ghost/core/server/models/api-key.js

const omit = require('lodash/omit');
const security = require('@tryghost/security');
const ghostBookshelf = require('./base');
const {Role} = require('./role');

const ApiKey = ghostBookshelf.Model.extend({
    tableName: 'api_keys',

    defaults() {
        const secret = security.secret.create(this.get('type'));

        return {
            secret
        };
    },

    role() {
        return this.belongsTo('Role');
    },

    integration() {
        return this.belongsTo('Integration');
    },

    user() {
        return this.belongsTo('User');
    },

    format(attrs) {
        return omit(attrs, 'role');
    },

    onSaving(model, attrs, options) {
        ghostBookshelf.Model.prototype.onSaving.apply(this, arguments);

        // enforce roles which are currently hardcoded
        // - admin key = Adminstrator role
        // - content key = no role
        if (this.hasChanged('type') || this.hasChanged('role_id')) {
            if (this.get('type') === 'admin') {
                return Role.findOne({name: attrs.role || 'Admin Integration'}, Object.assign({}, options, {columns: ['id']}))
                    .then((role) => {
                        this.set('role_id', role.get('id'));
                    });
            }

            if (this.get('type') === 'content') {
                this.set('role_id', null);
            }
        }
    },
    onUpdated(model, options) {
        if (this.previous('secret') !== this.get('secret')) {
            this.addAction(model, 'refreshed', options);
        }
    },

    getAction(event, options) {
        const actor = this.getActor(options);

        // @NOTE: we ignore internal updates (`options.context.internal`) for now
        if (!actor) {
            return;
        }

        // @TODO: implement context
        return {
            event: event,
            resource_id: this.id || this.previous('id'),
            resource_type: 'api_key',
            actor_id: actor.id,
            actor_type: actor.type
        };
    }
}, {
    refreshSecret(data, options) {
        const secret = security.secret.create(data.type);
        return this.edit(Object.assign({}, data, {secret}), options);
    }
});

const ApiKeys = ghostBookshelf.Collection.extend({
    model: ApiKey
});

module.exports = {
    ApiKey: ghostBookshelf.model('ApiKey', ApiKey),
    ApiKeys: ghostBookshelf.collection('ApiKeys', ApiKeys)
};
Created DB Backup integration (#10974) * Simplified db controller permissions options The existing objects were confusing because they did the same thing as setting permissions to true, but gave the impressions that something special was happening/required. * Added DB Backup Integration Role This will allow us to assign certain api_keys this role, in order to automate db backups * Allowed admin api_keys to have configurable roles This will allow keys for the admin api to do customised things such as db export * Added ghost-backup integration to fixtures * Added migrations for DB Backup Integration and role 2019-08-02 17:28:02 +08:00			`const omit = require('lodash/omit');`
Update dependency @tryghost/security to v0.3.0 (#14718) - Swapped instances of createSecret for security.secret.create Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Hannah Wolfe <github.erisds@gmail.com> 2022-05-06 17:53:10 +01:00			`const security = require('@tryghost/security');`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 17:46:38 +01:00			`const ghostBookshelf = require('./base');`
			`const {Role} = require('./role');`

			`const ApiKey = ghostBookshelf.Model.extend({`
			`tableName: 'api_keys',`

			`defaults() {`
Update dependency @tryghost/security to v0.3.0 (#14718) - Swapped instances of createSecret for security.secret.create Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Hannah Wolfe <github.erisds@gmail.com> 2022-05-06 17:53:10 +01:00			`const secret = security.secret.create(this.get('type'));`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 17:46:38 +01:00
			`return {`
			`secret`
			`};`
			`},`

			`role() {`
			`return this.belongsTo('Role');`
			`},`

			`integration() {`
			`return this.belongsTo('Integration');`
			`},`

Added the user_id field to the api_keys table no issue - Migration related to the Personal Tokens feature. 2020-10-23 13:01:14 +02:00			`user() {`
			`return this.belongsTo('User');`
			`},`

Created DB Backup integration (#10974) * Simplified db controller permissions options The existing objects were confusing because they did the same thing as setting permissions to true, but gave the impressions that something special was happening/required. * Added DB Backup Integration Role This will allow us to assign certain api_keys this role, in order to automate db backups * Allowed admin api_keys to have configurable roles This will allow keys for the admin api to do customised things such as db export * Added ghost-backup integration to fixtures * Added migrations for DB Backup Integration and role 2019-08-02 17:28:02 +08:00			`format(attrs) {`
			`return omit(attrs, 'role');`
			`},`

Updated ApiKey onSaving to forward options (#9994) refs #9865 We require models to forward options on, so that any transactions continue to work 2018-10-14 16:54:10 +07:00			`onSaving(model, attrs, options) {`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 17:46:38 +01:00			`ghostBookshelf.Model.prototype.onSaving.apply(this, arguments);`

			`// enforce roles which are currently hardcoded`
			`// - admin key = Adminstrator role`
			`// - content key = no role`
			`if (this.hasChanged('type') \|\| this.hasChanged('role_id')) {`
			`if (this.get('type') === 'admin') {`
Created DB Backup integration (#10974) * Simplified db controller permissions options The existing objects were confusing because they did the same thing as setting permissions to true, but gave the impressions that something special was happening/required. * Added DB Backup Integration Role This will allow us to assign certain api_keys this role, in order to automate db backups * Allowed admin api_keys to have configurable roles This will allow keys for the admin api to do customised things such as db export * Added ghost-backup integration to fixtures * Added migrations for DB Backup Integration and role 2019-08-02 17:28:02 +08:00			`return Role.findOne({name: attrs.role \|\| 'Admin Integration'}, Object.assign({}, options, {columns: ['id']}))`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 17:46:38 +01:00			`.then((role) => {`
			`this.set('role_id', role.get('id'));`
			`});`
			`}`

			`if (this.get('type') === 'content') {`
			`this.set('role_id', null);`
			`}`
			`}`
Added new endpoint for refreshing api key secret (#11791) no issue - Adds new endpoint on integration to refresh admin/content api key secret - Allows owner/admin to refresh their content or admin API keys for an integration via Ghost Admin - Adds a new `refreshed` event to actions table for anytime an api_key secret is refreshed 2020-05-05 23:36:21 +05:30			`},`
Updated signature of Bookshelf model listeners - as per https://github.com/bookshelf/bookshelf/wiki/Migrating-from-0.15.1-to-1.0.0#different-arguments-on-after-save-event-listeners-saved-created-and-updated, the signature of saved, created and updated listeners has changed to remove the second argument - this commits updates our signatures too 2021-08-25 12:44:34 +02:00			`onUpdated(model, options) {`
Added new endpoint for refreshing api key secret (#11791) no issue - Adds new endpoint on integration to refresh admin/content api key secret - Allows owner/admin to refresh their content or admin API keys for an integration via Ghost Admin - Adds a new `refreshed` event to actions table for anytime an api_key secret is refreshed 2020-05-05 23:36:21 +05:30			`if (this.previous('secret') !== this.get('secret')) {`
Extracted Bookshelf actions code to plugin no issue - this commit extracts code related to Actions from the Base model into a separate plugin - `api-key.js` contained the exact same helper function as the Base model so that has been de-duplicated 2021-06-16 12:18:58 +01:00			`this.addAction(model, 'refreshed', options);`
Added new endpoint for refreshing api key secret (#11791) no issue - Adds new endpoint on integration to refresh admin/content api key secret - Allows owner/admin to refresh their content or admin API keys for an integration via Ghost Admin - Adds a new `refreshed` event to actions table for anytime an api_key secret is refreshed 2020-05-05 23:36:21 +05:30			`}`
			`},`

			`getAction(event, options) {`
			`const actor = this.getActor(options);`

			// @NOTE: we ignore internal updates (`options.context.internal`) for now
			`if (!actor) {`
			`return;`
			`}`

			`// @TODO: implement context`
			`return {`
			`event: event,`
			`resource_id: this.id \|\| this.previous('id'),`
			`resource_type: 'api_key',`
			`actor_id: actor.id,`
			`actor_type: actor.type`
			`};`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 17:46:38 +01:00			`}`
Added refreshSecret method to ApiKey model (#9947) refs #9865 This is to allow the secret of an api_key to be refreshed, in the event of a secret being compromised. 2018-10-05 15:51:13 +07:00			`}, {`
			`refreshSecret(data, options) {`
Update dependency @tryghost/security to v0.3.0 (#14718) - Swapped instances of createSecret for security.secret.create Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Hannah Wolfe <github.erisds@gmail.com> 2022-05-06 17:53:10 +01:00			`const secret = security.secret.create(data.type);`
Added refreshSecret method to ApiKey model (#9947) refs #9865 This is to allow the secret of an api_key to be refreshed, in the event of a secret being compromised. 2018-10-05 15:51:13 +07:00			`return this.edit(Object.assign({}, data, {secret}), options);`
			`}`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 17:46:38 +01:00			`});`

			`const ApiKeys = ghostBookshelf.Collection.extend({`
			`model: ApiKey`
			`});`

			`module.exports = {`
			`ApiKey: ghostBookshelf.model('ApiKey', ApiKey),`
			`ApiKeys: ghostBookshelf.collection('ApiKeys', ApiKeys)`
			`};`