-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API Keys for users - giving other apps access to users data securely #360
Comments
Hi @stephaje, thanks for making the issue! This should be possible currently by doing a GET request to the following endpoint:
Though you will have to provide the Authorization header set as the users auth token. That request should return all the information you'd need though, it returns the users whole watched list, which includes the status, rating, thoughts, content info, activity, etc. Do you think a page where users can generate API Keys for this would be better? Then keys could have limited scope and be revoked at a later date. |
I agree API keys would be better here, as well as the ability for an admin to pull all data. |
I'd like to work on this issue. Can you please assign ? |
Hi @titanventura, thanks for commenting, you sure can, I will assign you. Just to clarify, since the issue title is different, this task would be to create a way for users to make API Keys for their account. The user should be able to create, remove and view their active api keys in their profile page. The API keys should also have a limited scope, to start we can make them only have access to the watched routes for the user. It's a complex task, so it may be beneficial if we came up with a plan for tackling it. My basic thoughts are a new table and module for managing user api keys and to extend the auth middleware to differentiate auth tokens vs api keys (and somehow restrict their scope here). To differentiate, we could simply make api keys use a different http header for auth and ensure they wont successfully pass as a user token. Let me know of any questions/thoughts you have |
Hey @IRHM , the approach you suggested seems valid IMO. Here are some questions
I guess we are clear that we need a new middleware to authenticate the routes using API keys. Please feel free to add your opinions. |
Hey @titanventura, thanks for looking into it! I don't see any reason to hash the api keys, I think we can just simply store them plaintext in the database. If we can allow the user to make as many keys as they want, that would probably be the best. I'm thinking the new table could store, the user id (foreign key), the api key (we generate) and a name/note that the user can give it (to remember what they used it for). For the middleware, I'm guessing we could add a check to the top of the existing one (if is api key, by checking if api key header is present?), if it looks like an api key, we can move on to the api key middleware. The simplest way for now, If possible, the api key middleware could also look at the route requested and only continue if it's a GET /watched (or any other routes you think should be allowed too). Feel free to add your opinions too! |
Sure, let me factor in all these inputs and submit a draft PR. |
It should be possible to access a user's data programmatically. This would allow for up to date data to be used by other systems such as recommenders.
The text was updated successfully, but these errors were encountered: