[PROPOSAL] feat: add user api management via application api
This PR adds API functionality to manage user API keys via application API.
Caveats:
- this feature has partial functional implementation for livewire (ability to view and delete user api keys from admin panel, but not create them)
Motivation: idk, this allows to use pelican headless. Also someone on Discord wanted to use pelican for hosting but not giving users full panel access: Link to Message
📝 Walkthrough
Introduces a complete API endpoint system for managing user API keys, including listing, creating, and deleting keys. Adds a new controller with validation request classes, a response transformer, routes, and integration tests for user API key operations.
Changes
| Cohort / File(s) | Change Summary |
|---|---|
| API Controller: `app/Http/Controllers/Api/Application/Users/UserApiKeyController.php` | New controller with three methods: index() fetches user's API keys ordered by id desc; store() creates new token with validation and activity logging, enforcing per-user limit; delete() removes API key by identifier with activity logging. |
| Request Validation: `app/Http/Requests/Api/Application/Users/ApiKeys/GetUserApiKeysRequest.php`, `StoreUserApiKeyRequest.php`, `DeleteUserApiKeyRequest.php` | Three new form request classes extending ApplicationApiRequest. GetUserApiKeysRequest binds to User resource with READ permission. StoreUserApiKeyRequest adds custom validation rules for memo and allowed_ips with IPTools parsing for IP/CIDR validation. DeleteUserApiKeyRequest requires WRITE permission. |
| Response Transformer: `app/Transformers/Api/Application/ApiKeyTransformer.php` | New transformer extending BaseTransformer, serializes ApiKey model attributes including id, user_id, key_type, identifier, memo, allowed_ips, permissions, timestamps, and last_used_at with null-safe access. |
| Routing: `routes/api-application.php` | New nested route group for API keys under user routes: /{user:id}/api-keys with GET (index), POST (store), and DELETE /{identifier} (delete) operations. |
| Integration Tests: `tests/Integration/Api/Application/Users/UserApiKeyControllerTest.php` | New test suite covering listing, creation, deletion of API keys; validates response structure, activity logging, API key limit enforcement, and permission-denied scenarios. |
Pre-merge checks
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 41.67% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately reflects the main feature added: API management for user API keys via the application API endpoint. |
| Description check | ✅ Passed | The description is related to the changeset and explains the purpose, motivation, and notes limitations of the feature implementation. |
@coderabbitai review
✅ Actions performed
Review triggered.
Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
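The walkthrough above says StoreUserApiKeyRequest validates each allowed_ips entry as an IP address or CIDR range. The sketch below is an added example of that kind of check, not code from this PR or from Pelican: it uses PHP's built-in filter_var instead of the IPTools library the PR uses, assumes PHP 8, and the function names and the choice to reject a /0 prefix are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Pelican code. isAllowedIpEntry() is a hypothetical helper;
// rejecting a /0 prefix is an assumed policy choice, not something the PR states.

function isAllowedIpEntry(mixed $entry): bool
{
    if (!is_string($entry)) {
        return false;
    }
    $parts = explode('/', $entry);
    if (count($parts) > 2) {
        return false;
    }
    $isV4 = filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    $isV6 = filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
    if (!$isV4 && !$isV6) {
        return false;              // hostnames, out-of-range octets, garbage
    }
    if (count($parts) === 1) {
        return true;               // single address
    }
    $prefix = $parts[1];
    // Digits only, no leading zeros or signs: "024", "+8" and "" are rejected.
    if (!ctype_digit($prefix) || $prefix !== (string) (int) $prefix) {
        return false;
    }
    $bits = (int) $prefix;
    // /0 matches every address and would turn the allow-list into a no-op.
    return $bits >= 1 && $bits <= ($isV4 ? 32 : 128);
}

/** Split a submitted allowed_ips list into accepted and rejected entries. */
function checkAllowedIps(array $entries): array
{
    $result = ['accepted' => [], 'rejected' => []];
    foreach ($entries as $entry) {
        $result[isAllowedIpEntry($entry) ? 'accepted' : 'rejected'][] = $entry;
    }
    return $result;
}

// Constructed sample input (documentation address ranges).
$sample = ['203.0.113.7', '198.51.100.0/24', '2001:db8::/32', '0.0.0.0/0',
           '10.0.0.1/33', '192.0.2.1/024', 'example.com', '192.0.2.300'];
print_r(checkAllowedIps($sample));
```

Because an application API token can mint keys for other users through this endpoint, a store request should be rejected as a whole when any entry lands in the rejected list, rather than silently saving the accepted subset.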