fd8785a43d
Some checks failed
Enables server-to-server authentication for forward auth applications (e.g., video players accessing WebDAV) where browser cookies aren't available. API keys use clk_ prefixed tokens stored as HMAC hashes. Bearer token auth is checked before cookie auth in /api/verify. Invalid tokens return 401 JSON (no redirect). Requests without bearer tokens fall through to existing cookie flow unchanged. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
52 lines
1.2 KiB
Ruby
52 lines
1.2 KiB
Ruby
class ApiKeysController < ApplicationController
|
|
before_action :set_api_key, only: :destroy
|
|
|
|
def index
|
|
@api_keys = Current.session.user.api_keys.includes(:application).order(created_at: :desc)
|
|
end
|
|
|
|
def new
|
|
@api_key = ApiKey.new
|
|
@applications = forward_auth_apps_for_user
|
|
end
|
|
|
|
def create
|
|
@api_key = Current.session.user.api_keys.build(api_key_params)
|
|
|
|
if @api_key.save
|
|
flash[:api_key_token] = @api_key.plaintext_token
|
|
redirect_to api_key_path(@api_key)
|
|
else
|
|
@applications = forward_auth_apps_for_user
|
|
render :new, status: :unprocessable_entity
|
|
end
|
|
end
|
|
|
|
def show
|
|
@api_key = Current.session.user.api_keys.find(params[:id])
|
|
@plaintext_token = flash[:api_key_token]
|
|
|
|
redirect_to api_keys_path unless @plaintext_token
|
|
end
|
|
|
|
def destroy
|
|
@api_key.revoke!
|
|
redirect_to api_keys_path, notice: "API key revoked."
|
|
end
|
|
|
|
private
|
|
|
|
def set_api_key
|
|
@api_key = Current.session.user.api_keys.find(params[:id])
|
|
end
|
|
|
|
def api_key_params
|
|
params.require(:api_key).permit(:name, :application_id, :expires_at)
|
|
end
|
|
|
|
def forward_auth_apps_for_user
|
|
user = Current.session.user
|
|
Application.forward_auth.active.select { |app| app.user_allowed?(user) }
|
|
end
|
|
end
|