Discourse/discourse
Discourse/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2026-03-04 01:15:08 +08:00
Code Packages Activity Actions
discourse/app/controllers/user_api_keys_controller.rb
Penar Musaraj e47c03d223
DEV: Do not show auth_redirect note for discourse://auth_redirect (#37212) 
This is an internal protocol used by the Discourse mobile app, and
showing the note with host/port info is not useful in this case.
2026-01-20 09:29:38 -05:00

287 lines
8.2 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
class UserApiKeysController < ApplicationController
layout "no_ember"
requires_login only: %i[create create_otp revoke undo_revoke]
skip_before_action :redirect_to_login_if_required,
:redirect_to_profile_if_required,
only: %i[new otp]
skip_before_action :check_xhr, :preload_json
AUTH_API_VERSION = 4
ALLOWED_PADDING_MODES = %w[pkcs1 oaep].freeze
def new
if request.head?
head :ok, auth_api_version: AUTH_API_VERSION
return
end
require_params
find_client
require_client_params
validate_params
unless current_user
cookies[:destination_url] = request.fullpath
if SiteSetting.enable_discourse_connect?
redirect_to path("/session/sso")
else
redirect_to path("/login")
end
return
end
unless meets_tl?
@no_trust_level = true
return
end
@application_name = params[:application_name] || @client&.application_name
@public_key = params[:public_key] || @client&.public_key
@nonce = params[:nonce]
@client_id = params[:client_id]
@auth_redirect = params[:auth_redirect]
@redirect_uri =
if @auth_redirect.present?
begin
if @auth_redirect == "discourse://auth_redirect"
nil
else
uri = URI.parse(@auth_redirect)
if [80, 443].include?(uri.port)
uri.host
else
uri.host + ":" + uri.port.to_s
end
end
rescue StandardError
nil
end
else
nil
end
@push_url = params[:push_url]
@localized_scopes = params[:scopes].split(",").map { |s| I18n.t("user_api_key.scopes.#{s}") }
@scopes = params[:scopes]
@padding = params[:padding]
rescue Discourse::InvalidAccess
@generic_error = true
end
def create
require_params
find_client
require_client_params
validate_params
validate_auth_redirect
raise Discourse::InvalidAccess unless meets_tl?
scopes = params[:scopes].split(",")
@client = UserApiKeyClient.new(client_id: params[:client_id]) if @client.blank?
@client.application_name = params[:application_name] if params[:application_name].present?
@client.save! if @client.new_record? || @client.changed?
# destroy any old keys the user had with the client
@client.keys.where(user_id: current_user.id).destroy_all
key =
@client.keys.create!(
user_id: current_user.id,
push_url: params[:push_url],
scopes: scopes.map { |name| UserApiKeyScope.new(name: name) },
)
# we keep the payload short so it encrypts easily with public key
# it is often restricted to 128 chars
@payload = {
key: key.key,
nonce: params[:nonce],
push: key.has_push?,
api: AUTH_API_VERSION,
}.to_json
validate_payload_size_for_oaep!(@payload, parsed_public_key)
@payload = Base64.encode64(rsa_encrypt(parsed_public_key, @payload))
if scopes.include?("one_time_password")
# encrypt one_time_password separately to bypass 128 chars encryption limit
otp_payload = one_time_password(parsed_public_key, current_user.username)
end
if params[:auth_redirect]
uri = URI.parse(params[:auth_redirect])
query_attributes = [uri.query, "payload=#{CGI.escape(@payload)}"]
if scopes.include?("one_time_password")
query_attributes << "oneTimePassword=#{CGI.escape(otp_payload)}"
end
uri.query = query_attributes.compact.join("&")
redirect_to(uri.to_s, allow_other_host: true)
else
respond_to do |format|
format.html { render :show }
format.json do
instructions =
I18n.t("user_api_key.instructions", application_name: @client.application_name)
render json: { payload: @payload, instructions: instructions }
end
end
end
end
def otp
require_params_otp
validate_params_otp
unless current_user
cookies[:destination_url] = request.fullpath
if SiteSetting.enable_discourse_connect?
redirect_to path("/session/sso")
else
redirect_to path("/login")
end
return
end
@application_name = params[:application_name]
@public_key = params[:public_key]
@auth_redirect = params[:auth_redirect]
@padding = params[:padding]
end
def create_otp
require_params_otp
validate_params_otp
validate_auth_redirect
raise Discourse::InvalidAccess unless meets_tl?
otp_payload = one_time_password(parsed_public_key, current_user.username)
redirect_path = "#{params[:auth_redirect]}?oneTimePassword=#{CGI.escape(otp_payload)}"
redirect_to(redirect_path, allow_other_host: true)
end
def revoke
current_key = request.env["HTTP_USER_API_KEY"]
revoke_key = find_key if params[:id]
revoke_key ||= UserApiKey.with_key(current_key).first if current_key.present?
raise Discourse::NotFound unless revoke_key
revoke_key.update_columns(revoked_at: Time.zone.now)
render json: success_json
end
def undo_revoke
find_key.update_columns(revoked_at: nil)
render json: success_json
end
def find_key
key = UserApiKey.find(params[:id])
raise Discourse::InvalidAccess unless current_user.admin || key.user_id == current_user.id
key
end
def find_client
@client = UserApiKeyClient.find_by(client_id: params[:client_id])
end
def require_params
%i[nonce scopes client_id].each { |p| params.require(p) }
end
def require_client_params
params.require(:public_key) if @client&.public_key.blank?
params.require(:application_name) if @client&.application_name.blank?
end
def validate_params
requested_scopes = Set.new(params[:scopes].split(","))
raise Discourse::InvalidAccess unless UserApiKey.allowed_scopes.superset?(requested_scopes)
if @client&.scopes.present? && !@client.allowed_scopes.superset?(requested_scopes)
raise Discourse::InvalidAccess
end
parsed_public_key if public_key_str.present?
validate_padding
end
def require_params_otp
%i[public_key auth_redirect application_name].each { |p| params.require(p) }
end
def validate_params_otp
parsed_public_key
validate_padding
end
def validate_padding
return if params[:padding].blank?
return if ALLOWED_PADDING_MODES.include?(params[:padding])
raise Discourse::InvalidParameters.new(:padding)
end
def validate_auth_redirect
return unless params.key?(:auth_redirect)
if UserApiKeyClient.invalid_auth_redirect?(params[:auth_redirect], client: @client)
raise Discourse::InvalidAccess
end
end
def public_key_str
@client&.public_key.presence || params[:public_key]
end
def parsed_public_key
@parsed_public_key ||= OpenSSL::PKey::RSA.new(public_key_str)
end
def meets_tl?
current_user.staff? || current_user.in_any_groups?(SiteSetting.user_api_key_allowed_groups_map)
end
def one_time_password(public_key, username)
unless UserApiKey.allowed_scopes.superset?(Set.new(["one_time_password"]))
raise Discourse::InvalidAccess
end
otp = SecureRandom.hex
Discourse.redis.setex "otp_#{otp}", 10.minutes, username
Base64.encode64(rsa_encrypt(public_key, otp))
end
def rsa_encrypt(public_key, data)
# OAEP padding is recommended for new applications and required for FIPS 140-3 compliance.
# PKCS1 padding is kept as default for backwards compatibility with existing clients.
padding_mode = params[:padding] == "oaep" ? "oaep" : "pkcs1"
public_key.encrypt(data, { "rsa_padding_mode" => padding_mode })
end
def validate_payload_size_for_oaep!(payload, public_key)
return unless params[:padding] == "oaep"
# RSA-OAEP max payload = key_size_bytes - 2*hash_size_bytes - 2
# OpenSSL uses SHA-1 (20 bytes) by default for OAEP
key_size_bytes = public_key.n.num_bytes
max_payload_size = key_size_bytes - 2 * 20 - 2
if payload.bytesize > max_payload_size
raise Discourse::InvalidParameters.new(
"Payload too large for OAEP encryption with this key size. " \
"Maximum: #{max_payload_size} bytes, got: #{payload.bytesize} bytes. " \
"Try using a shorter nonce or a larger RSA key (minimum 2048-bit recommended).",
)
end
end
end
View git blame Copy permalink