Class: Spree::Api::V3::Admin::ApiKeysController

Inherits:
ResourceController
Defined in:
app/controllers/spree/api/v3/admin/api_keys_controller.rb

Constant Summary

Constants inherited from BaseController

BaseController::RATE_LIMIT_RESPONSE

Constants included from Idempotent

Idempotent::IDEMPOTENCY_HEADER, Idempotent::IDEMPOTENCY_TTL, Idempotent::MAX_KEY_LENGTH, Idempotent::MUTATING_METHODS

Constants included from ErrorHandler

ErrorHandler::ERROR_CODES

Constants included from JwtAuthentication

JwtAuthentication::JWT_AUDIENCE_ADMIN, JwtAuthentication::JWT_AUDIENCE_STORE, JwtAuthentication::JWT_ISSUER, JwtAuthentication::USER_TYPE_ADMIN, JwtAuthentication::USER_TYPE_CUSTOMER

Instance Method Summary

Methods inherited from ResourceController

#destroy, #index, #show, #update

Methods included from Spree::Api::V3::ApiKeyAuthentication

#authenticate_api_key!, #authenticate_secret_key!

Methods included from JwtAuthentication

#authenticate_user, #require_authentication!

Instance Method Details

#create ⇒ Object

POST /api/v3/admin/api_keys

Prevents scope amplification: a key minted via a secret API key can only carry scopes that key already holds. A JWT admin is governed by CanCanCan (not scopes) and may grant any valid scope, so when a JWT user authenticated the request, `current_ability` ignores the API key (see AdminAuthentication#current_ability) and we skip the scope cap too, even if an `X-Spree-Api-Key` header was also sent.

# File 'app/controllers/spree/api/v3/admin/api_keys_controller.rb', line 22

def create
  # Only a secret-key principal is scope limited; a JWT admin skips the cap.
  # Any requested scope the authenticating key does not itself hold is "excess".
  if scope_limited_principal? && (excess = requested_scopes.reject { |s| current_api_key.has_scope?(s) }).any?
    return render_error(
      code: ERROR_CODES[:access_denied],
      message: "Cannot grant scopes beyond your own: #{excess.join(', ')}",
      status: :forbidden,
      details: { excess_scopes: excess }
    )
  end

  # Otherwise fall through to ResourceController's generic create.
  super
end
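The scope-cap rule above, modelled as a stand-alone Ruby example (added here, not Spree's own code): `ApiKey`, `JwtAdmin`, the scope names and the string error code are constructed stand-ins for the controller's `current_api_key`, `scope_limited_principal?` and `ERROR_CODES[:access_denied]`.

```ruby
# Added illustration of ApiKeysController#create's scope cap. All names and
# scope strings here are constructed for the example, not Spree's real ones.
require 'set'

# Stand-in for a secret API key principal: a fixed set of granted scopes.
ApiKey = Struct.new(:name, :scopes) do
  def has_scope?(scope)
    scopes.include?(scope)
  end
end

# Stand-in for a JWT-authenticated admin. Spree governs these with CanCanCan,
# not scopes, so they are never "scope limited" (even if an API key header
# was also sent alongside the JWT).
JwtAdmin = Struct.new(:email)

# Mirrors the controller's rule: only a secret-key principal is scope limited.
def scope_limited_principal?(principal)
  principal.is_a?(ApiKey)
end

# Returns nil when the request may proceed, or an error hash shaped like the
# controller's render_error call when requested scopes exceed the caller's.
def scope_cap_violation(principal, requested_scopes)
  return nil unless scope_limited_principal?(principal)

  excess = requested_scopes.reject { |s| principal.has_scope?(s) }
  return nil if excess.empty?

  {
    code: 'access_denied', # stand-in for ERROR_CODES[:access_denied]
    status: :forbidden,
    message: "Cannot grant scopes beyond your own: #{excess.join(', ')}",
    details: { excess_scopes: excess }
  }
end

if __FILE__ == $PROGRAM_NAME
  reader = ApiKey.new('ci-reader', Set['products:read', 'orders:read'])
  p scope_cap_violation(reader, ['products:read'])                     # nil
  p scope_cap_violation(reader, ['orders:read', 'orders:write'])       # access_denied
  p scope_cap_violation(JwtAdmin.new('admin@example.com'), ['orders:write']) # nil
end
```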

#current ⇒ Object

GET /api/v3/admin/api_keys/current

Describes the key that authenticated this request, including its live scopes, so a client (e.g. the `spree api` CLI) can show the real, current authority instead of a stale local snapshot. Only secret-key principals have a single key; a JWT admin does not.

This is the secret-key half of “describe the current credential”; the JWT-admin half is GET /api/v3/admin/me (see MeController), which returns the user + their CanCanCan permissions.

# File 'app/controllers/spree/api/v3/admin/api_keys_controller.rb', line 56

def current
  # A JWT admin has no single key to describe; report not-found rather than
  # guessing from an X-Spree-Api-Key header the ability layer ignores.
  unless current_api_key
    return render_error(
      code: ERROR_CODES[:record_not_found],
      message: Spree.t(:api_key_no_current_key),
      status: :not_found
    )
  end

  render json: serialize_resource(current_api_key)
end

#revoke ⇒ Object

PATCH /api/v3/admin/api_keys/:id/revoke

Marks the key revoked rather than deleting it; the row stays so audit logs and `created_by`/`revoked_by` remain queryable. Hard deletion is available via `destroy` for cleanup.

# File 'app/controllers/spree/api/v3/admin/api_keys_controller.rb', line 39

def revoke
  @resource = find_resource
  # Revocation is an update, so the caller needs CanCanCan :update on the key.
  authorize!(:update, @resource)

  # Soft-revoke, recording who did it; the row remains for audit queries.
  @resource.revoke!(try_spree_current_user)
  render json: serialize_resource(@resource)
end