User API keys: duplicate client_id will lead to internal server error

Indra · April 7, 2023, 11:16pm

When calling user-api-key/new with a client_id that is already used by another user the forum will throw a RecordNotUnique error and silently fail on an internal server error.

ActiveRecord::RecordNotUnique (PG::UniqueViolation: ERROR:  duplicate key value violates unique constraint "index_user_api_keys_on_client_id"
DETAIL:  Key (client_id)=(893e0230d52455ea9b729334) already exists.
)
(eval):105:in `exec_params'
app/controllers/user_api_keys_controller.rb:66:in `create'

This might want to fail with something less silent informing the user that there already exists an API key with that client ID.

Though that brings me on the second question, are User API keys supposed to behave like that? Is the client ID supposed to be unique between all users?

blattersturm · June 7, 2023, 7:06pm

Quick nudge for visibility. We’re still seeing these show up in our /logs endpoint fairly frequently:

blake · September 13, 2023, 3:37pm

Thank you for reporting this, I have a couple of questions though in order to help me look into this.

Can you provide a basic repro for this so that I can debug this locally? What is your use case for user-api-keys? Are you using the discourse hub mobile app or something else?

Indra · September 16, 2023, 12:54pm

I’m not sure what you prefer as repro, but this bit of PHP code can repro it great.

Code

<?php

// openssl genrsa -out keypair.pem 2048
$keypair = openssl_pkey_get_private(file_get_contents("keypair.pem"));

// Obtain the public key
$public = openssl_pkey_get_details($keypair)["key"];

// Build the query
$query = http_build_query([
    "auth_redirect" => "https://localhost/redirect",
    "application_name" => "Test repro",
    "client_id" => "7624a5376b7f52eb403a",
    "scopes" => "session_info",
    "nonce" => bin2hex(random_bytes(16)),
    "public_key" => $public
]);

$url = "https://forum.cfx.re/user-api-key/new?" . $query;
header("Location: " . $url);

The first and repeating authorization will succeed as the first user, when using it again for another user without changing the client_id it will fail.

User API keys are used for allowing the user to use their forum account in the game client, so they’ll be able to post from ingame. We also have lot of users using them to authenticate with forum accounts to their own websites.

Whereas the client ID should be unique for the game clients, so each client is listed as seperate client in the apps screen. For website usecase you’d want to have one client ID so not each login is listed separately.

noornahas · February 15, 2024, 1:17am

Was wondering if this was resolved

Topic		Replies	Views
Generating User Api Keys with REST API dev rest-api	20	7980	April 8, 2018
Creating new User error after upgrade PG::UniqueViolation Duplicate Key sso rest-api	2	503	January 24, 2023
Generate/Regenerate api_key for a user API not working dev rest-api	5	761	January 5, 2020
404 Error returned when using DiscourseAPI Gem to Generate User API Key dev rest-api	3	794	March 8, 2020
Can't add forum in Discourse IOS/Android apps to not admin support	4	937	November 5, 2018

User API keys: duplicate client_id will lead to internal server error

Related Topics