Could you please add a feature to get all workspaces for the given API/Secret?

Open alexey-aurea opened this issue 4 years ago • 13 comments

Need to get a list of available workspaces for the given API/Secret from the REST API. Could you please add this into the next release?

alexey-aurea avatar Nov 05 '19 11:11 alexey-aurea

Unless you're using the on-premises installation (and manually changing configuration files), the workspace IDs you'll get back from such a call would be a set of one (i.e. each workspace has a unique combination of API key and secret). I'm not sure that I'm comfortable adding this into the service API, as it potentially allows enumeration attacks. What is it that you're trying to do?

simonbrowndotje avatar Nov 05 '19 12:11 simonbrowndotje

Why enumeration attacks, if I still have to provide the API key/secret? I want to build a dropdown for available workspaces within an account. My understanding is paid accounts can have multiple workspaces, right? Also, even if there is just one workspace, I want a user to just register his key/secret within our app and then simply get a visual representation of the available workspace(s) without any additional movement (like also entering the workspace ID and such).

alexey-aurea avatar Nov 05 '19 12:11 alexey-aurea

Correct, yes, paid accounts can have multiple workspaces. However, the API key/secret pairs are unique for every workspace, rather than being defined at the user level.

simonbrowndotje avatar Nov 05 '19 12:11 simonbrowndotje

Then why do you even need a workspaceId in your GET request if authentication is mandatory and you always know which workspace the given key/secret belongs to?

alexey-aurea avatar Nov 05 '19 13:11 alexey-aurea

Given that the API key and secret are two randomly generated UUIDs, it's incredibly unlikely, but there's a very tiny possibility two workspaces have the same API key/secret. More than that though, explicitly specifying the workspace ID makes it easier for people to see which workspace they are uploading content to.

simonbrowndotje avatar Nov 05 '19 13:11 simonbrowndotje

Then again, easier would be to GET /workspaces for all possible workspaces for the given API and secret. Not sure how it can be used for an enum attack?

alexey-aurea avatar Nov 05 '19 15:11 alexey-aurea

If there was an API endpoint that allowed somebody to provide an API key/secret pair, it's then possible to enumerate all possible combinations of key/secret pairs to find matching workspaces. But, in any case, since each workspace has a unique API key/secret pair, I don't see much value in adding an API call. Can I close this issue?

simonbrowndotje avatar Nov 05 '19 16:11 simonbrowndotje

But I just mentioned the value, which is exactly that - get the workspaceId(s) by key/secret. Otherwise I would have to write an enum attack to get the workspaceId knowing the key/secret, so that our users would not have to manually log onto Structurizr to get that. I wonder how your own UI is working then; clearly you do not use exactly the same API, as there is no need to enter a workspaceId ever. Why not grant 3rd parties the same simplicity?

alexey-aurea avatar Nov 06 '19 07:11 alexey-aurea

The server-side of the UI (a Java/Spring MVC app) has direct access to the Amazon RDS MySQL instance, where workspace metadata is being stored -> https://structurizr.com/share/38000/diagrams#Containers

simonbrowndotje avatar Nov 06 '19 07:11 simonbrowndotje

Yeah, so there won't be the same level of interaction through any third-party tool if you won't allow us to get meta info. As I understand it, your app still uses user credentials to get a list of available workspaces. Can you extend the API with a similar method then? Basically, any method to get a list of available workspaces. To be on par with the UI?

alexey-aurea avatar Nov 06 '19 09:11 alexey-aurea

We can certainly add that to the backlog ... what's your preference to supplying credentials?

  1. Username and password
  2. Username and another (user-based) API key

And are you looking to get the set of workspaces owned, or the set of workspaces that user has access to? For the latter, read-only users don't get access to the API key/secret pair ... so there are a few things to think about here.

simonbrowndotje avatar Nov 06 '19 09:11 simonbrowndotje

Actually, thinking about this more, we’ll need to use a different API key for user authentication.

simonbrowndotje avatar Nov 06 '19 09:11 simonbrowndotje

I also think username and API key is better.

alexey-aurea avatar Nov 06 '19 15:11 alexey-aurea

Hey @simonbrowndotje, we got any updates or roadmap for this?

We have a case here that may be useful for other organizations - we would like to embed Structurizr inside https://backstage.io/, without using the Structurizr native navigation (everything should be inside Backstage).

We also would like to use a Git-based monorepo for storing the DSLs (with an organization of shared software systems, containers, etc) - here it would be useful to get the API/secret of all workspaces.

Do you see any way of doing this?

iowaz avatar Nov 21 '22 19:11 iowaz

> we would like to embed Structurizr inside https://backstage.io/, without using the Structurizr native navigation

Can you explain what this means?

simonbrowndotje avatar Nov 24 '22 12:11 simonbrowndotje

Oh, the feature to get a list of workspaces already exists if you're using the cloud service.

  1. Generate yourself an API key from your dashboard using the "Regenerate user API key" link.
  2. Make an HTTP POST request to https://api.structurizr.com/user/workspaces with 2 parameters (username and apiKey).

Here's a curl example:

curl -d "username=...&apiKey=..." -X POST https://api.structurizr.com/user/workspaces

This will return a JSON document with the meta-data for all workspaces owned by the specified user.

simonbrowndotje avatar Nov 24 '22 12:11 simonbrowndotje
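
A variant of the curl call above, added here as an example (not from the thread or the Structurizr project): it passes the two parameters through a curl config on stdin, so the user API key does not end up in shell history or the process list, and URL-encodes both values. The function names and the environment variable names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: call the workspace-listing endpoint from the thread without
# putting the user API key on the curl command line.

STRUCTURIZR_API_URL="https://api.structurizr.com/user/workspaces"  # URL from the thread

# Escape a value for a double-quoted string in a curl config file
# (backslash and double quote are the characters that need escaping).
curl_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a curl config for the request.
#   $1 = username, $2 = user API key
# data-urlencode makes curl send a POST and URL-encode each value, so
# characters such as & or + in a value cannot alter the form body.
build_workspaces_config() {
    [ -n "$1" ] && [ -n "$2" ] || {
        echo "username and user API key are required" >&2
        return 1
    }
    printf 'url = "%s"\n' "$STRUCTURIZR_API_URL"
    printf 'data-urlencode = "username=%s"\n' "$(curl_quote "$1")"
    printf 'data-urlencode = "apiKey=%s"\n' "$(curl_quote "$2")"
}

# Send the request. The config, and with it the key, reaches curl over stdin.
# --fail turns an HTTP error status into a non-zero exit code.
list_workspaces() {
    build_workspaces_config "$1" "$2" |
        curl --silent --show-error --fail --config -
}

# Usage, with credentials taken from the environment
# (these variable names are assumptions, not Structurizr conventions):
#   list_workspaces "$STRUCTURIZR_USERNAME" "$STRUCTURIZR_USER_API_KEY"
```
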

> Oh, the feature to get a list of workspaces already exists if you're using the cloud service.
>
>   1. Generate yourself an API key from your dashboard using the "Regenerate user API key" link.
>   2. Make an HTTP POST request to https://api.structurizr.com/user/workspaces with 2 parameters (username and apiKey).
>
> Here's a curl example:
>
> curl -d "username=...&apiKey=..." -X POST https://api.structurizr.com/user/workspaces
>
> This will return a JSON document with the meta-data for all workspaces owned by the specified user.

This would work perfectly. Are there any plans to make this available in the OnPremises version?

iowaz avatar Nov 29 '22 22:11 iowaz