Merged
Implement user API keys that allow programmatic access to the API with
configurable permissions and network access restrictions.
User API key features:
- Create keys with permissions up to user's own level (Viewer/Member/Admin/Owner)
- Scope keys to specific networks (subset of user's network access)
- Key rotation endpoint (POST /api/auth/keys/{id}/rotate)
- Enable/disable keys without deletion
- Expiration dates for time-limited access
- Bearer token authentication (Authorization: Bearer scp_u_...)
OpenAPI documentation:
- Add user_api_key security scheme alongside session and daemon_api_key
- Document auth requirements per endpoint
Auth system refactoring:
- Replace legacy AuthenticatedUser with Authorized<IsUser>
- Replace legacy AuthenticatedDaemon with Authorized<IsDaemon>
- Add helper methods: daemon_id(), require_user_id(),
require_organization_id(), require_permissions()
- Add AuthMethod enum for audit logging
Integration tests:
- Permission escalation prevention
- Key rotation (old key invalidated, new key works)
- Expired/disabled key rejection
- Network access enforcement
- Owner isolation (users can't access other users' keys)
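As an added example, not the PR's own code, the checks the commit message lists (permission ceiling at creation, network scoping as a subset of the user's networks, rotation, expiry, enable/disable, and `Authorization: Bearer scp_u_...` parsing) modelled in plain Rust; the types, the `authorize`/`create_key`/`rotate` names and the sample token are hypothetical:

```rust
use std::collections::HashSet;

/// Permission ladder from the feature list; derive(Ord) makes Viewer < Member < Admin < Owner.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Permission { Viewer, Member, Admin, Owner }

pub struct User { pub permission: Permission, pub networks: HashSet<u64> }

pub struct ApiKey {
    pub token: String,           // constructed sample; carries the scp_u_ prefix named in the PR
    pub permission: Permission,
    pub networks: HashSet<u64>,  // explicit subset of the owner's networks
    pub enabled: bool,
    pub expires_at: Option<u64>, // unix seconds; None = never expires
}

#[derive(Debug, PartialEq, Eq)]
pub enum KeyError { Escalation, NetworkOutOfScope, BadToken, Disabled, Expired, NetworkDenied }

/// Creation-time checks: a key may not exceed its creator's level (escalation
/// prevention) and may only be scoped to networks the creator already has.
pub fn create_key(user: &User, token: &str, permission: Permission,
                  networks: &HashSet<u64>, expires_at: Option<u64>) -> Result<ApiKey, KeyError> {
    if permission > user.permission { return Err(KeyError::Escalation); }
    if !networks.is_subset(&user.networks) { return Err(KeyError::NetworkOutOfScope); }
    Ok(ApiKey { token: token.to_string(), permission, networks: networks.clone(),
                enabled: true, expires_at })
}

/// Rotation: the old token stops working the moment the new one is stored.
pub fn rotate(key: &mut ApiKey, new_token: &str) { key.token = new_token.to_string(); }

/// Request-time checks in the order a middleware would apply them. A real
/// implementation would look the token up by hash and compare in constant time.
pub fn authorize(header: &str, key: &ApiKey, now: u64, network_id: u64)
    -> Result<Permission, KeyError> {
    let token = header.strip_prefix("Bearer ").ok_or(KeyError::BadToken)?;
    if !token.starts_with("scp_u_") || token != key.token.as_str() { return Err(KeyError::BadToken); }
    if !key.enabled { return Err(KeyError::Disabled); }
    if key.expires_at.map_or(false, |t| now >= t) { return Err(KeyError::Expired); }
    if !key.networks.contains(&network_id) { return Err(KeyError::NetworkDenied); }
    Ok(key.permission)
}
```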
- Add X-Content-Type-Options: nosniff to prevent MIME type sniffing
- Add Referrer-Policy: strict-origin-when-cross-origin to limit referrer leakage
- Add CSP frame-ancestors 'self' globally to prevent clickjacking
- Add HSTS header when use_secure_session_cookies is enabled (HTTPS mode)
Update share embed handling to use CSP frame-ancestors instead of X-Frame-Options, allowing more granular control:
- Orgs with embed feature: frame-ancestors based on allowed_domains
- Orgs without embed feature: frame-ancestors 'none'
API Versioning:
- Move all entity routes from /api/ to /api/v1/
- Keep auth routes unversioned at /api/auth (session management)
- Add /api/version endpoint returning api_version and server_version
- Include ApiMeta (api_version, server_version) in all API responses
User API Key Billing:
- Add ApiKeyFeature check requiring api_access plan feature
- Gate all user API key endpoints behind RequireFeature<ApiKeyFeature>
- Check organization has API access during user API key authentication
- Move from macro-generated handlers to explicit handlers
Auth Middleware Cleanup:
- Remove unused has_min_permission() and auth_method() methods
- Remove email field from ApiKey variant (not needed for API key auth)
Other:
- Remove daemon compatibility tests and fixtures (v0.12.8)
- Update UI API client to handle new meta field in responses
- Update all UI components for /api/v1/ route changes
…_id caching
- Add HTTP client timeouts (10s connect, 30s request) to fail fast on
unreachable servers instead of hanging indefinitely
- Add clear error messages for connection failures:
- Connection refused: suggests checking server URL
- Connect timeout: suggests checking firewall
- Response timeout: suggests switching to Pull mode
- Refactor registration to use daemon_id via announce_startup as the
source of truth for registration status, not local host_id cache
- Auto re-register when server doesn't recognize daemon (e.g., after
server database reset or daemon deletion)
- Remove local host_id caching entirely - server already provides
host_id in discovery requests via DiscoveryType
- Fix API paths to use legacy /api/daemons/ routes for compatibility
No description provided.