dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #3576 from peaklabs-dev/fix-api-enabeled

Browse Source 
Fix: Disable API by default and do not allow API key creation when API is disabled
This commit is contained in:
Andras Bacsai
2024-09-27 16:46:21 +02:00
committed by GitHub
parent 4995675745 111e9ba3a3
commit c52fe571f5
3 changed files with 74 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/Livewire/Security/ApiTokens.php
View File

@@ -2,6 +2,7 @@
namespace App\Livewire\Security; namespace App\Livewire\Security;
use App\Models\InstanceSettings;
use Livewire\Component; use Livewire\Component;
class ApiTokens extends Component class ApiTokens extends Component
@@ -16,13 +17,18 @@ class ApiTokens extends Component
public array $permissions = ['read-only']; public array $permissions = ['read-only'];
public $instanceSettings;
public function render() public function render()
{ {
return view('livewire.security.api-tokens'); return view('livewire.security.api-tokens', [
'instanceSettings' => $this->instanceSettings,
]);
} }
public function mount() public function mount()
{ {
$this->instanceSettings = InstanceSettings::get();
$this->tokens = auth()->user()->tokens->sortByDesc('created_at'); $this->tokens = auth()->user()->tokens->sortByDesc('created_at');
} }

18
database/migrations/2024_09_26_083441_disable_api_by_default.php Normal file
View File

@@ -0,0 +1,18 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
/**
* Run the migrations.
*/
public function up(): void
{
Schema::table('instance_settings', function (Blueprint $table) {
$table->boolean('is_api_enabled')->default(false)->change();
});
}
};

106
resources/views/livewire/security/api-tokens.blade.php
View File

@@ -1,79 +1,71 @@
<div> <div>
<x-slot:title> <x-slot:title>
API Tokens | Coolify API Tokens | Coolify
</x-slot> </x-slot>
<x-security.navbar /> <x-security.navbar />
<div class="pb-4 "> <div class="pb-4 ">
<h2>API Tokens</h2> <h2>API Tokens</h2>
<div>Tokens are created with the current team as scope. You will only have access to this team's resources. @if (!$instanceSettings->is_api_enabled)
</div> <strong>API is disabled. If you want to use the API, please enable it in the Coolify Instance Settings.</strong>
</div> @else
<h3>New Token</h3> <div>Tokens are created with the current team as scope. You will only have access to this team's resources.
<form class="flex flex-col gap-2 pt-4" wire:submit='addNewToken'>
<div class="flex items-end gap-2">
<x-forms.input required id="description" label="Description" />
<x-forms.button type="submit">Create New Token</x-forms.button>
</div>
<div class="flex">
Permissions <x-helper class="px-1" helper="These permissions will be granted to the token." /><span
class="pr-1">:</span>
<div class="flex gap-1 font-bold dark:text-white">
@if ($permissions)
@foreach ($permissions as $permission)
@if ($permission === '*')
<div>All (root/admin access), be careful!</div>
@else
<div>{{ $permission }}</div>
@endif
@endforeach
@endif
</div> </div>
</div> </div>
<h4>Token Permissions</h4> <h3>New Token</h3>
<div class="w-64"> <form class="flex flex-col gap-2 pt-4" wire:submit='addNewToken'>
<x-forms.checkbox label="Read-only" wire:model.live="readOnly"></x-forms.checkbox> <div class="flex items-end gap-2">
<x-forms.checkbox label="View Sensitive Data" wire:model.live="viewSensitiveData"></x-forms.checkbox> <x-forms.input required id="description" label="Description" />
</div> <x-forms.button type="submit">Create New Token</x-forms.button>
</form> </div>
@if (session()->has('token')) <div class="flex">
Permissions
<x-helper class="px-1" helper="These permissions will be granted to the token." /><span class="pr-1">:</span>
<div class="flex gap-1 font-bold dark:text-white">
@if ($permissions)
@foreach ($permissions as $permission)
@if ($permission === '*')
<div>All (root/admin access), be careful!</div>
@else
<div>{{ $permission }}</div>
@endif
@endforeach
@endif
</div>
</div>
<h4>Token Permissions</h4>
<div class="w-64">
<x-forms.checkbox label="Read-only" wire:model.live="readOnly"></x-forms.checkbox>
<x-forms.checkbox label="View Sensitive Data" wire:model.live="viewSensitiveData"></x-forms.checkbox>
</div>
</form>
@if (session()->has('token'))
<div class="py-4 font-bold dark:text-warning">Please copy this token now. For your security, it won't be shown <div class="py-4 font-bold dark:text-warning">Please copy this token now. For your security, it won't be shown
again. again.
</div> </div>
<div class="pb-4 font-bold dark:text-white"> {{ session('token') }}</div> <div class="pb-4 font-bold dark:text-white"> {{ session('token') }}</div>
@endif @endif
<h3 class="py-4">Issued Tokens</h3> <h3 class="py-4">Issued Tokens</h3>
<div class="grid gap-2 lg:grid-cols-1"> <div class="grid gap-2 lg:grid-cols-1">
@forelse ($tokens as $token) @forelse ($tokens as $token)
<div class="flex flex-col gap-1 p-2 border dark:border-coolgray-200 hover:no-underline"> <div class="flex flex-col gap-1 p-2 border dark:border-coolgray-200 hover:no-underline">
<div>Description: {{ $token->name }}</div> <div>Description: {{ $token->name }}</div>
<div>Last used: {{ $token->last_used_at ? $token->last_used_at->diffForHumans() : 'Never' }}</div> <div>Last used: {{ $token->last_used_at ? $token->last_used_at->diffForHumans() : 'Never' }}</div>
<div class="flex gap-1"> <div class="flex gap-1">
@if ($token->abilities) @if ($token->abilities)
Abilities: Abilities:
@foreach ($token->abilities as $ability) @foreach ($token->abilities as $ability)
<div class="font-bold dark:text-white">{{ $ability }}</div> <div class="font-bold dark:text-white">{{ $ability }}</div>
@endforeach @endforeach
@endif @endif
</div> </div>
<x-modal-confirmation <x-modal-confirmation title="Confirm API Token Revocation?" isErrorButton buttonTitle="Revoke token" submitAction="revoke({{ data_get($token, 'id') }})" :actions="['This API Token will be revoked and permanently deleted.', 'Any API call made with this token will fail.']" confirmationText="{{ $token->name }}" confirmationLabel="Please confirm the execution of the actions by entering the API Token Description below" shortConfirmationLabel="API Token Description" :confirmWithPassword="false" step2ButtonText="Revoke API Token" />
title="Confirm API Token Revocation?"
isErrorButton
buttonTitle="Revoke token"
submitAction="revoke({{ data_get($token, 'id') }})"
:actions="['This API Token will be revoked and permanently deleted.', 'Any API call made with this token will fail.']"
confirmationText="{{ $token->name }}"
confirmationLabel="Please confirm the execution of the actions by entering the API Token Description below"
shortConfirmationLabel="API Token Description"
:confirmWithPassword="false"
step2ButtonText="Revoke API Token"
/>
</div> </div>
@empty @empty
<div> <div>
<div>No API tokens found.</div> <div>No API tokens found.</div>
</div> </div>
@endforelse @endforelse
</div> </div>
@endif
</div> </div>