
Allow API keys to create other API keys through the API

Open guillaumejchauveau opened this issue 3 years ago • 3 comments

  • [x] I have searched the issues of this repository and believe that this is not a duplicate.

Summary

Currently, only API tokens retrieved with login can create a new API key. Trying to do so with an API key yields unauthorized. I propose that global admin keys be allowed to create new global keys, as well as organization keys for new organization keys.

What is the use-case?

I'm currently creating a Terraform provider for the Application server, but can't create new API keys. This feature will allow me to represent API keys as resources.

Implementation description

I believe this just needs to change some permissions. Looking at the code, I noticed the API key endpoints are the only ones that do not authorize API keys (except for profile and search, but those ones make sense). If this was on purpose for security reasons, I'd like to point out that a key can create an admin user, log in with this user, and then create a new key.

Can you implement this by yourself and make a pull request?

Seems easy enough, I'll make one asap.

guillaumejchauveau avatar Oct 29 '21 09:10 guillaumejchauveau

From a security perspective, would this be a good idea? API keys can be revoked by deleting these (e.g. in case these are exploited). Enabling creating new API keys using an API key could mean you would have to revoke possibly many API keys to stop an exploit.

brocaar avatar Oct 29 '21 10:10 brocaar

I understand the concern, however as I said it's already possible to do so, given an admin key:

  • create a global admin user
  • get a user token with login
  • create a global admin key

So if this is something you really don't want, there is a vulnerability. Also, if you revoke access to an admin user, all the keys they could have created will remain. If you plan to fix this vulnerability by saving the relationship between a key and the user who created it, you might as well do the same for API keys. Knowing this, this feature request doesn't seem unreasonable.

guillaumejchauveau avatar Oct 29 '21 12:10 guillaumejchauveau
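The two posts above raise a permission question (which keys may mint which other keys) and a revocation question (a compromised key may have spawned many others). The following is an added, self-contained Go sketch of one way to model both, written for this thread and not taken from the ChirpStack code base: the `APIKey`, `KeyStore`, `CreateKey` and `Revoke` names are hypothetical, as is the rule set that a global admin key may create any key while an organization key may only create non-admin keys for its own organization. Each key records the key that issued it, so revoking one key also revokes everything transitively issued from it.

```go
package main

import (
	"errors"
	"fmt"
)

// APIKey is a hypothetical, simplified principal: either a global admin key
// or a key scoped to one organization. CreatedByKey links a key to the key
// that minted it ("" when the key came from a user login session).
type APIKey struct {
	ID             string
	IsAdmin        bool
	OrganizationID int64 // 0 for global keys
	CreatedByKey   string
	Revoked        bool
}

// KeyStore is an in-memory stand-in for the key table (constructed for this example).
type KeyStore struct {
	keys   map[string]*APIKey
	nextID int
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]*APIKey{}} }

var ErrUnauthorized = errors.New("unauthorized")

func (s *KeyStore) newKey(isAdmin bool, orgID int64, issuer string) *APIKey {
	s.nextID++
	k := &APIKey{ID: fmt.Sprintf("key-%d", s.nextID), IsAdmin: isAdmin, OrganizationID: orgID, CreatedByKey: issuer}
	s.keys[k.ID] = k
	return k
}

// IssueFromLogin models today's behaviour: a key created by a logged-in user,
// with no issuing key to link back to.
func (s *KeyStore) IssueFromLogin(isAdmin bool, orgID int64) *APIKey {
	return s.newKey(isAdmin, orgID, "")
}

// CreateKey applies the proposed policy when the caller is itself an API key:
//   - a revoked key may do nothing;
//   - a global admin key may create global or organization keys;
//   - an organization key may only create non-admin keys for its own organization.
func (s *KeyStore) CreateKey(issuer *APIKey, isAdmin bool, orgID int64) (*APIKey, error) {
	if issuer == nil || issuer.Revoked {
		return nil, ErrUnauthorized
	}
	if !issuer.IsAdmin {
		if isAdmin {
			return nil, ErrUnauthorized // org key must not mint a global admin key
		}
		if issuer.OrganizationID != orgID {
			return nil, ErrUnauthorized // org key must not mint a key for another org
		}
	}
	return s.newKey(isAdmin, orgID, issuer.ID), nil
}

// Revoke marks the key and every key transitively issued from it as revoked,
// returning how many keys were revoked. This is the cascade that makes
// "revoke one compromised key" sufficient even after it has minted others.
func (s *KeyStore) Revoke(id string) int {
	k, ok := s.keys[id]
	if !ok || k.Revoked {
		return 0
	}
	k.Revoked = true
	n := 1
	for _, child := range s.keys {
		if child.CreatedByKey == id {
			n += s.Revoke(child.ID)
		}
	}
	return n
}

// ActiveKeys counts keys that are still usable.
func (s *KeyStore) ActiveKeys() int {
	n := 0
	for _, k := range s.keys {
		if !k.Revoked {
			n++
		}
	}
	return n
}

func main() {
	s := NewKeyStore()
	root := s.IssueFromLogin(true, 0)          // admin key from a login session
	child, _ := s.CreateKey(root, true, 0)     // admin key minted by a key
	orgKey, _ := s.CreateKey(child, false, 7)  // org 7 key minted by that admin key
	_, err := s.CreateKey(orgKey, true, 0)     // org key trying to mint an admin key
	fmt.Println("org key minting admin key:", err)
	fmt.Println("revoked by cascading from", child.ID, ":", s.Revoke(child.ID))
	fmt.Println("active keys left:", s.ActiveKeys())
}
```

The cascade only works if the issuing relationship is persisted, which is the point made above about saving who created a key; without it, revoking the original key leaves its descendants valid, exactly the situation that already exists today for keys created by a user who was later removed.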

So what's the final take on this, should I go ahead with the PR or close this issue? Sorry to take some of your time, I need the feature for a project 😅

guillaumejchauveau avatar Nov 01 '21 23:11 guillaumejchauveau