analytics/lib/plausible_web/plugs/authorize_sites_api.ex

defmodule PlausibleWeb.AuthorizeSitesApiPlug do
  import Plug.Conn
  use Plausible.Repo
  alias Plausible.Auth.ApiKey

  def init(options) do
    options
  end

  def call(conn, _opts) do
    with {:ok, raw_api_key} <- get_bearer_token(conn),
         {:ok, api_key} <- verify_access(raw_api_key) do
      assign(conn, :current_user_id, api_key.user_id)
    else
      {:error, :missing_api_key} ->
        unauthorized(
          conn,
          "Missing API key. Please use a valid Plausible API key as a Bearer Token."
        )

      {:error, :invalid_api_key} ->
        unauthorized(
          conn,
          "Invalid API key. Please make sure you're using a valid API key with access to the resource you've requested."
        )
    end
  end

  defp verify_access(api_key) do
    hashed_key = ApiKey.do_hash(api_key)

    found_key =
      Repo.one(
        from a in ApiKey,
          where: a.key_hash == ^hashed_key,
          where: fragment("? @> ?", a.scopes, ["sites:provision:*"])
      )

    cond do
      found_key -> {:ok, found_key}
      true -> {:error, :invalid_api_key}
    end
  end

  defp get_bearer_token(conn) do
    authorization_header =
      Plug.Conn.get_req_header(conn, "authorization")
      |> List.first()

    case authorization_header do
      "Bearer " <> token -> {:ok, String.trim(token)}
      _ -> {:error, :missing_api_key}
    end
  end

  defp unauthorized(conn, msg) do
    conn
    |> put_status(401)
    |> Phoenix.Controller.json(%{error: msg})
    |> halt()
  end
end
Add API endpoints for site and shared link creation 2021-04-09 10:30:51 +03:00			`defmodule PlausibleWeb.AuthorizeSitesApiPlug do`
Stats API (#679) * WIP * Add ability to filter by anything * Add API keys * Add version to api endpoint * Fix API test route * Fix API tests * Allow 'date' parameter in '6mo' and '12mo' * Rename session -> visit in API filters * Filter expressions in the API * Implement filters in aggregate call * Add `compare` option to aggregate call * Add way to manage API keys through the UI * Authenticate with API key * Use API key in tests 2021-02-05 12:23:30 +03:00			`import Plug.Conn`
			`use Plausible.Repo`
			`alias Plausible.Auth.ApiKey`

			`def init(options) do`
			`options`
			`end`

			`def call(conn, _opts) do`
Add API endpoints for site and shared link creation 2021-04-09 10:30:51 +03:00			`with {:ok, raw_api_key} <- get_bearer_token(conn),`
			`{:ok, api_key} <- verify_access(raw_api_key) do`
			`assign(conn, :current_user_id, api_key.user_id)`
Stats API (#679) * WIP * Add ability to filter by anything * Add API keys * Add version to api endpoint * Fix API test route * Fix API tests * Allow 'date' parameter in '6mo' and '12mo' * Rename session -> visit in API filters * Filter expressions in the API * Implement filters in aggregate call * Add `compare` option to aggregate call * Add way to manage API keys through the UI * Authenticate with API key * Use API key in tests 2021-02-05 12:23:30 +03:00			`else`
Api improvements (#723) * Require date parameter with custom period * Validate format of the `date` param with custom period * Return proper status codes for auth failures * Add breakdown endpoint * Fix pagination * Add API validations for breakdown call * Change the breakdown endpoint to return an object instead of an array * Remove change to aggregate call * Change timeseries call 2021-02-22 11:21:25 +03:00			`{:error, :missing_api_key} ->`
			`unauthorized(`
			`conn,`
			`"Missing API key. Please use a valid Plausible API key as a Bearer Token."`
			`)`

			`{:error, :invalid_api_key} ->`
			`unauthorized(`
			`conn,`
Add API key scopes 2021-04-09 11:53:41 +03:00			`"Invalid API key. Please make sure you're using a valid API key with access to the resource you've requested."`
Api improvements (#723) * Require date parameter with custom period * Validate format of the `date` param with custom period * Return proper status codes for auth failures * Add breakdown endpoint * Fix pagination * Add API validations for breakdown call * Change the breakdown endpoint to return an object instead of an array * Remove change to aggregate call * Change timeseries call 2021-02-22 11:21:25 +03:00			`)`
			`end`
			`end`

Add API endpoints for site and shared link creation 2021-04-09 10:30:51 +03:00			`defp verify_access(api_key) do`
Api improvements (#723) * Require date parameter with custom period * Validate format of the `date` param with custom period * Return proper status codes for auth failures * Add breakdown endpoint * Fix pagination * Add API validations for breakdown call * Change the breakdown endpoint to return an object instead of an array * Remove change to aggregate call * Change timeseries call 2021-02-22 11:21:25 +03:00			`hashed_key = ApiKey.do_hash(api_key)`
Add API key scopes 2021-04-09 11:53:41 +03:00
			`found_key =`
			`Repo.one(`
			`from a in ApiKey,`
			`where: a.key_hash == ^hashed_key,`
			`where: fragment("? @> ?", a.scopes, ["sites:provision:*"])`
			`)`
Api improvements (#723) * Require date parameter with custom period * Validate format of the `date` param with custom period * Return proper status codes for auth failures * Add breakdown endpoint * Fix pagination * Add API validations for breakdown call * Change the breakdown endpoint to return an object instead of an array * Remove change to aggregate call * Change timeseries call 2021-02-22 11:21:25 +03:00
			`cond do`
Add API endpoints for site and shared link creation 2021-04-09 10:30:51 +03:00			`found_key -> {:ok, found_key}`
Api improvements (#723) * Require date parameter with custom period * Validate format of the `date` param with custom period * Return proper status codes for auth failures * Add breakdown endpoint * Fix pagination * Add API validations for breakdown call * Change the breakdown endpoint to return an object instead of an array * Remove change to aggregate call * Change timeseries call 2021-02-22 11:21:25 +03:00			`true -> {:error, :invalid_api_key}`
Stats API (#679) * WIP * Add ability to filter by anything * Add API keys * Add version to api endpoint * Fix API test route * Fix API tests * Allow 'date' parameter in '6mo' and '12mo' * Rename session -> visit in API filters * Filter expressions in the API * Implement filters in aggregate call * Add `compare` option to aggregate call * Add way to manage API keys through the UI * Authenticate with API key * Use API key in tests 2021-02-05 12:23:30 +03:00			`end`
			`end`

			`defp get_bearer_token(conn) do`
			`authorization_header =`
			`Plug.Conn.get_req_header(conn, "authorization")`
			`\|> List.first()`

			`case authorization_header do`
Api improvements (#723) * Require date parameter with custom period * Validate format of the `date` param with custom period * Return proper status codes for auth failures * Add breakdown endpoint * Fix pagination * Add API validations for breakdown call * Change the breakdown endpoint to return an object instead of an array * Remove change to aggregate call * Change timeseries call 2021-02-22 11:21:25 +03:00			`"Bearer " <> token -> {:ok, String.trim(token)}`
			`_ -> {:error, :missing_api_key}`
Stats API (#679) * WIP * Add ability to filter by anything * Add API keys * Add version to api endpoint * Fix API test route * Fix API tests * Allow 'date' parameter in '6mo' and '12mo' * Rename session -> visit in API filters * Filter expressions in the API * Implement filters in aggregate call * Add `compare` option to aggregate call * Add way to manage API keys through the UI * Authenticate with API key * Use API key in tests 2021-02-05 12:23:30 +03:00			`end`
			`end`

Api improvements (#723) * Require date parameter with custom period * Validate format of the `date` param with custom period * Return proper status codes for auth failures * Add breakdown endpoint * Fix pagination * Add API validations for breakdown call * Change the breakdown endpoint to return an object instead of an array * Remove change to aggregate call * Change timeseries call 2021-02-22 11:21:25 +03:00			`defp unauthorized(conn, msg) do`
Stats API (#679) * WIP * Add ability to filter by anything * Add API keys * Add version to api endpoint * Fix API test route * Fix API tests * Allow 'date' parameter in '6mo' and '12mo' * Rename session -> visit in API filters * Filter expressions in the API * Implement filters in aggregate call * Add `compare` option to aggregate call * Add way to manage API keys through the UI * Authenticate with API key * Use API key in tests 2021-02-05 12:23:30 +03:00			`conn`
Api improvements (#723) * Require date parameter with custom period * Validate format of the `date` param with custom period * Return proper status codes for auth failures * Add breakdown endpoint * Fix pagination * Add API validations for breakdown call * Change the breakdown endpoint to return an object instead of an array * Remove change to aggregate call * Change timeseries call 2021-02-22 11:21:25 +03:00			`\|> put_status(401)`
			`\|> Phoenix.Controller.json(%{error: msg})`
Stats API (#679) * WIP * Add ability to filter by anything * Add API keys * Add version to api endpoint * Fix API test route * Fix API tests * Allow 'date' parameter in '6mo' and '12mo' * Rename session -> visit in API filters * Filter expressions in the API * Implement filters in aggregate call * Add `compare` option to aggregate call * Add way to manage API keys through the UI * Authenticate with API key * Use API key in tests 2021-02-05 12:23:30 +03:00			`\|> halt()`
			`end`
			`end`