expressa icon indicating copy to clipboard operation
expressa copied to clipboard
verified publisher icon thomas4019

Access via API Key

Open kane-mason opened this issue 2 years ago • 13 comments

A solution that uses existing permissions model and updates token model to allow access via stored api keys.

Not my area of expertise but i could quite easilly see expressa being able to seemlessly offer this. @thomas4019 looking for some guidance

There could also be a listener that consumers implement as their own 'post signing' security layer

kane-mason avatar Sep 04 '23 08:09 kane-mason

Can you explain more what your use case is? As long as the JWTs have no expiration, they're very similar to an API key. You can think of the password as a way to generate a JWT (API key).

thomas4019 avatar Sep 04 '23 18:09 thomas4019

The use case is exposing parts of the api to third party developers. Where we issue them an api key to use when making requests to us.. Seems to be a standard practise these days?

kane-mason avatar Sep 04 '23 18:09 kane-mason

Hmm, what makes a request from these 3rd party developers different than from any other API request? If they're getting more access than a normal user, maybe this can be solved by giving them a custom role?

It is pretty common for websites to have a page where users who are also developers can create & label, view and revoke api keys. GitHub, Discord, DataDog etc provide this. Is this kind of what you're thinking?

thomas4019 avatar Sep 05 '23 05:09 thomas4019

That is exactly what i am thinking. But the api keys dont really look like a token generally? Also will need to persist they keys to a database if they are revocable i assume?

kane-mason avatar Sep 05 '23 08:09 kane-mason

for my use case, you need to be able to grant view/edit access for specific documents.. So maybe like "users: view specific": [ids of docs] maybe. in which case, role could no longer be type: file as needs to be updated and shared amongst processes, unless cacheInMemory: false works?

kane-mason avatar Sep 06 '23 12:09 kane-mason

I'd propose a new access_token collection with a schema like this:

Column Name Type
_id string
creator_user_id string
token string
expires_at string (timestamp)

And then also an access_token_access collection

Column Name Type
token_id string
collection_id string
doc_id string
view boolean
edit boolean
delete boolean

Some things I'm not sure about is if these token requests should have a user_id set on the req object.

thomas4019 avatar Sep 15 '23 21:09 thomas4019

Mmm i like it, is this inspired by Drupal?

kane-mason avatar Sep 16 '23 11:09 kane-mason

Yep! The access_token_access table is inspired by Drupal. It attaches these permissions directly to users though.

thomas4019 avatar Sep 17 '23 22:09 thomas4019

Do you see this as something that could/should replace exisiting permissions model?

kane-mason avatar Sep 19 '23 12:09 kane-mason

Rather than replacing, I see this as more of an optional, more advanced permissions model.

thomas4019 avatar Sep 21 '23 19:09 thomas4019

@thomas4019 i may need some assistance here. Do you have any capacity?

kane-mason avatar Oct 13 '23 07:10 kane-mason

Yeah, I currently do have capacity to work on this, but I’d need a bit more about your requirements. Like some concrete examples. Can you add that here or email me?

thomas4019 avatar Oct 17 '23 18:10 thomas4019

I will send you an email today and maybe we should set up a meeting too

kane-mason avatar Oct 18 '23 05:10 kane-mason