
feat: add allow_list to resource-scoped API tokens #19964

Open: ThomasK33 wants to merge 1 commit into main from thomask33/09-25-feat_add_allow_list_field_api_keys

Conversation

ThomasK33 (Member) commented Sep 25, 2025 (edited)

Add API key allow_list for resource-scoped tokens

This PR adds support for API key allow lists, enabling tokens to be scoped to specific resources. The implementation:

  1. Adds a new allow_list field to the CreateTokenRequest struct, allowing clients to specify resource-specific scopes when creating API tokens
  2. Implements the APIAllowListTarget type to represent resource targets in the format <type>:<id> with support for wildcards
  3. Adds validation and normalization logic for allow lists to handle wildcards and deduplication
  4. Integrates with RBAC by creating an APIKeyEffectiveScope that merges API key scopes with allow list restrictions
  5. Updates API documentation and TypeScript types to reflect the new functionality

This feature enables creating tokens that are limited to specific resources (like workspaces or templates) by ID, making it possible to create more granular API tokens with limited access.


ThomasK33 changed the title from "feat: add resource-scoped API tokens with allow lists" to "feat: add allow_list ti resource-scoped API tokens" on Sep 25, 2025
ThomasK33 changed the title from "feat: add allow_list ti resource-scoped API tokens" to "feat: add allow_list to resource-scoped API tokens" on Sep 25, 2025
ThomasK33 linked an issue on Sep 25, 2025 that may be closed by this pull request
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 4522801 to 5050f89 (September 25, 2025 15:56)
ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from 01e4d20 to 84dc70d (September 25, 2025 15:56)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 5050f89 to 6451b31 (September 25, 2025 16:07)
ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 2 times, most recently from 26fbd88 to d90697e (September 25, 2025 16:25)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch 2 times, most recently from 30352b6 to 5e9b41c (September 25, 2025 16:50)
ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from d90697e to e6d4c8c (September 25, 2025 16:50)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 5e9b41c to 30352b6 (September 25, 2025 17:27)
ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from e6d4c8c to d90697e (September 25, 2025 17:27)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 30352b6 to deba62d (September 25, 2025 17:33)
ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from d90697e to 2463c7f (September 25, 2025 17:33)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from deba62d to ff0d568 (September 25, 2025 17:39)
ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 2 times, most recently from 2547799 to 71ff7de (September 25, 2025 18:09)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from ff0d568 to 4ec061d (September 25, 2025 18:09)
ThomasK33 force-pushed the thomask33/09-30-add_wildcard_scope_entries_for_api_keys branch 2 times, most recently from c7ec9c6 to bf0f8e8 (October 3, 2025 12:41)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from af2c645 to 5dd3400 (October 3, 2025 12:41)
Emyrk (Member) commented:

The intersection code is a good pattern 👍

In scopes.go we have 2 places where the allow_list is empty by default. If we instead make it `*:*` by default, we don't need to treat empty lists as special.

```go
// Composites are site-level; allow-list empty by default
AllowIDList: []AllowListElement{},

// Low-level scopes intentionally return an empty allow list.
AllowIDList: []AllowListElement{},
```
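As an added illustration (not code from this PR or the Coder project), the hypothetical helpers below sketch the `<type>:<id>` allow-list parsing, wildcard collapsing and deduplication described in the PR summary, plus the narrowing check that the "intersection" pattern relies on; an empty list normalizes to `*:*` as the review comment above suggests. `Target`, `Normalize` and `Permits` are assumed names, not the project's API.

```go
package main

import (
	"errors"
	"sort"
	"strings"
)

// Target is a hypothetical stand-in for the PR's APIAllowListTarget:
// "<type>:<id>", where either part may be the wildcard "*".
type Target struct{ Type, ID string }

// Normalize validates "<type>:<id>" entries, deduplicates them, drops entries
// shadowed by a wildcard ("*:*" swallows everything, "workspace:*" swallows
// "workspace:<id>") and sorts for stable serialization. An empty list becomes
// "*:*" (no restriction), so callers never special-case it (assumed behaviour).
func Normalize(raw []string) ([]Target, error) {
	seen := map[string]Target{}
	for _, s := range raw {
		typ, id, ok := strings.Cut(strings.TrimSpace(s), ":")
		if !ok || typ == "" || id == "" {
			return nil, errors.New("invalid allow_list entry: " + s)
		}
		typ = strings.ToLower(typ)
		seen[typ+":"+id] = Target{Type: typ, ID: id}
	}
	if _, all := seen["*:*"]; all || len(seen) == 0 {
		return []Target{{"*", "*"}}, nil
	}
	out := make([]Target, 0, len(seen))
	for _, t := range seen {
		if _, wild := seen[t.Type+":*"]; wild && t.ID != "*" {
			continue // shadowed by the per-type wildcard
		}
		out = append(out, t)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Type+":"+out[i].ID < out[j].Type+":"+out[j].ID })
	return out, nil
}

// Permits reports whether a normalized list admits resource <typ>:<id>. The
// list only narrows what the key's RBAC scopes already grant; a match here is
// necessary, never sufficient, for access.
func Permits(list []Target, typ, id string) bool {
	for _, t := range list {
		if (t.Type == "*" || t.Type == typ) && (t.ID == "*" || t.ID == id) {
			return true
		}
	}
	return false
}
```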

ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 5dd3400 to 5a6e8cc (October 3, 2025 17:59)
ThomasK33 force-pushed the thomask33/09-30-add_wildcard_scope_entries_for_api_keys branch from bf0f8e8 to 515bfd7 (October 3, 2025 17:59)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 5a6e8cc to 73a65fa (October 6, 2025 09:42)
ThomasK33 force-pushed the thomask33/09-30-add_wildcard_scope_entries_for_api_keys branch from 515bfd7 to 5884dbd (October 6, 2025 09:42)
ThomasK33 changed the base branch from thomask33/09-30-add_wildcard_scope_entries_for_api_keys to graphite-base/19964 (October 6, 2025 10:08)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 73a65fa to 7d422aa (October 6, 2025 10:08)
graphite-app (bot) changed the base branch from graphite-base/19964 to main (October 6, 2025 10:09)
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch 3 times, most recently from 49af2b4 to fa53285 (October 6, 2025 11:57)
Emyrk (Member) left a review comment:

Minor comments, will approve after this round 👍

Emyrk self-assigned this on Oct 6, 2025
ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from fa53285 to d7df2aa (October 6, 2025 21:16)
ThomasK33 requested a review from Emyrk (October 6, 2025 21:19)
Emyrk (Member) left a review comment:

Last changes, then let's merge 👍

Commit message:

Expose allow_list targets on CreateTokenRequest and persist them in the database so API keys can be scoped to resources.
Introduce codersdk and rbac helpers to parse, validate, and normalize allow lists to enforce consistent wildcard handling.
Regenerate OpenAPI documentation, API typing outputs, and TypeScript bindings with stable serialization ordering for generated files.

ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from d7df2aa to a1346f5 (October 7, 2025 16:38)
Reviewers: Emyrk (approved these changes)
Assignees: ThomasK33, Emyrk
Labels: none yet
Projects: none yet
Milestone: no milestone
2 participants: ThomasK33, Emyrk