Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(platform): Add api generator functions and endpoints #8597

Merged

Conversation

Abhi1992002
Copy link
Contributor

Fix #8589

This issue depends on #8585


These changes make it easy to create and manage API keys, so we can control who gets access and what they can do. It’s like giving out special keys that we can turn on or off anytime, keeping things secure and organized.

Changes 🏗️

  • Created /api-keys endpoint to generate a new API key with custom permissions.

  • Added generate_api_key function to handle API key generation and hashing.

  • Built validate_api_key function to check if a provided API key is valid.

  • Created DELETE /api-keys/{key_id} endpoint to revoke an API key.

  • Made POST /api-keys/{key_id}/suspend and POST /api-keys/{key_id}/reactivate endpoints to suspend/reactivate keys.

  • Added list_user_api_keys function to list all API keys for a user, ordered by creation date.

  • Created update_api_key_permissions function to modify an existing key’s permissions.

  • Defined request/response models (CreateAPIKeyRequest, CreateAPIKeyResponse) for API key handling.

  • Added permission validation with has_permission function to check if a key has the required access.


Depends on this schema

enum APIKeyPermission {
	EXECUTE_GRAPH // Can execute agent graphs
	READ_GRAPH // Can get graph versions and details
	EXECUTE_BLOCK // Can execute individual blocks
	READ_BLOCK // Can get block information
}

model APIKey {
	id          String             @id @default(uuid())
	name        String
	prefix      String             @unique // First 8 chars for identification
	key         String             @unique // Hashed key
	status      APIKeyStatus       @default(ACTIVE)
	permissions APIKeyPermission[]

	// Core tracking fields
	createdAt  DateTime  @default(now())
	lastUsedAt DateTime?
	revokedAt  DateTime?

	// Basic metadata
	description String?

	// Relation to user
	userId String
	user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)

	@@index([key])
	@@index([prefix])
	@@index([userId])
	@@index([status])
	@@index([userId, status])
}

enum APIKeyStatus {
	ACTIVE
	REVOKED
	SUSPENDED
}

@Abhi1992002 Abhi1992002 requested a review from a team as a code owner November 8, 2024 13:06
@Abhi1992002 Abhi1992002 requested review from Torantulino and kcze and removed request for a team November 8, 2024 13:06
Copy link
Contributor

github-actions bot commented Nov 8, 2024

This PR targets the master branch but does not come from dev or a hotfix/* branch.

Automatically setting the base branch to dev.

@github-actions github-actions bot added the platform/backend AutoGPT Platform - Back end label Nov 8, 2024
@github-actions github-actions bot changed the base branch from master to dev November 8, 2024 13:06
@github-actions github-actions bot added the size/l label Nov 8, 2024
Copy link

qodo-merge-pro bot commented Nov 8, 2024

PR-Agent was enabled for this repository. To continue using it, please link your git user with your CodiumAI identity here.

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶

8589 - Fully compliant

Fully compliant requirements:

  • Create function to generate and store API key (hashed)
  • Create related endpoint for API key generation

8585 - Fully compliant

Fully compliant requirements:

  • Add permissions Enum
  • Add API key table with hashed key
  • Add FK relationship between user and API keys
⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
🧪 No relevant tests
🔒 Security concerns

API Key Exposure:
The plain text API key is returned in the CreateAPIKeyResponse. Consider only showing it once during creation and never storing/returning it again. Also ensure it's transmitted securely over HTTPS.

⚡ Recommended focus areas for review

Security Concern
The validate_api_key function should update lastUsedAt timestamp when validating a key to track key usage

Code Smell
The hash_api_key function decodes the hashed key back to string which is unnecessary since bcrypt output should stay as bytes

Code Structure
UpdatePermissionsRequest model is defined inside the route function instead of with other models at the top

Copy link

netlify bot commented Nov 8, 2024

Deploy Preview for auto-gpt-docs canceled.

Name Link
🔨 Latest commit 219719d
🔍 Latest deploy log https://app.netlify.com/sites/auto-gpt-docs/deploys/673591131df6700008379f38

@aarushik93 aarushik93 changed the title add: api generator functions and endpoints feat(platform): Add api generator functions and endpoints Nov 9, 2024
Copy link
Contributor

@aarushik93 aarushik93 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Abhi1992002 thanks for the speedy work as usual

I have a few notes:

We don't need a salt or bcrypt as that's needed for passwords, not for API keys which should already be unique and high entropy strings. So we can use something like token_urlsafe e.g.

secrets.token_urlsafe(32)

for hashing: sha256

We also need a prefix pattern: agpt_

Lastly, in my last PR, I also added a postfix, not sure if you've seen that, would you be able to incorporate that in as well, please

@Abhi1992002 Abhi1992002 force-pushed the feature/api-key-generator branch from 2bfddab to 22e6d33 Compare November 9, 2024 04:00
@aarushik93 aarushik93 self-assigned this Nov 11, 2024
Copy link
Contributor

@aarushik93 aarushik93 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, if you can just address a few minor comments and fix the linting then we can merge please

autogpt_platform/backend/backend/server/routers/v1.py Outdated Show resolved Hide resolved
autogpt_platform/backend/backend/data/api.py Outdated Show resolved Hide resolved
autogpt_platform/backend/backend/server/routers/v1.py Outdated Show resolved Hide resolved
@Abhi1992002 Abhi1992002 marked this pull request as draft November 13, 2024 16:48
@github-actions github-actions bot added size/xl and removed size/l labels Nov 14, 2024
@Abhi1992002 Abhi1992002 marked this pull request as ready for review November 14, 2024 05:59
Copy link

netlify bot commented Nov 14, 2024

Deploy Preview for auto-gpt-docs canceled.

Name Link
🔨 Latest commit c373c4c
🔍 Latest deploy log https://app.netlify.com/sites/auto-gpt-docs/deploys/6735f8c40e363e0008828f13

@aarushik93 aarushik93 enabled auto-merge (squash) November 14, 2024 13:19
@aarushik93 aarushik93 merged commit bbbdb56 into Significant-Gravitas:dev Nov 14, 2024
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

API key generator (backend)
3 participants