Discourse/discourse
Discourse/discourse
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-06-19 06:23:51 +08:00
Code Packages Activity Actions
discourse/app/services/user_api_key/device_auth/deny.rb
Sam 5458a5f150
FEATURE: User API key device authorization flow (#40189) 
Adds an OAuth-style device authorization flow for user API keys so
applications that can't open a browser (CLIs, headless tools, IoT
clients) can request a key by displaying a short user-facing code.

The client POSTs to `/user-api-key/device` to obtain a device code,
a user code, and a verification URL. The user visits the URL,
authenticates, confirms the application and scopes, and either
approves or denies the request. Meanwhile the client polls
`/user-api-key/device/poll` until it receives the encrypted key
payload, a denial, or expiry.

The flow is implemented as a `UserApiKey::DeviceAuth` namespace of
service objects (`CreateRequest`, `Authorize`, `Deny`, `Poll`,
`Store`, `Crypto`, `ApprovalTokenStore`, `GrantPresenter`). Pending
grants live in Redis with a short TTL and are rate limited per IP
and per user code. Encrypted payload generation is shared with the
existing redirect-based flow.

Also adds first-class expiration for user API keys:

- New `expires_at` column on `user_api_keys`.
- New `max_user_api_key_expiry_days` site setting (default 365).
- Clients can request a key lifetime via `expires_in_seconds`, which
  is surfaced to the user on the authorization screen and serialized
  back to the client.
- A `user_api_key` rake task for listing, inspecting, expiring, and
  revoking keys from the console.

---------

Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
2026-06-10 16:09:44 -04:00

82 lines
2.1 KiB
Ruby
Vendored
Raw Permalink Blame History

# frozen_string_literal: true
class UserApiKey::DeviceAuth::Deny
include Service::Base
params do
attribute :device_code, :string
validates :device_code, presence: true
end
options { attribute :request_id, :string }
try Discourse::InvalidParameters, Discourse::InvalidAccess do
step :deny_grant
end
private
def deny_grant(params:, options:)
failure_reason = nil
grant_status = nil
client_id = nil
UserApiKey::DeviceAuth::GrantStore.with_lock!(
params.device_code,
operation: "device_auth.deny",
request_id: options.request_id,
) do
grant = UserApiKey::DeviceAuth::GrantStore.load(params.device_code)
grant_status = grant&.status
client_id = grant&.client_id
failure_reason =
if grant.blank?
"grant_missing"
elsif grant.pending?
grant.deny!
UserApiKey::DeviceAuth::GrantStore.save!(
grant,
ttl: UserApiKey::DeviceAuth::GrantStore.ttl_for_update(params.device_code),
)
UserApiKey::DeviceAuth::CodeRegistry.delete_indexes_for(grant)
grant_status = grant.status
nil
elsif grant.denied?
nil
else
"grant_not_pending"
end
end
if failure_reason.present?
UserApiKey::DeviceAuth.trace(
"device_auth.deny.failed",
request_id: options.request_id,
reason: failure_reason,
status: grant_status,
client_id: client_id,
device_code: params.device_code,
)
fail!(failure_reason)
end
UserApiKey::DeviceAuth.trace(
"device_auth.deny.succeeded",
request_id: options.request_id,
status: grant_status,
client_id: client_id,
device_code: params.device_code,
)
rescue Discourse::InvalidParameters, Discourse::InvalidAccess => exception
UserApiKey::DeviceAuth.trace(
"device_auth.deny.failed",
request_id: options.request_id,
reason: exception.class.name,
exception: exception,
device_code: params.device_code,
)
raise
end
end
View git blame Copy permalink