jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
25fda1ecc2e42089d3425e2146862e17b3f8b0b6
danbooru/app/views/api_keys/index.html.erb
evazion 25fda1ecc2 api keys: add IP whitelist and API permission system. 
Add the ability to restrict API keys so that they can only be used with
certain IP addresses or certain API endpoints.

Restricting your key is useful to limit damage in case it gets leaked or
stolen. For example, if your key is on a remote server and it gets
hacked, or if you accidentally check-in your key to Github.

Restricting your key's API permissions is useful if a third-party app or
script wants your key, but you don't want to give full access to your
account.

If you're an app or userscript developer, and your app needs an API key
from the user, you should only request a key with the minimum
permissions needed by your app.

If you have a privileged account, and you have scripts running under
your account, you are highly encouraged to restrict your key to limit
damage in case your key gets leaked or stolen.
2021-02-14 21:02:07 -06:00

74 lines
2.7 KiB
Plaintext
Raw Blame History

<%= render "secondary_links" %>
<div id="c-api-keys">
<div id="a-index" class="fixed-width-container">
<div class="page-heading">
<h1>API Keys</h1>
<%= link_to new_user_api_key_path(CurrentUser.user.id), class: "button-primary" do %>
<%= plus_icon %> Add
<% end %>
</div>
<% if params[:user_id].present? %>
<div class="prose">
<p>An API key is used to give programs access to your <%= Danbooru.config.canonical_app_name %> account.</p>
<p>If you're a developer, you can use an API key to access the
<%= link_to_wiki "#{Danbooru.config.canonical_app_name} API", "help:api" %>. If you're not a
developer, and you're not using any third-party apps, then you probably don't need an API key.</p>
<p><strong>Your API key is like your password</strong>. Anyone who has it has full access to
your account. Don't give your API key to apps or people you don't trust, and don't post your
API key in public locations.</p>
<p>Example usage:
<code>
<% if @api_keys.present? %>
<%= profile_url(format: "json", login: CurrentUser.user.name, api_key: @api_keys.first.key) %>
<% else %>
<%= profile_url(format: "json", login: CurrentUser.user.name, api_key: "your_api_key_goes_here") %>
<% end %>
</code>
</p>
<p>See the <%= link_to_wiki "API documentation", "help:api" %> to learn more.</p>
</div>
<% end %>
<% if params[:user_id].present? && !@api_keys.present? %>
<%= link_to "Create API key", new_user_api_key_path(CurrentUser.user.id) %>
<% else %>
<%= table_for @api_keys, width: "100%", class: "striped autofit" do |t| %>
<% t.column :name %>
<% t.column :key, td: { class: "col-expand" } %>
<% t.column :permissions do |api_key| %>
<%= safe_join(api_key.permissions, "<br>".html_safe).presence || "All" %>
<% end %>
<% t.column "IPs" do |api_key| %>
<%= safe_join(api_key.permitted_ip_addresses, "<br>".html_safe).presence || "All" %>
<% end %>
<% if !params[:user_id].present? %>
<% t.column "User" do |api_key| %>
<%= link_to_user api_key.user %>
<% end %>
<% end %>
<% t.column "Created" do |api_key| %>
<%= time_ago_in_words_tagged api_key.created_at %>
<% end %>
<% t.column column: "control" do |api_key| %>
<%= link_to "Edit", edit_api_key_path(api_key) %>
| <%= link_to "Delete", api_key, method: :delete %>
<% end %>
<% end %>
<%= numbered_paginator(@api_keys) %>
<% end %>
</div>
</div>
Reference in New Issue View Git Blame Copy Permalink