Hi
I am trying to generate user API keys. I know I can do it from the admin dashboard, but instead of that I want to generate them by making REST calls. I am following this post: User API keys specification
I am getting the error “THIS PAGE IS PRIVATE OR DOES NOT EXISTS” when I try to make a GET request to https://unityforum.discoursehosting.net/api_key/generate?redirect_url=www.google.com.pk&client_id=2&access_level=read
Can someone please show me what my URL should look like with the parameters? I am also confused about what exactly client_id is here. Is it the ID of the user whose API key needs to be created, or is it the username? Also, can I use any URL as redirect_url? For the record, I have added this redirect URL in my admin settings.
I am also looking for the same solution; can anyone help with this?
j.jaffeux
(Joffrey Jaffeux)
June 26, 2017, 9:51 AM
3
Hello,
To generate an API key for a user:

```shell
curl -X "POST" "http://localhost:4000/admin/users/1/generate_api_key?api_key=10efbf2c9a84dfb3b6f60ffa117c029bda7fc9fb8f861ccd0dc8e8fbfa86968d&api_username=joffreyjaffeux"
```
Learn more about it:
djensen47
(Dave Jensen)
November 9, 2017, 6:29 AM
4
@j.jaffeux That’s not the same “API” that @Umer_Mirza was asking about. I put “API” in quotes because it may not exist?
The User API keys specification RFC talks about the use case of allowing users themselves the ability to request an API key so that a third-party-developed app may perform actions on their behalf. You would never want to give a third party your site API key because they would have full access.
I would ask this question in User API keys specification, but that topic is closed. Does the API that @sam proposed in that post actually exist or not?
sam
(Sam Saffron)
November 9, 2017, 6:31 AM
5
Yes, user API keys exist and are consumed by the mobile app; look at the source code of the mobile app for the exact specification for now.
I would love to have this better documented, so if you want to take that project on
djensen47
(Dave Jensen)
November 9, 2017, 6:34 AM
7
Awesome, thanks for the quick response.
Well, maybe I can get something started for documentation. I have to do something on this front anyway so I can post what I come up with here.
j.jaffeux
(Joffrey Jaffeux)
November 9, 2017, 4:25 PM
8
This is the endpoint sam is talking about, I think:

Mobile app excerpt (JavaScript; the excerpt starts mid-function):

```javascript
        application_name: this.deviceName,
        public_key: this.rsaKeys.public,
      };
    }
    return this.serializeParams(params);
  });
}

async requestAuth(url) {
  try {
    const authRequest = await SafariWebAuth.requestAuth(
      url,
      this.customScheme,
      false,
      // third parameter sets prefersEphemeralWebBrowserSession in ASWebAuthenticationSession,
      // when true, it skips iOS dialog prompt but uses incognito mode (i.e. user always has to log in)
    );
    if (authRequest) {
      const urlParams = this.parseURLparameters(authRequest);
```

Server route definitions excerpt (Ruby):

```ruby
  :constraints => {
    username: RouteFormat.username,
  }
get "#{root_path}/:username.json" => "users#show",
  :constraints => {
    username: RouteFormat.username,
  },
  :defaults => {
    format: :json,
  }
get(
  {
    "#{root_path}/:username" => "users#show",
    :constraints => {
      username: RouteFormat.username,
    },
  }.merge(index == 1 ? { as: "user" } : {}),
)
put "#{root_path}/:username" => "users#update",
  :constraints => {
    username: RouteFormat.username,
```

UserApiKeysController excerpt (Ruby; the file is truncated in the original excerpt):

```ruby
# frozen_string_literal: true

class UserApiKeysController < ApplicationController
  layout "no_ember"

  requires_login only: %i[create create_otp revoke undo_revoke]

  skip_before_action :redirect_to_login_if_required,
                     :redirect_to_profile_if_required,
                     only: %i[new otp]
  skip_before_action :check_xhr, :preload_json

  AUTH_API_VERSION = 4
  ALLOWED_PADDING_MODES = %w[pkcs1 oaep].freeze

  def new
    if request.head?
      head :ok, auth_api_version: AUTH_API_VERSION
      return
    end
```
djensen47
(Dave Jensen)
November 9, 2017, 6:35 PM
9
Thanks @j.jaffeux. I was drafting a similar message, but I only had the code from the mobile app. These other code snippets are very useful.
When I tried this API against my own server using Postman, I kept getting a 400 error with no details. My Ruby is a little rusty, but I’ll dig into the code more; if you happen to know why a 400 might happen, that would be helpful.
djensen47
(Dave Jensen)
November 9, 2017, 11:12 PM
10
I just tried adding my site to the official Discourse app, and it worked, so I must be doing something wrong with regard to using the API in Postman.
Aside: I thought the app only worked for officially hosted Discourse sites.
sajattack
(sajattack)
December 28, 2017, 10:18 PM
11
sajattack
(sajattack)
January 12, 2018, 8:17 PM
12
Can I get some assistance on this @sam ?
Did you want to purchase a hosting contract with us?
sajattack
(sajattack)
January 13, 2018, 3:09 AM
14
No, but if you can point me in the right direction I’d be happy to document it for others.
sajattack
(sajattack)
April 2, 2018, 1:01 AM
15
By looking at the URL generated by the Discourse Android app, I’ve uncovered the fields required for /user-api-key/new:
- scopes - these are the permissions of the API key; in the case of the official app, to read notifications and to read session info
- client-id - hex string, dunno
- nonce - another hex string, used as a cryptographic nonce
- auth_redirect - URL to redirect to after permission is given
- application_name - the name to display to the user of the application using the API
- public_key - a public RSA key
Still a few questions:
- What are all the valid values for scopes?
- Where does the client-id come from?
- Are all API responses encrypted with the public key, or what is its purpose?
sajattack
(sajattack)
April 2, 2018, 4:21 AM
16
So, looking at the source code, client-id is 32 random bytes and nonce is 16 random bytes.
Edit: It’s actually 32 & 16 nybbles, but the code generating it is called randomBytes(32).
sajattack
(sajattack)
April 2, 2018, 11:23 PM
18
I’ve written a program that generates URLs of this specification, enough to get me to this screen:
But when I press Authorize I get a 403.
sam
(Sam Saffron)
April 2, 2018, 11:26 PM
19
After you authorize, you will be redirected, so the redirect URL needs to go somewhere where you can handle decrypting the payload it redirects with.
Also, there is a site setting that lists where the redirect is allowed to go.
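The client side of the flow the thread pieces together (the fields listed for /user-api-key/new, the hex client-id and nonce, and sam's point that the redirect carries an encrypted payload), as an added Ruby example. This is not code from the thread, from the mobile app or from Discourse itself. It assumes the redirect arrives as `auth_redirect?payload=<Base64>`, that the payload is the JSON `{"key": ..., "nonce": ...}` RSA-encrypted (PKCS#1 v1.5) to the public key sent in the request, and uses `notifications,session_info` as the scope names; the server half is a stand-in written here so the decrypt and the nonce check can be exercised offline. The hostnames and the API key value are constructed.

```ruby
# Added example (not the thread's or Discourse's code). Client side of the
# user-API-key flow: build the /user-api-key/new URL, then decrypt the payload
# the site redirects back with and check it is bound to our nonce.
require "openssl"
require "securerandom"
require "json"
require "base64"
require "uri"

class UserApiKeyClient
  attr_reader :client_id, :nonce, :rsa

  def initialize(site_url, application_name, auth_redirect, scopes)
    @site_url = site_url
    @application_name = application_name
    @auth_redirect = auth_redirect
    @scopes = scopes
    # Per the thread: client-id is 32 hex characters, nonce 16 (assumed lengths).
    @client_id = SecureRandom.hex(16)
    @nonce = SecureRandom.hex(8)
    # Fresh RSA key pair for this client; only the public half leaves the device.
    @rsa = OpenSSL::PKey::RSA.new(2048)
  end

  # URL the user is sent to so they can authorise the application.
  def authorization_url
    params = {
      "application_name" => @application_name,
      "client_id" => @client_id,
      "scopes" => @scopes.join(","),        # scope names assumed
      "public_key" => @rsa.public_key.to_pem,
      "nonce" => @nonce,
      "auth_redirect" => @auth_redirect,
    }
    "#{@site_url}/user-api-key/new?#{URI.encode_www_form(params)}"
  end

  # Handle the redirect back to auth_redirect. Returns the API key, or raises
  # when there is no payload, it does not decrypt under our private key, or the
  # nonce inside does not match the one we sent (replay / wrong request).
  def handle_redirect(redirect_url)
    query = URI.parse(redirect_url).query.to_s
    payload = URI.decode_www_form(query).to_h["payload"]
    raise "redirect carries no payload" if payload.nil?
    plaintext = @rsa.private_decrypt(Base64.strict_decode64(payload)) # PKCS#1 v1.5
    data = JSON.parse(plaintext)
    raise "nonce mismatch" unless data["nonce"] == @nonce
    data["key"]
  end
end

# Stand-in for the site (constructed for the simulation, not Discourse code):
# encrypt a key plus the client's nonce to the public key from the request and
# redirect to auth_redirect with the Base64 payload.
def simulate_server_redirect(authorization_url, api_key)
  req = URI.decode_www_form(URI.parse(authorization_url).query).to_h
  pub = OpenSSL::PKey::RSA.new(req["public_key"])
  body = JSON.generate("key" => api_key, "nonce" => req["nonce"])
  payload = Base64.strict_encode64(pub.public_encrypt(body))
  "#{req["auth_redirect"]}?#{URI.encode_www_form("payload" => payload)}"
end

# Full round trip on constructed values; returns the key the client recovered.
def run_flow(api_key = "constructed-example-key")
  client = UserApiKeyClient.new("https://forum.example.test", "Example Client",
                                "https://app.example.test/callback",
                                %w[notifications session_info])
  redirect = simulate_server_redirect(client.authorization_url, api_key)
  client.handle_redirect(redirect)
end

puts run_flow if __FILE__ == $PROGRAM_NAME
```

The nonce check is what ties a redirect to the request that generated it: a payload encrypted to the right key but carrying a different nonce is refused, and a payload encrypted to some other client's key fails to decrypt at all. The `auth_redirect` value still has to be one the site setting sam mentions allows.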
sajattack
(sajattack)
April 3, 2018, 7:29 AM
20
OK, got my API key. Is this a different API than the admin one documented at http://docs.discourse.org ?
sajattack
(sajattack)
April 8, 2018, 11:41 PM
21
When I try to make a post with the API documented at http://docs.discourse.org using a user API key, it says:
You are not permitted to view the requested resource. The API username or key is invalid.
So I think it’s a different API, or it needs different fields (client_id?) for authentication.