Unable to create "Single User" level API key, always defaults to "All Users"

Replication steps:

  1. Open https://yourdiscoursedomain.com/admin/api/keys
  2. Select new key
  3. Choose “single user” as the user level
  4. Create the key
  5. Open key details after creation
  6. The user level will be “All Users”

It is very unclear to me what the difference between the two user level options is, but this seems to pretty clearly be a bug.

(I am using the hosted Discourse service)

Did you also select a user to create the API key for?

Mostly an “all-user” API key is what you want. For some things, most notably using discourse_theme, a user key is required.

What are you trying to do with the API?

1 Like

I can reproduce the issue if I follow the steps you have listed. When creating an API key for a single user, Discourse expects a username to be added to the form’s User field:

If ‘Single User’ is selected as the User Level, but no username is added to the User field, an All Users API key is created. I would expect an error message to be displayed instead, similar to what happens when the form is submitted without a description.

3 Likes

I wanted to create a sort of “bot” user for retrieving posts from specific categories. This Discourse instance has authentication from GSuite only, so there isn’t a way of creating arbitrary users anymore. I had hoped that for a “Single User” key it would let me enter the new username I wanted to assign the bot, but now I see that the username must be an existing user. The username form field has no validation, so it was not clear that I could not enter in just any name (like I would do for Slack incoming webhooks, for example). It then silently fails on submission when looking up the username I entered and creates an All Users key instead.

I suppose this is more of a usability bug than functional. I found the documentation here confusing as it did not explain the User Level field at all and there was no mention of an “All Users” type besides one instance in a comment farther down the thread.

An all user API key would work unless you want the “bot” not to be able to read some categories.

Is this your username selector component @joffreyjaffeux?

No, this is not a select-kit component. The issue is that we check only on description being present, not on username. The userMode (single/all) is only a client-side value, so when the model is validated server side, all it knows is that we requested a key and that we provided a user or not.

That should make it better, will ask David to review:
https://github.com/discourse/discourse/pull/9000

7 Likes
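
Added example (not part of the thread, and not Discourse's code or the linked PR): a small Ruby model of the failure mode described above, where the requested scope never reaches the server and a missing or unknown username yields an all-users key, next to a variant that treats the scope as validated input and fails closed. All names here (`ApiKey`, `lookup_user`, `user_mode`, the sample account) are hypothetical.

```ruby
# Added illustration; hypothetical names, not Discourse's models or controllers.
ApiKey = Struct.new(:description, :user) # user == nil means the key acts for all users
class KeyRequestError < StandardError; end

# Constructed sample account store.
USERS = { "alice" => { id: 1, username: "alice" } }.freeze

def lookup_user(username)
  USERS[username.to_s.strip.downcase]
end

# Behaviour described in the thread: only the description is checked and the
# requested scope is never sent, so a failed lookup silently widens the key.
def create_key_fail_open(description:, username: nil)
  raise KeyRequestError, "description is required" if description.to_s.strip.empty?
  ApiKey.new(description, lookup_user(username))
end

# Hardened variant: the scope is an explicit input, and a single-user key is
# only issued when the user lookup succeeds.
def create_key_fail_closed(description:, user_mode:, username: nil)
  raise KeyRequestError, "description is required" if description.to_s.strip.empty?
  case user_mode
  when "all"
    unless username.to_s.strip.empty?
      raise KeyRequestError, "username not allowed for an all-users key"
    end
    ApiKey.new(description, nil)
  when "single"
    user = lookup_user(username)
    raise KeyRequestError, "unknown or missing user for single-user key" if user.nil?
    ApiKey.new(description, user)
  else
    raise KeyRequestError, "user_mode must be 'all' or 'single'"
  end
end

# Audit helper: given [request, key] pairs, list the descriptions of keys whose
# effective scope is wider than the scope that was requested.
def scope_mismatches(issued)
  issued.select { |req, key| req[:user_mode] == "single" && key.user.nil? }
        .map { |req, _key| req[:description] }
end
```

The audit helper is useful after the fact: any existing key that was meant for one account but carries no user should be revoked and reissued.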