Ghost/core/server/models/api-key.js

const crypto = require('crypto');
const ghostBookshelf = require('./base');
const {Role} = require('./role');

/*
 * Uses birthday problem estimation to calculate chance of collision
 * d = 16^26        // 26 char hex string
 * n = 10,000,000   // 10 million
 *
 *       (-n x (n-1)) / 2d
 * 1 - e^
 *
 *
 *           17
 * ~= 4 x 10^
 *
 * ref: https://medium.freecodecamp.org/how-long-should-i-make-my-api-key-833ebf2dc26f
 * ref: https://en.wikipedia.org/wiki/Birthday_problem#Approximations
 *
 * 26 char hex string = 13 bytes
 * 64 char hex string JWT secret = 32 bytes
 */
const createSecret = (type) => {
    const bytes = type === 'content' ? 13 : 32;
    return crypto.randomBytes(bytes).toString('hex');
};

const ApiKey = ghostBookshelf.Model.extend({
    tableName: 'api_keys',

    defaults() {
        const secret = createSecret(this.get('type'));

        return {
            secret
        };
    },

    role() {
        return this.belongsTo('Role');
    },

    integration() {
        return this.belongsTo('Integration');
    },

    onSaving(model, attrs, options) {
        ghostBookshelf.Model.prototype.onSaving.apply(this, arguments);

        // enforce roles which are currently hardcoded
        // - admin key = Adminstrator role
        // - content key = no role
        if (this.hasChanged('type') || this.hasChanged('role_id')) {
            if (this.get('type') === 'admin') {
                return Role.findOne({name: 'Admin Integration'}, Object.assign({}, options, {columns: ['id']}))
                    .then((role) => {
                        this.set('role_id', role.get('id'));
                    });
            }

            if (this.get('type') === 'content') {
                this.set('role_id', null);
            }
        }
    }
}, {
    refreshSecret(data, options) {
        const secret = createSecret(data.type);
        return this.edit(Object.assign({}, data, {secret}), options);
    }
});

const ApiKeys = ghostBookshelf.Collection.extend({
    model: ApiKey
});

module.exports = {
    ApiKey: ghostBookshelf.model('ApiKey', ApiKey),
    ApiKeys: ghostBookshelf.collection('ApiKeys', ApiKeys)
};
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 19:46:38 +03:00			`const crypto = require('crypto');`
			`const ghostBookshelf = require('./base');`
			`const {Role} = require('./role');`

Shortened content api key lengths (#10322) * Lowered the min length for api keys to 26 * Updated ApiKey model to use shorter secrets for content keys 2019-01-04 15:39:54 +03:00			`/*`
			`* Uses birthday problem estimation to calculate chance of collision`
			`* d = 16^26 // 26 char hex string`
			`* n = 10,000,000 // 10 million`
			`*`
			`* (-n x (n-1)) / 2d`
			`* 1 - e^`
			`*`
			`*`
			`* 17`
			`* ~= 4 x 10^`
			`*`
			`* ref: https://medium.freecodecamp.org/how-long-should-i-make-my-api-key-833ebf2dc26f`
			`* ref: https://en.wikipedia.org/wiki/Birthday_problem#Approximations`
			`*`
			`* 26 char hex string = 13 bytes`
Shortened admin key length (#10418) refs #10156 - Updated ApiKey model to use shorter secrets for admin keys 2019-01-24 16:46:33 +03:00			`* 64 char hex string JWT secret = 32 bytes`
Shortened content api key lengths (#10322) * Lowered the min length for api keys to 26 * Updated ApiKey model to use shorter secrets for content keys 2019-01-04 15:39:54 +03:00			`*/`
			`const createSecret = (type) => {`
Shortened admin key length (#10418) refs #10156 - Updated ApiKey model to use shorter secrets for admin keys 2019-01-24 16:46:33 +03:00			`const bytes = type === 'content' ? 13 : 32;`
Shortened content api key lengths (#10322) * Lowered the min length for api keys to 26 * Updated ApiKey model to use shorter secrets for content keys 2019-01-04 15:39:54 +03:00			`return crypto.randomBytes(bytes).toString('hex');`
			`};`
Added refreshSecret method to ApiKey model (#9947) refs #9865 This is to allow the secret of an api_key to be refreshed, in the event of a secret being compromised. 2018-10-05 11:51:13 +03:00
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 19:46:38 +03:00			`const ApiKey = ghostBookshelf.Model.extend({`
			`tableName: 'api_keys',`

			`defaults() {`
Shortened content api key lengths (#10322) * Lowered the min length for api keys to 26 * Updated ApiKey model to use shorter secrets for content keys 2019-01-04 15:39:54 +03:00			`const secret = createSecret(this.get('type'));`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 19:46:38 +03:00
			`return {`
			`secret`
			`};`
			`},`

			`role() {`
			`return this.belongsTo('Role');`
			`},`

			`integration() {`
			`return this.belongsTo('Integration');`
			`},`

Updated ApiKey onSaving to forward options (#9994) refs #9865 We require models to forward options on, so that any transactions continue to work 2018-10-14 12:54:10 +03:00			`onSaving(model, attrs, options) {`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 19:46:38 +03:00			`ghostBookshelf.Model.prototype.onSaving.apply(this, arguments);`

			`// enforce roles which are currently hardcoded`
			`// - admin key = Adminstrator role`
			`// - content key = no role`
			`if (this.hasChanged('type') \|\| this.hasChanged('role_id')) {`
			`if (this.get('type') === 'admin') {`
Updated ApiKey onSaving to forward options (#9994) refs #9865 We require models to forward options on, so that any transactions continue to work 2018-10-14 12:54:10 +03:00			`return Role.findOne({name: 'Admin Integration'}, Object.assign({}, options, {columns: ['id']}))`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 19:46:38 +03:00			`.then((role) => {`
			`this.set('role_id', role.get('id'));`
			`});`
			`}`

			`if (this.get('type') === 'content') {`
			`this.set('role_id', null);`
			`}`
			`}`
			`}`
Added refreshSecret method to ApiKey model (#9947) refs #9865 This is to allow the secret of an api_key to be refreshed, in the event of a secret being compromised. 2018-10-05 11:51:13 +03:00			`}, {`
			`refreshSecret(data, options) {`
Shortened admin key length (#10418) refs #10156 - Updated ApiKey model to use shorter secrets for admin keys 2019-01-24 16:46:33 +03:00			`const secret = createSecret(data.type);`
Added refreshSecret method to ApiKey model (#9947) refs #9865 This is to allow the secret of an api_key to be refreshed, in the event of a secret being compromised. 2018-10-05 11:51:13 +03:00			`return this.edit(Object.assign({}, data, {secret}), options);`
			`}`
Set up schema and models for API Key authentication (#9904) refs https://github.com/TryGhost/Ghost/issues/9865 - schema migrations - adds `integrations` and `api_keys` tables - inserts `integration` and `api_key` permissions and Administrator role relationships - inserts `Admin Integration` role and permissions - adds `Integration` model - adds `ApiKey` model - creates default secret if not given - hardcodes associated role based on key type - `admin` = `Admin API Client` - `content` = no role - updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy 2018-10-02 19:46:38 +03:00			`});`

			`const ApiKeys = ghostBookshelf.Collection.extend({`
			`model: ApiKey`
			`});`

			`module.exports = {`
			`ApiKey: ghostBookshelf.model('ApiKey', ApiKey),`
			`ApiKeys: ghostBookshelf.collection('ApiKeys', ApiKeys)`
			`};`