Can non-admin user issue their own API key?

KengoTODA · December 14, 2020, 9:31am

Hello ,

I’m making a GitHub action posting to the Discourse forum.
I found the post API, however, the document says Discourse users need to create an API Key from the admin panel, even though non-admin users have no admin panel. Here I have several questions:

Is the API key designed even for non-admin users?
- I hope so due to User API key instead of Admin API key?
If so, how non-admin users can create their API key?
If so, to enable the API key for non-admin users, is there any necessary settings?
- The forum’s preferences page has no interface to create an API key. So I guess that there are some settings that let users issue their API keys.

Thanks in advance!

osioke · December 14, 2020, 10:14am

Hello @KengoTODA, welcome here!

User API keys specification will be helpful for what you have described.

KengoTODA · December 14, 2020, 12:35pm

Thank you! I’ve checked the ‘API key generation flow’ part.

I understood that it’s for web applications that can provide auth_redirect URL.
Is there any recommended way for CLI or GitHub Actions?

blake · December 14, 2020, 6:03pm

If this is for a GitHub Action you will probably be better off creating a scoped api key, that only allows the actions you need, but yes you will need to be an admin to create this key.

riking · December 14, 2020, 8:53pm

For CLI programs, if this is necessary, you can launch a local web server and use a http://localhost:XXXXX/callback URL. The app does something similar.

KengoTODA · December 14, 2020, 9:11pm

OK I’ll have a try, thanks for your support!

Falco · December 14, 2020, 9:25pm

You can create an user API following Generating User API Keys for testing

KengoTODA · December 15, 2020, 1:12am

I’m working in this branch, and successfully run the command using localhost as redirect URL. However, after I click the button to authorize, the page https://meta.discourse.org/user-api-key reported a JS error and it could not proceed the operation. The ruby script works but it also fails when I add auth_redirect parameter.

Here is the exception reported in the browser console:

Uncaught TypeError: Cannot set property 'isReadOnly' of undefined
    at Function.createCurrent (_application-42d4413fabab7a4b12e0c25fb01f736af560aa283089071a8493f37c9b042a4a.js:44867)
    at Function.current (_application-42d4413fabab7a4b12e0c25fb01f736af560aa283089071a8493f37c9b042a4a.js:8816)
    at Object.initialize (_application-42d4413fabab7a4b12e0c25fb01f736af560aa283089071a8493f37c9b042a4a.js:70403)
    at Object.i.initialize (_application-42d4413fabab7a4b12e0c25fb01f736af560aa283089071a8493f37c9b042a4a.js:7001)
    at _ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:49660
    at i.each (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:67904)
    at i.walk (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:67891)
    at n.each (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:67858)
    at n.topsort (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:67758)
    at t._runInitializer (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:49667)

I will attach the screenshot from JS code analysis. it seems that the siteAttribtues is expected to be proper value, but it’s undefined. If you have any suggestion to me, please let me know. Thank you!

スクリーンショット 2020-12-15 085706

KengoTODA · December 18, 2020, 10:20am

I’m investigating this issue.

The JS throws an error, because the POST method for /user-api-key returns 403 and build_not_found_page method in the controller does not invoke the preload_anonymous_data method that stores preloaded value.

It’s not sure why the server responded 403 with <h1 class="title">Oops! That page is private.</h1> when I added auth_redirect param. I tried to use the same domain for callback URL (to verify cross-site scripting issue) and HTTPS protocol, but no luck.

riking · December 18, 2020, 11:41pm

You need to add the domain (and path) to the allowed user api auth redirects site setting.

If you’re manually issuing HTTP requests, then discourse://auth_redirect should work.

KengoTODA · December 20, 2020, 11:30am

Thanks, I found the config in the site_settings.yml and understood why my request met 403.

The discourse://auth_redirect does not work as expected to me, so I’ll try to ask users to input the encrypted token manually, just like the ruby code.

KengoTODA · December 20, 2020, 1:39pm

Note for other users: I created a node module which can invoked via npx command. It’ll create an API key with write scope. Hope that it helps set-up process of systems which needs Discourse API token.
https://github.com/KengoTODA/discourse-api-key-generator

JQ331 · July 29, 2021, 11:47am

Edit: Hi @KengoTODA. Your github code was helpful in pointing me in the right direction. Still working out a few things, then I’ll write up a bit of how I got things working.

JQ331 · September 2, 2021, 4:27pm

@KengoTODA 's github code helped me a lot. I now have a working version of authenticating users on a per user basis to make api calls to discourse. I wrote up my steps here: User API keys specification - #45 by JQ331

Topic		Replies	Views
Generating User Api Keys with REST API Dev rest-api	20	8402	April 8, 2018
API key creation Dev rest-api	3	677	March 5, 2023
Access via Discourse API, key and/or user rejected Dev rest-api	2	657	December 1, 2023
Allow API use by regular users, not just admins Dev rest-api	7	1034	April 29, 2023
User API keys specification Developer Guides rest-api , reference	65	31043	June 1, 2024

Can non-admin user issue their own API key?

Related topics