feat: per-user API key for REST API authentication#252
Draft
coopernetes wants to merge 1 commit into
Draft
Conversation
- Add api_key_hash column to proxy_users (V6 migration) - Add setApiKey/revokeApiKey/findByApiKey/hasApiKey to UserStore (JDBC, Mongo, and Composite implementations) - Add UserApiKeyAuthFilter: resolves X-Api-Key header to a DB user via SHA-256 hash, sets full Spring Authentication with actual roles - Register filter before UsernamePasswordAuthenticationFilter so it works with local, LDAP, and OIDC auth providers - Add POST /api/me/api-key and DELETE /api/me/api-key endpoints (key generation gated on ROLE_SELF_CERTIFY; shown once on creation) - Add hasApiKey flag to GET /api/me response - Rename operator-key principal from "api-key" to "operator-api-key" for clearer audit records - Resolve reviewerEmail server-side in PushController: prefer locked (IdP-sourced) email, fall back to any registered email, null for local-auth-no-email and operator key - Frontend: API key section in Profile, visible only to SELF_CERTIFY users; three states: no key, just generated (show once), key active closes #185 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coopernetes
force-pushed
the
feat/api-key-auth
branch
from
cbc9cf4 to
0e98bb8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SELF_CERTIFYcan authenticate REST API calls (e.g. self-certify endpoint) from automated pipelines without a browser sessionX-Api-Keyheader — the same header as the existing operator break-glass key, now resolved per-userproxy_users.api_key_hashWhat this is: REST API credential for automation (self-certify, etc.)
What this is not: git push authentication — pushes continue to use SCM PATs as before
Changes
V6__api_key.sql: adds nullableapi_key_hashcolumn toproxy_usersUserStore/JdbcUserStore/MongoUserStore/CompositeUserStore:setApiKey,revokeApiKey,findByApiKey,hasApiKeyUserApiKeyAuthFilter: SpringOncePerRequestFilterthat resolvesX-Api-Keyto a fullAuthenticationwith the user's actual DB roles; wired after the operatorApiKeyAuthFilterinSecurityConfigProfileController:POST /api/me/api-key(SELF_CERTIFY gated) andDELETE /api/me/api-keyAuthController:hasApiKeyboolean in/api/meresponseProfile.tsx: API key section visible to SELF_CERTIFY users — generate, copy-once display, revokeTest plan
JdbcUserStoreIntegrationTestcases covering set/find/revoke/replace/no-opX-Api-Key: <key>to callPOST /api/push/{id}/authorise— verify it resolves the correct user and rolesX-Api-Keyrequests return 401Closes #185