flarum/issue-archive

Allow API to be accessed with master key

tobyzerner opened this issue · 5 comments

So that you can interact with the API freely on the server side.

e.g. if you want a new topic to be created for every new blog post, you generate a master key and stick it into a Flarum WordPress plugin.

A master key should allow performing actions with any user account, without the need to authenticate with a username/password. We should allow generation/revocation of multiple master keys.

What needs to be done:

  • Create a table (api_keys) to store the keys in. They don't expire.
  • Add an API endpoint to generate a new key, as well as one to delete an existing one.
  • Add an admin interface to manage the keys. This can probably live as a sub-interface in an AdvancedPage, along with other stuff we'll add later.
  • Alter the LoginWithHeader middleware to check for a master key (still need to work out how exactly it should be passed) as well as the ID of a user to log in as.

Regarding WordPress integration, a quick question: will it be possible to use Flarum for comments? (e.g. Vanilla offers this option when you WP website)

It's on the roadmap, yes

Looking forward to this one! Been planning to integrate Flarum into our platform once there's a safe way to synchronize user accounts via the API, i.e.: not directly modifying the Flarum DB behind the scenes.

pwFoo commented

Master API token would be great for administrative usage. Create topics based on blog entries or user content (with user as author).

As a side note. Master keys are possible by adding a token to the api_keys table. All other requirements of the initial post by Toby are still part of this issue and need to be resolved:

  • Add an API endpoint to generate a new key, as well as one to delete an existing one.
  • Add an admin interface to manage the keys. This can probably live as a sub-interface in an AdvancedPage, along with other stuff we'll add later.
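
One way the header check from the issue's last to-do item could look, as an added example in plain PHP that is not Flarum's code. The `Token <key>; userId=<id>` header format, the function names, and keeping only SHA-256 digests of the keys are assumptions, since the issue leaves the format open.

```php
<?php
// Added example: plain PHP, not Flarum's code. The header format, function
// names and in-memory key list are assumptions made for illustration.

/** Generate a key; return [plaintext to show once, SHA-256 digest to store]. */
function generateMasterKey(): array
{
    $key = bin2hex(random_bytes(20)); // 40 hex characters from the CSPRNG
    return [$key, hash('sha256', $key)];
}

/**
 * Parse "Token <key>; userId=<id>" (assumed format) and return the user ID
 * to act as, or null when the header is malformed or the key is not active.
 *
 * @param string[] $activeDigests digests of the non-revoked rows in api_keys
 */
function actorFromHeader(string $header, array $activeDigests): ?int
{
    // Strict pattern: nothing may follow the numeric user ID (/D anchors the end).
    if (!preg_match('/^Token ([0-9a-f]{40}); userId=([1-9][0-9]{0,9})$/D', $header, $m)) {
        return null;
    }
    $digest = hash('sha256', $m[1]);
    $valid = false;
    foreach ($activeDigests as $stored) {
        // hash_equals compares in constant time; the loop never exits early.
        $valid = hash_equals($stored, $digest) || $valid;
    }
    return $valid ? (int) $m[2] : null;
}

// Constructed sample data.
[$key, $digest] = generateMasterKey();
$activeKeys = [$digest];

var_dump(actorFromHeader("Token $key; userId=7", $activeKeys));        // valid key, user 7
var_dump(actorFromHeader("Token $key; userId=7 OR 1=1", $activeKeys)); // trailing junk after the ID
var_dump(actorFromHeader('Token ' . str_repeat('0', 40) . '; userId=7', $activeKeys)); // unknown key
$activeKeys = [];                                                       // key revoked
var_dump(actorFromHeader("Token $key; userId=7", $activeKeys));        // same key after revocation
```

The caller still has to confirm that the returned user ID exists before acting as that user, and each use of a master key is worth logging together with the impersonated ID.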