1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
|
import { TRPCError } from "@trpc/server";
import { and, eq } from "drizzle-orm";
import { z } from "zod";
import { apiKeys } from "@karakeep/db/schema";
import serverConfig from "@karakeep/shared/config";
import {
authenticateApiKey,
generateApiKey,
regenerateApiKey,
validatePassword,
} from "../auth";
import {
authedProcedure,
createRateLimitMiddleware,
publicProcedure,
router,
} from "../index";
const zApiKeySchema = z.object({
id: z.string(),
name: z.string(),
key: z.string(),
createdAt: z.date(),
});
export const apiKeysAppRouter = router({
create: authedProcedure
.input(
z.object({
name: z.string(),
}),
)
.output(zApiKeySchema)
.mutation(async ({ input, ctx }) => {
return await generateApiKey(input.name, ctx.user.id, ctx.db);
}),
regenerate: authedProcedure
.input(
z.object({
id: z.string(),
}),
)
.output(zApiKeySchema)
.mutation(async ({ input, ctx }) => {
// Find the existing API key to get its name
const existingKey = await ctx.db.query.apiKeys.findFirst({
where: and(eq(apiKeys.id, input.id), eq(apiKeys.userId, ctx.user.id)),
});
if (!existingKey) {
throw new TRPCError({
message: "API key not found",
code: "NOT_FOUND",
});
}
return {
id: existingKey.id,
name: existingKey.name,
createdAt: existingKey.createdAt,
key: await regenerateApiKey(existingKey.id, ctx.user.id, ctx.db),
};
}),
revoke: authedProcedure
.input(
z.object({
id: z.string(),
}),
)
.mutation(async ({ input, ctx }) => {
await ctx.db
.delete(apiKeys)
.where(and(eq(apiKeys.id, input.id), eq(apiKeys.userId, ctx.user.id)));
}),
list: authedProcedure
.output(
z.object({
keys: z.array(
z.object({
id: z.string(),
name: z.string(),
createdAt: z.date(),
keyId: z.string(),
}),
),
}),
)
.query(async ({ ctx }) => {
const resp = await ctx.db.query.apiKeys.findMany({
where: eq(apiKeys.userId, ctx.user.id),
columns: {
id: true,
name: true,
createdAt: true,
keyId: true,
},
});
return { keys: resp };
}),
// Exchange the username and password with an API key.
// Homemade oAuth. This is used by the extension.
exchange: publicProcedure
.use(
createRateLimitMiddleware({
name: "apiKey.exchange",
windowMs: 15 * 60 * 1000,
maxRequests: 10,
}),
) // 10 requests per 15 minutes
.input(
z.object({
keyName: z.string(),
email: z.string(),
password: z.string(),
}),
)
.output(zApiKeySchema)
.mutation(async ({ input, ctx }) => {
let user;
// Special handling as otherwise the extension would show "username or password is wrong"
if (serverConfig.auth.disablePasswordAuth) {
throw new TRPCError({
message: "Password authentication is currently disabled",
code: "FORBIDDEN",
});
}
try {
user = await validatePassword(input.email, input.password, ctx.db);
} catch {
throw new TRPCError({ code: "UNAUTHORIZED" });
}
return await generateApiKey(input.keyName, user.id, ctx.db);
}),
validate: publicProcedure
.use(
createRateLimitMiddleware({
name: "apiKey.validate",
windowMs: 60 * 1000,
maxRequests: 30,
}),
) // 30 requests per minute
.input(z.object({ apiKey: z.string() }))
.output(z.object({ success: z.boolean() }))
.mutation(async ({ input, ctx }) => {
try {
await authenticateApiKey(input.apiKey, ctx.db); // Throws if the key is invalid
} catch {
throw new TRPCError({ code: "UNAUTHORIZED" });
}
return {
success: true,
};
}),
});
|
