api/api-keys: add allowedServices to limit or extend access

it's useful for limiting access to services per key, or for overriding default list of enabled services with "all"
2025-06-26 22:20:09 +06:00
parent d69100c68d
commit 3243564f77
4 changed files with 44 additions and 5 deletions
--- a/api/src/security/api-keys.js
+++ b/api/src/security/api-keys.js
@@ -15,7 +15,7 @@ const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12

 let keys = {}, reader = null;

-const ALLOWED_KEYS = new Set(['name', 'ips', 'userAgents', 'limit']);
+const ALLOWED_KEYS = new Set(['name', 'ips', 'userAgents', 'limit', 'allowedServices']);

 /* Expected format pseudotype:
 ** type KeyFileContents = Record<
@@ -24,7 +24,8 @@ const ALLOWED_KEYS = new Set(['name', 'ips', 'userAgents', 'limit']);
 **        name?: string,
 **        limit?: number | "unlimited",
 **        ips?: CIDRString[],
-**        userAgents?: string[]
+**        userAgents?: string[],
+**        allowedServices?: "all" | string[],
 **    }
 ** >;
 */
@@ -77,6 +78,19 @@ const validateKeys = (input) => {
                throw "`userAgents` in details contains an invalid user agent: " + invalid_ua;
            }
        }
+
+        if (details.allowedServices) {
+            const isArray = Array.isArray(details.allowedServices);
+
+            if (isArray) {
+                const invalid_services = details.allowedServices.find(service => !env.allServices.has(service));
+                if (invalid_services) {
+                    throw "`allowedServices` in details contains an invalid service";
+                }
+            } else if (details.allowedServices !== "all") {
+                throw "details object contains value for `allowedServices` which is not an array or `all`";
+            }
+        }
    });
 }

@@ -112,6 +126,14 @@ const formatKeys = (keyData) => {
        if (data.userAgents) {
            formatted[key].userAgents = data.userAgents.map(generateWildcardRegex);
        }
+
+        if (data.allowedServices) {
+            if (Array.isArray(data.allowedServices)) {
+                formatted[key].allowedServices = new Set(data.allowedServices);
+            } else {
+                formatted[key].allowedServices = data.allowedServices;
+            }
+        }
    }

    return formatted;
@@ -230,3 +252,15 @@ export const setup = (url) => {
        });
    }
 }
+
+export const getAllowedServices = (key) => {
+    if (typeof key !== "string") return;
+
+    const allowedServices = keys[key.toLowerCase()]?.allowedServices;
+    if (!allowedServices) return;
+
+    if (allowedServices === "all") {
+        return env.allServices;
+    }
+    return allowedServices;
+}