73 lines
1.9 KiB
Ruby
73 lines
1.9 KiB
Ruby
class ApiKey < ApplicationRecord
|
|
# Normalize permissions to always be a Hash
|
|
attribute :permissions, :jsonb, default: {}
|
|
|
|
before_validation :ensure_permissions_is_hash
|
|
|
|
validates :name, presence: true
|
|
validates :key_digest, presence: true, uniqueness: true
|
|
validates :key_prefix, presence: true
|
|
|
|
scope :active_keys, -> { where(active: true) }
|
|
scope :expired, -> { where("expires_at IS NOT NULL AND expires_at < ?", Time.current) }
|
|
scope :valid, -> { active_keys.where("expires_at IS NULL OR expires_at > ?", Time.current) }
|
|
|
|
# Generate a new API key
|
|
def self.generate!(name:, permissions: {}, expires_at: nil)
|
|
raw_key = "api_live_#{SecureRandom.hex(32)}"
|
|
key_digest = Digest::SHA256.hexdigest(raw_key)
|
|
key_prefix = raw_key[0..11] # First 12 chars for identification
|
|
|
|
api_key = create!(
|
|
name: name,
|
|
key_digest: key_digest,
|
|
key_prefix: key_prefix,
|
|
permissions: permissions,
|
|
expires_at: expires_at
|
|
)
|
|
|
|
{ api_key: api_key, raw_key: raw_key }
|
|
end
|
|
|
|
# Authenticate with a raw key
|
|
def self.authenticate(raw_key)
|
|
return nil unless raw_key.present?
|
|
|
|
key_digest = Digest::SHA256.hexdigest(raw_key)
|
|
api_key = valid.find_by(key_digest: key_digest)
|
|
|
|
if api_key
|
|
api_key.touch(:last_used_at)
|
|
end
|
|
|
|
api_key
|
|
end
|
|
|
|
# Check if API key is still active and not expired
|
|
def active_and_valid?
|
|
active && (expires_at.nil? || expires_at > Time.current)
|
|
end
|
|
|
|
# Check if API key has specific permission
|
|
def can?(permission)
|
|
permissions.fetch(permission.to_s, false)
|
|
end
|
|
|
|
# Revoke API key
|
|
def revoke!
|
|
update!(active: false)
|
|
end
|
|
|
|
# Deactivate expired keys
|
|
def self.deactivate_expired!
|
|
expired.update_all(active: false)
|
|
end
|
|
|
|
private
|
|
|
|
def ensure_permissions_is_hash
|
|
self.permissions = {} if permissions.nil?
|
|
self.permissions = {} unless permissions.is_a?(Hash)
|
|
end
|
|
end
|