Hi
I am trying to generate user API keys. I know I can do it from the admin dashboard, but instead I want to generate them by making REST calls. I am following this post: User API keys specification
I am getting the error “THIS PAGE IS PRIVATE OR DOES NOT EXISTS” when I try to make a GET request to https://unityforum.discoursehosting.net/api_key/generate?redirect_url=www.google.com.pk&client_id=2&access_level=read
Can someone please show me what my URL should look like with the parameters? I am also confused about what exactly client_id is here. Is it the id of the user whose API needs to be created, or is it the username? Also, can I use any URL as redirect_url? For the record, I have added this redirect URL in my admin settings.
1 Like
I am also looking for the same solution; can anyone help with this?
j.jaffeux
(Joffrey Jaffeux)
June 26, 2017, 9:51am
3
Hello,
to generate an api key for a user:
curl -X "POST" "http://localhost:4000/admin/users/1/generate_api_key?api_key=10efbf2c9a84dfb3b6f60ffa117c029bda7fc9fb8f861ccd0dc8e8fbfa86968d&api_username=joffreyjaffeux"
Learn more about it:
3 Likes
djensen47
(Dave Jensen)
November 9, 2017, 6:29am
4
@j.jaffeux That’s not the same “API” that @Umer_Mirza was asking about. I put “API” in quotes because it may not exist?
The User API keys specification RFC talks about the use case of allowing users themselves the ability to request an API key so that a third-party developed app may perform actions on their behalf. You would never want to give a third party your site API key because they would have full access.
I would ask this question in User API keys specification but that topic is closed. Does the API that @sam proposed in that post actually exist or not?
sam
(Sam Saffron)
November 9, 2017, 6:31am
5
Yes, user API keys exist and are consumed by the mobile app; look at the source code of the mobile app for the exact specification for now.
I would love to have this better documented so if you want to take that project on
4 Likes
djensen47
(Dave Jensen)
November 9, 2017, 6:34am
7
Awesome, thanks for the quick response.
Well, maybe I can get something started for documentation. I have to do something on this front anyway so I can post what I come up with here.
2 Likes
j.jaffeux
(Joffrey Jaffeux)
November 9, 2017, 4:25pm
8
This is the endpoint sam is talking about I think:
JavaScript excerpt from the mobile app (truncated):
        application_name: this.deviceName,
        public_key: this.rsaKeys.public,
      };
    }
    return this.serializeParams(params);
  });
}

async requestAuth(url) {
  try {
    const authRequest = await SafariWebAuth.requestAuth(
      url,
      this.customScheme,
      false,
      // third parameter sets prefersEphemeralWebBrowserSession in ASWebAuthenticationSession,
      // when true, it skips iOS dialog prompt but uses incognito mode (i.e. user always has to log in)
    );
    if (authRequest) {
      const urlParams = this.parseURLparameters(authRequest);

Ruby routes excerpt (truncated):
    :constraints => {
      username: RouteFormat.username,
    }
  get "#{root_path}/:username.json" => "users#show",
      :constraints => {
        username: RouteFormat.username,
      },
      :defaults => {
        format: :json,
      }
  get(
    {
      "#{root_path}/:username" => "users#show",
      :constraints => {
        username: RouteFormat.username,
      },
    }.merge(index == 1 ? { as: "user" } : {}),
  )
  put "#{root_path}/:username" => "users#update",
      :constraints => {
        username: RouteFormat.username,

Ruby excerpt, UserApiKeysController (truncated):
# frozen_string_literal: true

class UserApiKeysController < ApplicationController
  layout "no_ember"

  requires_login only: %i[create create_otp revoke undo_revoke]

  skip_before_action :redirect_to_login_if_required,
                     :redirect_to_profile_if_required,
                     only: %i[new otp]
  skip_before_action :check_xhr, :preload_json

  AUTH_API_VERSION = 4
  ALLOWED_PADDING_MODES = %w[pkcs1 oaep].freeze

  def new
    if request.head?
      head :ok, auth_api_version: AUTH_API_VERSION
      return
    end
2 Likes
djensen47
(Dave Jensen)
November 9, 2017, 6:35pm
9
Thanks @j.jaffeux. I was drafting a similar message, but I only had the code from the mobile app. These other code snippets are very useful.
When I tried this API against my own server using Postman, I kept getting a 400 error with no details. My Ruby is a little rusty, but I’ll dig into the code more; if you happen to know why a 400 might happen, that would be helpful.
djensen47
(Dave Jensen)
November 9, 2017, 11:12pm
10
I just tried adding my site to the official Discourse app, and it worked so I must be doing something wrong with regard to using the API in Postman.
Aside: I thought the app only worked for officially hosted Discourse sites.
sajattack
(sajattack)
December 28, 2017, 10:18pm
11
3 Likes
sajattack
(sajattack)
January 12, 2018, 8:17pm
12
Can I get some assistance on this @sam?
Did you want to purchase a hosting contract with us?
sajattack
(sajattack)
January 13, 2018, 3:09am
14
No, but if you can point me in the right direction I’d be happy to document it for others.
sajattack
(sajattack)
April 2, 2018, 1:01am
15
By looking at the URL generated by the discourse android app, I’ve uncovered the fields required for
/user-api-key/new
scopes - these are the permissions of the api key, in the case of the official app, to read notifications and to read session info
client-id - hex string, dunno
nonce - another hex string, used as a cryptographic nonce
auth_redirect - url to redirect to after permission is given
application_name - the name to display to the user of the application using the api
public_key - a public RSA key
Still a few questions:
What are all the valid values for scopes?
Where does the client-id come from?
Are all API responses encrypted with the public key, or what is its purpose?
2 Likes
sajattack
(sajattack)
April 2, 2018, 4:21am
16
So, looking at the source code, client-id is 32 random bytes and nonce is 16 random bytes.
Edit: It’s actually 32 & 16 nybbles, but the code generating it is called randomBytes(32)
sajattack
(sajattack)
April 2, 2018, 11:23pm
18
I’ve written a program that generates URLs of this specification, enough to get me to this screen:
But when I press Authorize I get a 403.
sam
(Sam Saffron)
April 2, 2018, 11:26pm
19
After authorize you will be redirected, so the redirect URL needs to go somewhere where you can handle decrypting the payload it redirects with.
Also there is a site setting that lists where the redirect is allowed to go.
4 Likes
sajattack
(sajattack)
April 3, 2018, 7:29am
20
Ok, got my api key. Is this a different API than the admin one documented at http://docs.discourse.org ?
sajattack
(sajattack)
April 8, 2018, 11:41pm
21
When I try to make a post with the api documented at http://docs.discourse.org using a user api key, it says
You are not permitted to view the requested resource. The API username or key is invalid.
So I think it’s a different API or needs different fields (client_id?) for authentication.