Use scoped API Keys

Discourse · September 22, 2020, 9:29pm

API Keys let us integrate Discourse with other systems or automate different actions. However, great power comes with great responsibility. If a malicious actor has access to an API Key, they could have access to sensitive data or make changes to your site. To mitigate this and add an extra layer of security, you can now limit what an API key can do using scopes.

Scopes and allowed parameters

When creating a new API Key, you can select which scopes you want. If you hover over the icon, you’ll see a brief description of what it does. The button will show you the URLs associated with that scope.

Optionally, you could also specify which parameters are accepted. Use commas to separate multiple values.

Migrating existing keys

When we added this feature, existing keys turned into “global” keys. To migrate them to scopes, you’ll have to revoke them and create new ones.

Adding custom scopes

Plugins can add custom scopes using by calling the add_api_key_scope method:

github.com

discourse/discourse/blob/main/lib/plugin/instance.rb#L830


      
            end
          end
          
          
def javascript_includes
            assets
              .map do |asset, opts|
                next if opts == :vendored_core_pretty_text
                next unless asset =~ DiscoursePluginRegistry::JS_REGEX
                asset
              end
              .compact
          end
          
          
def register_reviewable_type(reviewable_type_class)
            extend_list_method Reviewable, :types, [reviewable_type_class.name]
          end
          
          
def extend_list_method(klass, method, new_attributes)
            current_list = klass.public_send(method)
            current_list.concat(new_attributes)

resource is a symbol used to group related scopes, while action is a hash which the following attributes:

action: A list containing the allowed controller actions. The format is controller_name#method_name.
params: A list containing the name of the allowed parameters.
aliases: A hash containing a different name for an allowed parameter.

If you want to know how the base scopes are defined see:

github.com

discourse/discourse/blob/main/app/models/api_key_scope.rb#L23


      
            actions
          end
          
          
def default_mappings
            return @default_mappings unless @default_mappings.nil?
          
          
  mappings = {
              global: {
                read: {
                  methods: %i[get],
                },
              },
              topics: {
                write: {
                  actions: %w[posts#create],
                  params: %i[topic_id],
                },
                update: {
                  actions: %w[topics#update topics#status],
                  params: %i[topic_id category_id],
                },

Last edited by @JammyDodger 2024-05-26T06:45:37Z

Check document
Perform check on document:

nickhingston · September 23, 2020, 7:43am

It seems I get 403 response for getting categories with a read only API key

curl -X GET "https://mysite/categories.json" \
-H "Api-Key: mykey" \
-H "Api-Username: system"

where I have read & read_list permissions on topics for the API key. /top.json works with the same key for instance. The endpoint works when I use a ‘Global Key’

I’d like to put the API key in my client for reading the list of categories and topics, so important to have a read only key!

Any pointers?

nickhingston · September 23, 2020, 10:03am

Interestingly it works if no credentials are used at all!

k
i.e. curl -X GET "https://mysite/categories.json"

Roman_Rizzi · September 23, 2020, 2:32pm

Unfortunately, we only include a handful of scopes out of the box due to the high number of available endpoints. We may add new ones in the future, but in the meantime, you’ll have to extend them to suit your needs.

If you use a scoped API Key, calling endpoints not included by the scopes you choose won’t work. You can click the button to see which URLs are accepted.

This only works for public sites. Also, you won’t see things like private categories unless you are logged in and have enough permissions.

Dannii · September 26, 2020, 7:53am

Are you taking suggestions for further scopes?

One thing I’d be interested in using our site’s API for would be for another site to check if a user exists with an email address and add to a group if so. I trust the site (another site within our parent organisation) but tightening down access options to only what’s needed seems wise if it were an option.

fzngagan · September 26, 2020, 8:35am

I’m super happy that they have opened up an api for plugins. You can start with a plugin and see if it can be incorporated in core.

riking · September 26, 2020, 10:17am

I believe that pr-welcome for any generally useful scopes you can come up with. E.g. group_membership.edit ?

Topic		Replies	Views
What scopes exactly does the Wordpress API key need? WordPress	13	1572	May 24, 2022
Create and configure an API key Integrations rest-api , how-to	6	28374	May 10, 2024
User API keys specification Developer Guides rest-api , reference	65	31081	June 1, 2024
Get an API key's scopes and user level via the API Dev rest-api	0	488	November 16, 2023
Search API - Key Permissions Feature rest-api , completed	2	985	July 28, 2023

Use scoped API Keys

Scopes and allowed parameters

Migrating existing keys

Adding custom scopes

Related topics