mirrors/btcpayserver
1
0
Fork 0
mirror of https://github.com/btcpayserver/btcpayserver.git synced 2025-01-18 13:26:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

add greenfield authorize UI docs and fix small issues (#2156)

Browse Source 
* add greenfield authorize UI docs and fix small issues

* Update ManageController.APIKeys.cs

* Apply suggestions from code review

Co-authored-by: Dennis Reimann <mail@dennisreimann.de>

Co-authored-by: Dennis Reimann <mail@dennisreimann.de>
This commit is contained in:
Andrew Camilleri 2020-12-23 05:19:38 +01:00 committed by GitHub
parent 5ca4e71c34
commit 9dbfe22171
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 33 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
BTCPayServer/Controllers/ManageController.APIKeys.cs
View File

@ -98,8 +98,13 @@ namespace BTCPayServer.Controllers
permissions ??= Array.Empty<string>(); permissions ??= Array.Empty<string>();
var requestPermissions = Permission.ToPermissions(permissions); var requestPermissions = Permission.ToPermissions(permissions);
if (redirect?.IsAbsoluteUri is false)
{
redirect = null;
}
if (!string.IsNullOrEmpty(applicationIdentifier) && redirect != null) if (!string.IsNullOrEmpty(applicationIdentifier) && redirect != null)
{ {
//check if there is an app identifier that matches and belongs to the current user //check if there is an app identifier that matches and belongs to the current user
var keys = await _apiKeyRepository.GetKeys(new APIKeyRepository.APIKeyQuery() var keys = await _apiKeyRepository.GetKeys(new APIKeyRepository.APIKeyQuery()
{ {
@ -110,7 +115,7 @@ namespace BTCPayServer.Controllers
var blob = key.GetBlob(); var blob = key.GetBlob();
if (blob.ApplicationIdentifier != applicationIdentifier || if (blob.ApplicationIdentifier != applicationIdentifier ||
blob.ApplicationAuthority != redirect.Authority) blob.ApplicationAuthority != redirect.AbsoluteUri)
{ {
continue; continue;
} }
@ -190,7 +195,7 @@ namespace BTCPayServer.Controllers
private void AdjustVMForAuthorization(AuthorizeApiKeysViewModel vm) private void AdjustVMForAuthorization(AuthorizeApiKeysViewModel vm)
{ {
var parsedPermissions = Permission.ToPermissions(vm.Permissions.Split(';')).GroupBy(permission => permission.Policy); var parsedPermissions = Permission.ToPermissions(vm.Permissions?.Split(';')??Array.Empty<string>()).GroupBy(permission => permission.Policy);
for (var index = vm.PermissionValues.Count - 1; index >= 0; index--) for (var index = vm.PermissionValues.Count - 1; index >= 0; index--)
{ {
@ -266,7 +271,7 @@ namespace BTCPayServer.Controllers
case "authorize": case "authorize":
case "confirm": case "confirm":
var key = command == "authorize" var key = command == "authorize"
? await CreateKey(viewModel, (viewModel.ApplicationIdentifier, viewModel.RedirectUrl?.Authority)) ? await CreateKey(viewModel, (viewModel.ApplicationIdentifier, viewModel.RedirectUrl.AbsoluteUri))
: await _apiKeyRepository.GetKey(viewModel.ApiKey); : await _apiKeyRepository.GetKey(viewModel.ApiKey);
if (viewModel.RedirectUrl != null) if (viewModel.RedirectUrl != null)
@ -274,7 +279,7 @@ namespace BTCPayServer.Controllers
var permissions = key.GetBlob().Permissions; var permissions = key.GetBlob().Permissions;
var redirectVm = new PostRedirectViewModel() var redirectVm = new PostRedirectViewModel()
{ {
FormUrl = viewModel.RedirectUrl.ToString(), FormUrl = viewModel.RedirectUrl.AbsoluteUri,
Parameters = Parameters =
{ {
new KeyValuePair<string, string>("apiKey", key.Id), new KeyValuePair<string, string>("apiKey", key.Id),

24
docs/greenfield-authorization.md Normal file
View File

@ -0,0 +1,24 @@
# GreenField API Authorization Flow
The GreenField API allows two modes of authentication to its endpoints: Basic auth and API Keys.
## Basic auth
Basic auth allows you to seamlessly integrate with BTCPay Server's user system using only a traditional user/password login form. This is however a security risk if the application is a third party as they will receive your credentials in plain text and will be able to access your full account.
## API Keys
BTCPay Server's GreenField API also allows users to generate API keys with [specific permissions](https://docs.btcpayserver.org/API/Greenfield/v1/#section/Authentication/API%20Key). **If you are integrating BTCPay Server into your third-party application, this is the recommended way.**
Asking a user to generate a dedicated API key, with a specific set of permissions can be a bad UX experience. For this scenario, we have the [Authorize User UI](https://docs.btcpayserver.org/API/Greenfield/v1/#tag/Authorization). This allows external applications to request the user to generate an API key with a specific set of permissions by simply generating a URL to BTCPay Server and redirecting the user to it.
Additionally, there are 2 optional parameters to the endpoint which allow a more seamless integration:
* if `redirect` is specified, once the API key is created, BTCPay Server redirects the user via a POST submission to the specified `redirect` URL, with a json body containing the API key, user id, and permissions granted.
* if `applicationIdentifier` is specified (along with `redirect`), BTCPay Server will check if there is an existing API key associated with the user that also has this application identifier, redirect host AND the permissions required match. `applicationIdentifier` is ignored if `redirect` is not specified.
Some examples of a generated Authorize URL:
* `https://mainnet.demo.btcpayserver.org/api-keys/authorize` - A simplistic request, where no permission is requested. Useful to prove that a user exists on a specific BTCPay Server instance.
* `https://mainnet.demo.btcpayserver.org/api-keys/authorize?applicationName=Your%20Application` - Indicates that the API key is being generated for `Your Application`
* `https://mainnet.demo.btcpayserver.org/api-keys/authorize?applicationName=Your%20Application&redirect=http://gozo.com` - Redirects the user via a POST to `http://gozo.com` with a JSON body containing the API key and its info.
* `https://mainnet.demo.btcpayserver.org/api-keys/authorize?applicationName=Your%20Application&redirect=http://gozo.com&applicationIdentifier=gozo` - Attempts to match a previously created API key based on the app identifier, domain and permissions and is prompted.
* `https://mainnet.demo.btcpayserver.org/api-keys/authorize?permissions=btcpay.store.cancreateinvoice&permissions=btcpay.store.canviewinvoices` - A request asking for permissions to create and view invoices on all stores available to the user
* `https://mainnet.demo.btcpayserver.org/api-keys/authorize?permissions=btcpay.store.cancreateinvoice&permissions=btcpay.store.canviewinvoices&selectiveStores=true` - A request asking for permissions to create and view invoices on stores but also allows the user to choose which stores the application will have the permission to.
* `https://mainnet.demo.btcpayserver.org/api-keys/authorize?permissions=btcpay.store.cancreateinvoice&permissions=btcpay.store.canviewinvoices&strict=false` - A request asking for permissions but allows the user to remove or add to the requested permission list.