DEV: Add deprecation warning of non-header based API auth
This change adds a message to the admin panel if it detects an API
request that doesn't use the new header-based authentication method.

The message is to warn people to switch to header-based auth and links
to the API documentation topic on meta for more info.
oblakeerickson committed Nov 8, 2019
1 parent 99b0697 commit 2db2003
Showing 3 changed files with 7 additions and 1 deletion.
3 changes: 2 additions & 1 deletion app/models/admin_dashboard_data.rb
Expand Up @@ -84,7 +84,8 @@ def self.reset_problem_checks
@problem_messages = [
'dashboard.bad_favicon_url',
'dashboard.poll_pop3_timeout',
'dashboard.poll_pop3_auth_error'
'dashboard.poll_pop3_auth_error',
'dashboard.deprecated_api_usage'
]

add_problem_check :rails_env_check, :host_names_check, :force_https_check,
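Review bot: The new 'dashboard.deprecated_api_usage' entry only does its job if the identical key string is used in the locale file and in every add_problem_message call; a typo in any one of those places means the dashboard entry will not resolve to this message, so it is worth a grep for the key before merging. The trailing comma added after 'dashboard.poll_pop3_auth_error' matches the existing list style, nothing else to change in this hunk.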
1 change: 1 addition & 0 deletions config/locales/server.en.yml
Expand Up @@ -1338,6 +1338,7 @@ en:
other: "Email polling has generated %{count} errors in the past 24 hours. Look at <a href='%{base_path}/logs' target='_blank'>the logs</a> for more details."
missing_mailgun_api_key: "The server is configured to send emails via Mailgun but you haven't provided an API key used to verify the webhook messages."
bad_favicon_url: "The favicon is failing to load. Check your favicon setting in <a href='%{base_path}/admin/site_settings'>Site Settings</a>."
deprecated_api_usage: "We detected an API request using a deprecated authentication method. Please update it to use <a href='https://meta.discourse.org/t/discourse-api-documentation/22706'>header based auth</a>."
poll_pop3_timeout: "Connection to the POP3 server is timing out. Incoming email could not be retrieved. Please check your <a href='%{base_path}/admin/site_settings/category/email'>POP3 settings</a> and service provider."
poll_pop3_auth_error: "Connection to the POP3 server is failing with an authentication error. Please check your <a href='%{base_path}/admin/site_settings/category/email'>POP3 settings</a>."
force_https_warning: "Your website is using SSL. But `<a href='%{base_path}/admin/site_settings/category/all_results?filter=force_https'>force_https</a>` is not yet enabled in your site settings."
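Review bot: The deprecated_api_usage text says "a deprecated authentication method" without naming it, so an admin reading the dashboard cannot tell what to change; spelling out that the request passed its API key and username as request parameters rather than in headers (the non-header path distinguished by header_api_key? in lookup_api_user) would make the action obvious. The neighbouring messages all build their links from %{base_path} while this one hardcodes the meta.discourse.org topic, which is fine for an external doc link, but since the entry carries no key or username, consider also pointing the admin at the logs so they can identify which integration is still using the old method.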
4 changes: 4 additions & 0 deletions lib/auth/default_current_user_provider.rb
Expand Up @@ -283,6 +283,10 @@ def lookup_user_api_user_and_update_key(user_api_key, client_id)
def lookup_api_user(api_key_value, request)
if api_key = ApiKey.active.where(key: api_key_value).includes(:user).first
api_username = header_api_key? ? @env[HEADER_API_USERNAME] : request[API_USERNAME]
if !header_api_key?
# Notify admins of deprecated auth method
AdminDashboardData.add_problem_message('dashboard.deprecated_api_usage', 1.day)
end

if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { |ip| ip.include?(request.ip) }
Rails.logger.warn("[Unauthorized API Access] username: #{api_username}, IP address: #{request.ip}")
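Review bot: The add_problem_message call runs on every successfully keyed non-header API request, so a busy integration that still uses the old method will re-write the same dashboard entry on each call from inside the authentication path; guarding it (skip the write when the message is already set, or rate-limit it per key) keeps that cost off the hot path. More importantly, the dashboard warning gives the admin nothing to act on: api_username is already in scope here, so a Rails.logger.warn next to the existing "[Unauthorized API Access]" line, logging the username and never the key value, would let them find and migrate the right client. Note also that the check sits above the allowed_ips block, so a request that is then rejected for its source IP still raises the deprecation notice; if only traffic that actually succeeded should be flagged, move it below that check.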

1 comment on commit 2db2003

@discoursereviewbot