Can users create their own API Key?

(Peter N Lewis) #1

Can ordinary users create their own API key? Or even see their API key?

I just created a dummy unprivileged user and I don’t see any way to generate or see the API key, but perhaps I am missing something.

(Kane York) #2

Nope, only admins are able to do that.

Unsanctioned bots must use cookie-based authentication, if that’s what you’re curious about. Just one more thing for the malicious actors to worry about ;); and it’s a small requirement for the legit bots (on top of respecting rate-limiting, the message bus protocol, basic robot etiquette, etc…)

Oooh, now there’s an idea… “you must be on the message bus to submit a post”

(Peter N Lewis) #3

Ahh. That’s a nuisance.

My usage case is I want to be able to post from my Mac application (well, actually only upload files in preparation for a post, the post I’ll do by sending the user to the web site with a pre-filled form).

I can’t include an API key within the application (crackers could get hold of it that way). But I also don’t want to require my users to create an API key (and now it turns out they can’t anyway!). So in order to ensure security, I am writing my own mini server for my app to talk to. The application will need some way to authenticate so I am putting the password/key in a logged-in-user-visible topic on the forum. That’s fine as far as it goes, but it’s possible that wont be secure enough, so I wanted to allow the users to use their forum key,

But that was on the assumption that the users could create a forum key, its pointless if the users can’t create their own key.

If the forum has no support for that, then I might as well just generate random keys myself and manually hand them out to users, which is a royal pain and not very practical.

Hmm. Bother. Oh well.

(Kane York) #4

Just use your language’s “cookie jar” support and show a webview to sign in.

(Robin Ward) #5

Is there a good reason we don’t allow users to generate their own API keys?

I suspect there is not, except that we don’t have an interface set up to do so.

(Michael Downey) #6

Yes, admins (only) can create per-user API keys. (But users can’t.)

Now, of course, it would still be nice to allow for multiple generic API keys…

(Kane York) #7

Currently, requests with an API key are not subject to rate-limiting, so that will need to be removed first.

(Robin Ward) #8

Well that is not good! It should only do that with an admin key. So this does complicate it quite a bit.

(Peter N Lewis) #9

It seems like that would be on the “to fix” list regardless, since otherwise handing out API keys to users (even if done by the admin) would be hazardous.

OK, well, for the moment I have an alternate solution which should be sufficient to ward off the bad guys for the time being, but it would be nice to have the option of the user creating their own API Key and validating that at some point. Preferably before the bad guys catch up with what I’m doing anyway.

(Dean Taylor) #10

This isn’t 100% true, with the default standalone.yml Discourse Docker install this includes templates/web.ratelimited.template.yml which rate limits all requests.