Thousands of user api requests and invalidation

I just noticed that I’m seeing thousands of user API requests per day starting April this year in the dashboard security reports.

This is very odd and off by a factor of 100 to 1000 from my expectations.

How do I get more detailed reports about how users are requesting keys, and which users are making how many and which API requests? If a key has read/write request access I’m assuming that someone can remotely read and write topics / posts. Could it be a remote site scraping posts?

Also is there a way to globally invalidate/expire all user api keys?

1 Like

Just to confirm, you are asking about User API requests and not API requests that have been run with an API key that you have generated for users on your Discourse site’s Admin / API page. User API requests are highlighted in green in the screenshot below:

Details about what User API Keys are used for are here: User API keys specification.

Unless you have created an app that integrates with your Discourse site, the most likely explanations are either that users are logging into the site via the DiscourseHub App (https://play.google.com/store/apps/details?id=com.discourse&hl=en&gl=US&pli=1) or they are using an app similar to Fig - Native Discourse client for iOS to interact with the site.

This doesn’t answer all of your questions, but you can get a general overview of how the User API keys are being used with the following Data Explorer query:

SELECT * FROM user_api_keys

To get a list of applications that are making User API key requests to your site, and a count of the number of users who are making requests with each application:

SELECT
application_name,
COUNT(application_name) AS user_count
FROM user_api_keys
GROUP BY application_name

User API keys that are being used to connect from the DiscourseHub app will have their application_name set to “Discourse - unknown”.

If a user makes use of a User API key to interact with the site, an Apps entry will be added to the Security tab of their preferences page:

The entry shows the scopes that have been granted to the app. It also allows you to revoke access to the app.

I am not seeing any way of expiring or revoking all User API keys from the Discourse UI. There is only the option to revoke one key at a time from users preferences pages. It would be possible to revoke all User API keys from the Rails console, but it’s probably worth investigating how the keys are being used first.

1 Like

Thanks, yes it’s User API requests

1 Like

That seems like too many requests to be coming from the DiscourseHub app. If you have the Data Explorer installed on your site, I’d be curious about the results of this query:

SELECT
application_name,
COUNT(application_name) AS user_count
FROM user_api_keys
GROUP BY application_name

I tested that query on my own test site, but it only has one user_api_request from the DiscourseHub app. I think I’ve structured the query correctly for dealing with multiple users connecting to Discourse from multiple apps, but let me know if anything in the results seems off.

1 Like

Took some time to get data explorer installed, my rebuild failed for some reason.

This is what I see:

| application_name              | user_count |
|-------------------------------|------------|
| Discourse - xhanse's iPhone X | 1          |
| Discourse - iPhone            | 1          |
| Discourse - xrett's iPhone    | 2          |
| Discourse - xave's iPhone     | 1          |
| Discourse - xixu's iPhone     | 1          |
| Discourse - xevin's GS8       | 1          |

I’ve masked some of the names; this looks like just a few users. Is the query returning information for a specific period of time? Thousands of API requests for a few users look excessive to me. Also one user seems to have 2 user_count, does that mean (s)he has 2 API keys (i.e. 2 apps)?

1 Like

There are two possibilities on that one. Either the user has two iPhones with the same device name OR they uninstalled the app and reinstalled it at some point. In both cases they would have multiple API keys.

1 Like

No, it’s returning details about all active user api keys.

Try running the query below:

SELECT * FROM user_api_keys

I’m assuming it will only return 7 rows. Let me know if that’s not the case.

Not necessarily. When users access the site via the DiscourseHub app, their requests to the site count as User API requests. If a few of the users are actively reading the site, they could generate 2k requests in a day.

Yes that’s correct, I see only 7 items.

Does this mean it’s all kosher? I don’t know the context here, is this a normal load for the forum to handle?

It all seems reasonable to me. For context, I briefly logged into my test site today through the DiscourseHub app. The site has almost no content. I browsed around it for a few minutes and generated 36 User API requests. On a site with lots of content to scroll through, it wouldn’t be unreasonable for a single user to generate a lot of requests over a day.

If you’re still concerned about this, it would be possible to use the Data Explorer plugin to look at user activity for the users whose user_id were returned from this request:

SELECT * FROM user_api_keys

1 Like
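The per-application count query from earlier in the thread, and the follow-up suggestion to look at activity for the user_ids it returns, can both be checked against constructed data. The following is an added example (not code from the thread or from Discourse itself): it builds a small in-memory SQLite copy of a user_api_keys table and a user_visits table and runs three read-only queries against it. Only user_id and application_name are shown in the thread; the revoked_at, last_used_at and client_id columns, the user_visits table and its posts_read column are assumptions about the Discourse schema, and the sample rows are constructed. One practical point the example makes explicit: the thread's alias user_count actually counts keys per application, so a user who reinstalled the app shows up twice; counting DISTINCT user_id alongside it separates "many keys" from "many users".

```python
import sqlite3

# Constructed sample of a user_api_keys table. Columns other than user_id and
# application_name (client_id, revoked_at, last_used_at) are assumed, not
# taken from the thread. User 3 holds two keys for the same device name,
# modelling the "uninstalled and reinstalled the app" case; user 4's key is
# revoked and should drop out of every "active" query.
SAMPLE_KEYS = [
    # (id, user_id, client_id, application_name, revoked_at, last_used_at)
    (1, 1, "client-a", "Discourse - unknown",        None,                  "2023-05-01 10:00:00"),
    (2, 2, "client-b", "Discourse - user2's iPhone", None,                  "2023-05-01 11:00:00"),
    (3, 3, "client-c", "Discourse - user3's iPhone", None,                  "2023-04-20 09:00:00"),
    (4, 3, "client-d", "Discourse - user3's iPhone", None,                  "2023-05-02 08:00:00"),
    (5, 4, "client-e", "Discourse - user4's GS8",    "2023-03-01 00:00:00", "2023-02-28 12:00:00"),
]

# Constructed per-day visit rows (user_id, visited_at, posts_read); the table
# and column names are an assumption used only to illustrate the join.
SAMPLE_VISITS = [
    (1, "2023-05-01", 40),
    (2, "2023-05-01", 120),
    (3, "2023-05-01", 300),
    (3, "2023-05-02", 250),
    (4, "2023-05-01", 5),
]


def open_sample_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_api_keys (
            id INTEGER PRIMARY KEY, user_id INTEGER, client_id TEXT,
            application_name TEXT, revoked_at TEXT, last_used_at TEXT);
        CREATE TABLE user_visits (user_id INTEGER, visited_at TEXT, posts_read INTEGER);
    """)
    conn.executemany("INSERT INTO user_api_keys VALUES (?,?,?,?,?,?)", SAMPLE_KEYS)
    conn.executemany("INSERT INTO user_visits VALUES (?,?,?)", SAMPLE_VISITS)
    return conn


# Same shape as the thread's query, but it reports keys and distinct users
# separately and skips revoked keys (revoked_at IS NULL is the assumption).
KEYS_PER_APP = """
SELECT application_name,
       COUNT(*)                AS key_count,
       COUNT(DISTINCT user_id) AS user_count
FROM user_api_keys
WHERE revoked_at IS NULL
GROUP BY application_name
ORDER BY key_count DESC, application_name
"""

# Users holding more than one active key (two devices or a reinstall).
MULTI_KEY_USERS = """
SELECT user_id, COUNT(*) AS active_keys
FROM user_api_keys
WHERE revoked_at IS NULL
GROUP BY user_id
HAVING COUNT(*) > 1
"""

# Reading activity, over a date range, for every user who holds an active key:
# this is the "look at user activity for those user_ids" step from the thread.
ACTIVITY_FOR_KEY_HOLDERS = """
SELECT k.user_id,
       SUM(v.posts_read) AS posts_read
FROM (SELECT DISTINCT user_id FROM user_api_keys WHERE revoked_at IS NULL) k
JOIN user_visits v ON v.user_id = k.user_id
WHERE v.visited_at BETWEEN ? AND ?
GROUP BY k.user_id
ORDER BY posts_read DESC
"""


def keys_per_application(conn):
    return conn.execute(KEYS_PER_APP).fetchall()


def users_with_multiple_keys(conn):
    return conn.execute(MULTI_KEY_USERS).fetchall()


def activity_for_key_holders(conn, start_date, end_date):
    return conn.execute(ACTIVITY_FOR_KEY_HOLDERS, (start_date, end_date)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("keys per application:", keys_per_application(db))
    print("users with several keys:", users_with_multiple_keys(db))
    print("activity of key holders:", activity_for_key_holders(db, "2023-05-01", "2023-05-02"))
```

The three SELECT statements are plain SQL and could be pasted into Data Explorer as-is if the assumed columns exist on the site; the Python around them exists only so the example runs offline. Comparing key_count with user_count answers the "2 user_count" question directly, and summing reading activity for the key holders is the cheap way to decide whether a few active readers plausibly account for the daily request total before reaching for the Rails console.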

Curiosity got the better of me, so I checked a site I almost exclusively use via the DiscourseHub app. I have just shy of 1100 user api key requests for the past 24 hours from that site and I’m the only user with an active key. :slight_smile:

2 Likes