
   */
-  async regenerateCertificates() {
+  async regenerateCertificates () {
    WIKI.logger.info('Regenerating certificates...')

    _.set(WIKI.config, 'sessionSecret', (await crypto.randomBytesAsync(32)).toString('hex'))
--- a/server/db/migrations-sqlite/2.2.3.js
+++ b/server/db/migrations-sqlite/2.2.3.js
@@ -0,0 +1,14 @@
+exports.up = knex => {
+  return knex.schema
+    .createTable('apiKeys', table => {
+      table.increments('id').primary()
+      table.string('name').notNullable()
+      table.text('key').notNullable()
+      table.string('expiration').notNullable()
+      table.boolean('isRevoked').notNullable().defaultTo(false)
+      table.string('createdAt').notNullable()
+      table.string('updatedAt').notNullable()
+    })
+}
+
+exports.down = knex => { }
--- a/server/db/migrations/2.2.3.js
+++ b/server/db/migrations/2.2.3.js
@@ -0,0 +1,20 @@
+/* global WIKI */
+
+exports.up = knex => {
+  const dbCompat = {
+    charset: (WIKI.config.db.type === `mysql` || WIKI.config.db.type === `mariadb`)
+  }
+  return knex.schema
+    .createTable('apiKeys', table => {
+      if (dbCompat.charset) { table.charset('utf8mb4') }
+      table.increments('id').primary()
+      table.string('name').notNullable()
+      table.text('key').notNullable()
+      table.string('expiration').notNullable()
+      table.boolean('isRevoked').notNullable().defaultTo(false)
+      table.string('createdAt').notNullable()
+      table.string('updatedAt').notNullable()
+    })
+}
+
+exports.down = knex => { }
--- a/server/graph/resolvers/authentication.js
+++ b/server/graph/resolvers/authentication.js
@@ -13,6 +13,27 @@ module.exports = {
    async authentication () { return {} }
  },
  AuthenticationQuery: {
+    /**
+     * List of API Keys
+     */
+    async apiKeys (obj, args, context) {
+      const keys = await WIKI.models.apiKeys.query().orderBy(['isRevoked', 'name'])
+      return keys.map(k => ({
+        id: k.id,
+        name: k.name,
+        keyShort: '...' + k.key.substring(k.key.length - 20),
+        isRevoked: k.isRevoked,
+        expiration: k.expiration,
+        createdAt: k.createdAt,
+        updatedAt: k.updatedAt
+      }))
+    },
+    /**
+     * Current API State
+     */
+    apiState () {
+      return WIKI.config.api.isEnabled
+    },
    /**
     * Fetch active authentication strategies
     */
@@ -41,6 +62,19 @@ module.exports = {
    }
  },
  AuthenticationMutation: {
+    /**
+     * Create New API Key
+     */
+    async createApiKey (obj, args, context) {
+      try {
+        return {
+          key: await WIKI.models.apiKeys.createNewKey(args),
+          responseResult: graphHelper.generateSuccess('API Key created successfully')
+        }
+      } catch (err) {
+        return graphHelper.generateError(err)
+      }
+    },
    /**
     * Perform Login
     */
@@ -101,6 +135,36 @@ module.exports = {
        return graphHelper.generateError(err)
      }
    },
+    /**
+     * Set API state
+     */
+    async setApiState (obj, args, context) {
+      try {
+        WIKI.config.api.isEnabled = args.enabled
+        await WIKI.configSvc.saveToDb(['api'])
+        return {
+          responseResult: graphHelper.generateSuccess('API State changed successfully')
+        }
+      } catch (err) {
+        return graphHelper.generateError(err)
+      }
+    },
+    /**
+     * Revoke an API key
+     */
+    async revokeApiKey (obj, args, context) {
+      try {
+        await WIKI.models.apiKeys.query().findById(args.id).patch({
+          isRevoked: true
+        })
+        await WIKI.auth.reloadApiKeys()
+        return {
+          responseResult: graphHelper.generateSuccess('API Key revoked successfully')
+        }
+      } catch (err) {
+        return graphHelper.generateError(err)
+      }
+    },
    /**
     * Update Authentication Strategies
     */
--- a/server/graph/schemas/authentication.graphql
+++ b/server/graph/schemas/authentication.graphql
@@ -15,6 +15,10 @@ extend type Mutation {
 # -----------------------------------------------

 type AuthenticationQuery {
+  apiKeys: [AuthenticationApiKey] @auth(requires: ["manage:system", "manage:api"])
+
+  apiState: Boolean! @auth(requires: ["manage:system", "manage:api"])
+
  strategies(
    isEnabled: Boolean
  ): [AuthenticationStrategy]
@@ -25,6 +29,13 @@ type AuthenticationQuery {
 # -----------------------------------------------

 type AuthenticationMutation {
+  createApiKey(
+    name: String!
+    expiration: String!
+    fullAccess: Boolean!
+    group: Int
+  ): AuthenticationCreateApiKeyResponse @auth(requires: ["manage:system", "manage:api"])
+
  login(
    username: String!
    password: String!
@@ -47,12 +58,21 @@ type AuthenticationMutation {
    name: String!
  ): AuthenticationRegisterResponse

+  revokeApiKey(
+    id: Int!
+  ): DefaultResponse @auth(requires: ["manage:system", "manage:api"])
+
+  setApiState(
+    enabled: Boolean!
+  ): DefaultResponse @auth(requires: ["manage:system", "manage:api"])
+
  updateStrategies(
    strategies: [AuthenticationStrategyInput]!
    config: AuthenticationConfigInput
  ): DefaultResponse @auth(requires: ["manage:system"])

  regenerateCertificates: DefaultResponse @auth(requires: ["manage:system"])
+
  resetGuestUser: DefaultResponse @auth(requires: ["manage:system"])
 }

@@ -105,3 +125,18 @@ input AuthenticationConfigInput {
  tokenExpiration: String!
  tokenRenewal: String!
 }
+
+type AuthenticationApiKey {
+  id: Int!
+  name: String!
+  keyShort: String!
+  expiration: Date!
+  createdAt: Date!
+  updatedAt: Date!
+  isRevoked: Boolean!
+}
+
+type AuthenticationCreateApiKeyResponse {
+  responseResult: ResponseStatus
+  key: String
+}
--- a/server/master.js
+++ b/server/master.js
@@ -167,12 +167,22 @@ module.exports = async () => {
  })

  app.use((err, req, res, next) => {
-    res.status(err.status || 500)
-    _.set(res.locals, 'pageMeta.title', 'Error')
-    res.render('error', {
-      message: err.message,
-      error: WIKI.IS_DEBUG ? err : {}
-    })
+    if (req.path === '/graphql') {
+      res.status(err.status || 500).json({
+        data: {},
+        errors: [{
+          message: err.message,
+          path: []
+        }]
+      })
+    } else {
+      res.status(err.status || 500)
+      _.set(res.locals, 'pageMeta.title', 'Error')
+      res.render('error', {
+        message: err.message,
+        error: WIKI.IS_DEBUG ? err : {}
+      })
+    }
  })

  // ----------------------------------------
--- a/server/models/apiKeys.js
+++ b/server/models/apiKeys.js
@@ -0,0 +1,71 @@
+/* global WIKI */
+
+const Model = require('objection').Model
+const moment = require('moment')
+const ms = require('ms')
+const jwt = require('jsonwebtoken')
+
+/**
+ * Users model
+ */
+module.exports = class ApiKey extends Model {
+  static get tableName() { return 'apiKeys' }
+
+  static get jsonSchema () {
+    return {
+      type: 'object',
+      required: ['name', 'key'],
+
+      properties: {
+        id: {type: 'integer'},
+        name: {type: 'string'},
+        key: {type: 'string'},
+        expiration: {type: 'string'},
+        isRevoked: {type: 'boolean'},
+        createdAt: {type: 'string'},
+        validUntil: {type: 'string'}
+      }
+    }
+  }
+
+  async $beforeUpdate(opt, context) {
+    await super.$beforeUpdate(opt, context)
+
+    this.updatedAt = moment.utc().toISOString()
+  }
+  async $beforeInsert(context) {
+    await super.$beforeInsert(context)
+
+    this.createdAt = moment.utc().toISOString()
+    this.updatedAt = moment.utc().toISOString()
+  }
+
+  static async createNewKey ({ name, expiration, fullAccess, group }) {
+    const entry = await WIKI.models.apiKeys.query().insert({
+      name,
+      key: 'pending',
+      expiration: moment.utc().add(ms(expiration), 'ms').toISOString(),
+      isRevoked: true
+    })
+
+    const key = jwt.sign({
+      api: entry.id,
+      grp: fullAccess ? 1 : group
+    }, {
+      key: WIKI.config.certs.private,
+      passphrase: WIKI.config.sessionSecret
+    }, {
+      algorithm: 'RS256',
+      expiresIn: expiration,
+      audience: WIKI.config.auth.audience,
+      issuer: 'urn:wiki.js'
+    })
+
+    await WIKI.models.apiKeys.query().findById(entry.id).patch({
+      key,
+      isRevoked: false
+    })
+
+    return key
+  }
+}
--- a/server/models/users.js
+++ b/server/models/users.js
@@ -26,7 +26,6 @@ module.exports = class User extends Model {
        name: {type: 'string', minLength: 1, maxLength: 255},
        providerId: {type: 'string'},
        password: {type: 'string'},
-        role: {type: 'string', enum: ['admin', 'guest', 'user']},
        tfaIsActive: {type: 'boolean', default: false},
        tfaSecret: {type: 'string'},
        jobTitle: {type: 'string'},