
API KEY Unique

Open dvdieu opened this issue 1 year ago • 8 comments

Description

The API key can be used for authentication; to do that, the API key needs to be unique across all consumers.

dvdieu avatar Apr 24 '24 14:04 dvdieu

The API_KEY is already unique for different consumers. No two users have the same api_key.

nitishfy avatar Apr 24 '24 15:04 nitishfy

> The API_KEY is already unique for different consumers. No two users have the same api_key.

Hi, I really created 2 consumers with the same API key, you can try this

dvdieu avatar Apr 24 '24 16:04 dvdieu

The consumer username should be unique

kayx23 avatar Apr 25 '24 02:04 kayx23

The username is required to be unique, but the API key should be too, because if the API key is not unique across all users, how do you tell user A from user B?

When the username is unique but the API key is duplicated, determining which user is calling is impossible.

dvdieu avatar Apr 25 '24 05:04 dvdieu

> The username is required to be unique, but the API key should be too, because if the API key is not unique across all users, how do you tell user A from user B?
>
> When the username is unique but the API key is duplicated, determining which user is calling is impossible.

@dvdieu You are right, if there are duplicate API keys, it is impossible to identify different consumers. I don't have a good proposal on how to solve it yet, because Apache APISIX uses etcd as storage instead of a relational database, and it's not easy to determine if there are duplicates. What do you think?

moonming avatar Apr 26 '24 09:04 moonming

> You are right, if there are duplicate API keys, it is impossible to identify different consumers. I don't have a good proposal on how to solve it yet, because Apache APISIX uses etcd as storage instead of a relational database, and it's not easy to determine if there are duplicates. What do you think?

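I think:

```lua
local client = etcd.client({host = etcd_host, port = etcd_port})
-- Look the key up in etcd
local response, err = client:get(key)
if err then
    -- A failed lookup is reported as "no duplicate"
    return false
end
-- More than one match means the key is duplicated
if response.count > 1 then
    return true
else
    return false
end
```

For scaling, we can use Redis to check before inserting into etcd.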

dvdieu avatar Apr 27 '24 05:04 dvdieu

> > You are right, if there are duplicate API keys, it is impossible to identify different consumers. I don't have a good proposal on how to solve it yet, because Apache APISIX uses etcd as storage instead of a relational database, and it's not easy to determine if there are duplicates. What do you think?
>
> I think:
>
> ```lua
> local client = etcd.client({host = etcd_host, port = etcd_port})
> -- Look the key up in etcd
> local response, err = client:get(key)
> if err then
>     -- A failed lookup is reported as "no duplicate"
>     return false
> end
> -- More than one match means the key is duplicated
> if response.count > 1 then
>     return true
> else
>     return false
> end
> ```
>
> For scaling, we can use Redis to check before inserting into etcd.

If this judgment logic can be added when adding an API key instead of when processing client requests, that is good for me.

moonming avatar Apr 28 '24 02:04 moonming
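
An added example, not code from the thread or from the APISIX project: a write-time uniqueness check of the kind discussed above, plus an audit of already-stored consumers. It assumes each consumer carries its key under the `key-auth` plugin's `key` field; the sample consumers and all function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample: unique usernames, but alice and carol share one API key.
CONSUMERS = [
    {"username": "alice", "plugins": {"key-auth": {"key": "key-one"}}},
    {"username": "bob", "plugins": {"key-auth": {"key": "key-two"}}},
    {"username": "carol", "plugins": {"key-auth": {"key": "key-one"}}},
    {"username": "dave", "plugins": {}},  # consumer without an API key
]


def api_key_of(consumer):
    """Return the consumer's key-auth key, or None if it has none."""
    plugins = consumer.get("plugins") or {}
    return (plugins.get("key-auth") or {}).get("key")


def fingerprint(key):
    """Short SHA-256 prefix, so audit output never contains the raw key."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def find_duplicate_keys(consumers):
    """Audit stored data: key fingerprint -> usernames sharing that key."""
    owners = defaultdict(list)
    for consumer in consumers:
        key = api_key_of(consumer)
        if key is not None:
            owners[fingerprint(key)].append(consumer["username"])
    return {fp: sorted(names) for fp, names in owners.items() if len(names) > 1}


def key_conflict(consumers, candidate):
    """Write-time check: username of another consumer that already holds the
    candidate's key, or None. Re-saving a consumer with its own key is allowed."""
    key = api_key_of(candidate)
    if key is None:
        return None
    for consumer in consumers:
        same_user = consumer["username"] == candidate["username"]
        if not same_user and api_key_of(consumer) == key:
            return consumer["username"]
    return None


if __name__ == "__main__":
    print(find_duplicate_keys(CONSUMERS))
    new = {"username": "erin", "plugins": {"key-auth": {"key": "key-two"}}}
    print(key_conflict(CONSUMERS, new))
```

Against a live etcd, the check and the write would have to happen as one atomic operation (for example an etcd transaction); this in-memory sketch does not model that.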

Please update this bug

dvdieu avatar Oct 09 '24 01:10 dvdieu