BaGet icon indicating copy to clipboard operation
BaGet copied to clipboard
verified publisher icon loic-sharma

Support multiple API keys

Open chucker opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.

Currently, the recommended approach to authentication is an API key. However, this only enables you to set one API key for your entire staff. This requires key rotation as soon as one staffer leaks the key and/or leaves the team.

Describe the solution you'd like

Therefore, what I would like is simply the — optional — ability to define multiple API keys, e.g.:

  "ApiKeys": [
    {
      "User": "Frank",
      "Key": "asd"
    },
    {
      "User": "Sarah",
      "Key": "qwe"
    },
    {
      "User": "Kim",
      "Key": "zxc"
    },
  ]

On a technical level,

  • ApiKeys has precedence over ApiKey, if present.
  • The code only really cares about the Key property. The User property is human metadata.

Describe alternatives you've considered

What we do now instead is use IIS to setup HTTP basic auth, but unfortunately, NuGet (whether through dotnet, VS, or Rider) handles HTTP auth very poorly. The recommended path for them, too, appears to be API keys.

chucker avatar Jul 19 '24 08:07 chucker

This is now possible using BaGetter 1.5.0 with https://github.com/bagetter/BaGetter/pull/156 merged. It does only support this simple use case for now, but may be extended with scopes or permissions in the future. The creator has had it running for some time now, but more people testing this big of a feature are always welcome.

Regenhardt avatar Oct 24 '24 15:10 Regenhardt

this is a very useful private feature for a small team. regarding the issue of key leakage, I think you can add some features to protect it, such as the key protection method implemented eg.Nuget. i think this feature can meet the needs of many teams.

chenzuo avatar Oct 24 '24 18:10 chenzuo