feat(api-keys): add read_only field to api-keys

apps/dashboard/app/api/auth/[...nextauth]/route.ts

@@ -26,7 +26,7 @@ export const authOptions: AuthOptions = {
       clientSecret: env.CLIENT_SECRET,
       wellKnown: `${env.HYDRA_PUBLIC}/.well-known/openid-configuration`,
       authorization: {
-        params: { scope: "offline transactions:read payments:send" },
+        params: { scope: "offline read write" },
       },
       idToken: false,
       name: "Blink",

bats/core/api-keys/api-keys.bats

@@ -33,6 +33,10 @@ new_key_name() {
 
   name=$(echo "$key" | jq -r '.name')
   [[ "${name}" = "${key_name}" ]] || exit 1
+
+  readOnly=$(echo "$key" | jq -r '.readOnly')
+  [[ "${readOnly}" = "false" ]] || exit 1
+
   key_id=$(echo "$key" | jq -r '.id')
   cache_value "api-key-id" "$key_id"
 
@@ -67,3 +71,44 @@ new_key_name() {
   error="$(graphql_output '.error.code')"
   [[ "${error}" = "401" ]] || exit 1
 }
+
+@test "api-keys: can create read-only" {
+  key_name="$(new_key_name)"
+
+  variables="{\"input\":{\"name\":\"${key_name}\",\"readOnly\": true}}"
+
+  exec_graphql 'alice' 'api-key-create' "$variables"
+  key="$(graphql_output '.data.apiKeyCreate.apiKey')"
+  secret="$(graphql_output '.data.apiKeyCreate.apiKeySecret')"
+  cache_value "api-key-secret" "$secret"
+
+  readOnly=$(echo "$key" | jq -r '.readOnly')
+  [[ "${readOnly}" = "true" ]] || exit 1
+
+  key_id=$(echo "$key" | jq -r '.id')
+  cache_value "api-key-id" "$key_id"
+
+  exec_graphql 'api-key-secret' 'api-keys'
+
+  name="$(graphql_output '.data.me.apiKeys[-1].name')"
+  [[ "${name}" = "${key_name}" ]] || exit 1
+}
+
+@test "api-keys: read-only key cannot mutate" {
+  key_name="$(new_key_name)"
+
+  variables="{\"input\":{\"name\":\"${key_name}\"}}"
+  exec_graphql 'api-key-secret' 'api-key-create' "$variables"
+  errors="$(graphql_output '.errors | length')"
+  [[ "${errors}" = "1" ]] || exit 1
+
+  variables="{\"input\":{\"currency\":\"USD\"}}"
+  exec_graphql 'api-key-secret' 'update-display-currency' "$variables"
+  errors="$(graphql_output '.errors | length')"
+  [[ "${errors}" = "1" ]] || exit 1
+
+  # Sanity check that it works with alice
+  exec_graphql 'alice' 'update-display-currency' "$variables"
+  errors="$(graphql_output '.errors | length')"
+  [[ "${errors}" = "0" ]] || exit 1
+}

bats/gql/api-key-create.gql

@@ -5,6 +5,7 @@ mutation apiKeyCreate($input: ApiKeyCreateInput!) {
       name
       createdAt
       expiresAt
+      readOnly
     }
     apiKeySecret
   }

bats/gql/api-keys.gql

@@ -9,6 +9,7 @@ query apiKeys {
       revoked
       createdAt
       expiresAt
+      readOnly
     }
   }
 }

bats/gql/update-display-currency.gql

@@ -0,0 +1,7 @@
+mutation displayCurrencyUpdate($input: AccountUpdateDisplayCurrencyInput!) {
+  accountUpdateDisplayCurrency(input: $input) {
+    account {
+      displayCurrency
+    }
+  }
+}

core/api-keys/migrations/20231115113501_add-read-only-to-identity-api-keys.sql

@@ -0,0 +1,2 @@
+ALTER TABLE identity_api_keys
+ADD COLUMN read_only BOOL NOT NULL DEFAULT false;

core/api-keys/src/app/mod.rs

@@ -31,7 +31,7 @@ impl ApiKeysApp {
     pub async fn lookup_authenticated_subject(
         &self,
         key: &str,
-    ) -> Result<String, ApplicationError> {
+    ) -> Result<(String, bool), ApplicationError> {
         Ok(self.identities.find_subject_by_key(&key).await?)
     }
 
@@ -40,16 +40,21 @@ impl ApiKeysApp {
         &self,
         subject_id: &str,
         name: String,
+        expire_in_days: Option<u16>,
+        read_only: bool,
     ) -> Result<(IdentityApiKey, ApiKeySecret), ApplicationError> {
         let mut tx = self.pool.begin().await?;
         let id = self
             .identities
             .find_or_create_identity_for_subject_in_tx(&mut tx, subject_id)
             .await?;
-        let expiry = chrono::Utc::now() + self.config.default_expiry();
+        let expiry = chrono::Utc::now()
+            + expire_in_days
+                .map(|days| std::time::Duration::from_secs(days as u64 * 24 * 60 * 60))
+                .unwrap_or_else(|| self.config.default_expiry());
         let key = self
             .identities
-            .create_key_for_identity_in_tx(&mut tx, id, name, expiry)
+            .create_key_for_identity_in_tx(&mut tx, id, name, expiry, read_only)
             .await?;
         tx.commit().await?;
         Ok(key)

core/api-keys/src/graphql/convert.rs

@@ -23,6 +23,7 @@ impl From<IdentityApiKey> for ApiKey {
             last_used_at: key.last_used_at.map(Timestamp::from),
             created_at: Timestamp::from(key.created_at),
             expires_at: Timestamp::from(key.expires_at),
+            read_only: key.read_only,
         }
     }
 }

core/api-keys/src/graphql/schema.rs

@@ -5,6 +5,7 @@ use crate::{app::ApiKeysApp, identity::IdentityApiKeyId};
 
 pub struct AuthSubject {
     pub id: String,
+    pub read_only: bool,
 }
 
 #[derive(Clone, Copy)]
@@ -62,6 +63,7 @@ pub(super) struct ApiKey {
     pub expired: bool,
     pub last_used_at: Option<Timestamp>,
     pub expires_at: Timestamp,
+    pub read_only: bool,
 }
 
 #[derive(SimpleObject)]
@@ -102,6 +104,8 @@ pub struct Mutation;
 struct ApiKeyCreateInput {
     name: String,
     expire_in_days: Option<u16>,
+    #[graphql(default)]
+    read_only: bool,
 }
 
 #[derive(InputObject)]
@@ -118,8 +122,16 @@ impl Mutation {
     ) -> async_graphql::Result<ApiKeyCreatePayload> {
         let app = ctx.data_unchecked::<ApiKeysApp>();
         let subject = ctx.data::<AuthSubject>()?;
+        if subject.read_only {
+            return Err("Permission denied".into());
+        }
         let key = app
-            .create_api_key_for_subject(&subject.id, input.name)
+            .create_api_key_for_subject(
+                &subject.id,
+                input.name,
+                input.expire_in_days,
+                input.read_only,
+            )
             .await?;
         Ok(ApiKeyCreatePayload::from(key))
     }

core/api-keys/src/identity/mod.rs

@@ -20,6 +20,7 @@ pub struct IdentityApiKey {
     pub last_used_at: Option<chrono::DateTime<chrono::Utc>>,
     pub revoked: bool,
     pub expired: bool,
+    pub read_only: bool,
 }
 
 pub struct ApiKeySecret(String);
@@ -62,15 +63,17 @@ impl Identities {
         identity_id: IdentityId,
         name: String,
         expires_at: chrono::DateTime<chrono::Utc>,
+        read_only: bool,
     ) -> Result<(IdentityApiKey, ApiKeySecret), IdentityError> {
         let code = Alphanumeric.sample_string(&mut rand::thread_rng(), 64);
         let record = sqlx::query!(
-            r#"INSERT INTO identity_api_keys (encrypted_key, identity_id, name, expires_at)
-            VALUES (crypt($1, gen_salt('bf')), $2, $3, $4) RETURNING id, created_at"#,
+            r#"INSERT INTO identity_api_keys (encrypted_key, identity_id, name, expires_at, read_only)
+            VALUES (crypt($1, gen_salt('bf')), $2, $3, $4, $5) RETURNING id, created_at"#,
             code,
             identity_id as IdentityId,
             name,
             expires_at,
+            read_only,
         )
         .fetch_one(&mut **tx)
         .await?;
@@ -86,12 +89,13 @@ impl Identities {
                 revoked: false,
                 expired: false,
                 last_used_at: None,
+                read_only,
             },
             ApiKeySecret(key),
         ))
     }
 
-    pub async fn find_subject_by_key(&self, key: &str) -> Result<String, IdentityError> {
+    pub async fn find_subject_by_key(&self, key: &str) -> Result<(String, bool), IdentityError> {
         let code = match key.strip_prefix(&*self.key_prefix) {
             None => return Err(IdentityError::MismatchedPrefix),
             Some(code) => code,
@@ -106,16 +110,16 @@ impl Identities {
                  AND k.revoked = false
                  AND k.encrypted_key = crypt($1, k.encrypted_key)
                  AND k.expires_at > NOW()
-                 RETURNING k.id, i.subject_id
+                 RETURNING k.id, i.subject_id, k.read_only
                )
-               SELECT subject_id FROM updated_key"#,
+               SELECT subject_id, read_only FROM updated_key"#,
             code
         )
         .fetch_optional(&self.pool)
         .await?;
 
         if let Some(record) = record {
-            Ok(record.subject_id)
+            Ok((record.subject_id, record.read_only))
         } else {
             Err(IdentityError::NoActiveKeyFound)
         }
@@ -135,6 +139,7 @@ impl Identities {
                     a.expires_at,
                     revoked,
                     expires_at < NOW() AS "expired!",
+                    read_only,
                     last_used_at
             FROM
                 identities i
@@ -160,6 +165,7 @@ impl Identities {
                 revoked: record.revoked,
                 expired: record.expired,
                 last_used_at: record.last_used_at,
+                read_only: record.read_only,
             })
             .collect();
 
@@ -186,6 +192,7 @@ impl Identities {
                k.expires_at,
                k.revoked,
                expires_at < NOW() AS "expired!",
+               k.read_only,
                k.last_used_at
             "#,
             subject_id,
@@ -204,6 +211,7 @@ impl Identities {
                 revoked: record.revoked,
                 expired: record.expired,
                 last_used_at: record.last_used_at,
+                read_only: record.read_only,
             }),
             None => Err(IdentityError::KeyNotFoundForRevoke),
         }

core/api-keys/src/lib.rs

@@ -6,4 +6,5 @@ pub mod cli;
 mod entity;
 pub mod graphql;
 pub mod identity;
+pub mod scope;
 pub mod server;