Add admin API key management UI #54

Closed
opened 2026-05-22 11:43:11 -05:00 by erik · 2 comments
Owner

Goal

Let the authenticated site owner create, list, and revoke API keys through the admin UI after logging in through the admin session flow.

Spec: docs/web-specs/03-admin-auth-keys-passkeys.md

Requirements

  • Add authenticated admin pages for API key listing and creation.
  • Require the admin session middleware from task-8af07ab8 for all API key management pages/actions.
  • Show raw API keys exactly once after creation.
  • Avoid putting raw API keys in durable storage, logs, or long-lived URLs.
  • Never render stored key hashes or raw keys in list views.
  • Add API key revocation UI.
  • Use the DB-backed API key service from task-090a180b.
  • Do not implement passkey registration or passkey login in this slice.

Acceptance criteria

  • Authenticated site owner can create an API key and copy the raw key once.
  • API key list shows metadata only and does not expose raw keys or hashes.
  • Anonymous users cannot access API key management pages or actions.
  • Site owner can revoke an API key.
  • Revoked keys can no longer authenticate protected API requests.
  • Tests cover creation display, list redaction, revocation, anonymous access protection, and raw-key one-time display behavior.
  • Relevant lint/test checks pass.

Dependencies

  • task-090a180b
  • task-8af07ab8
Author
Owner

Synced from todu comment by @todu on 2026-05-22T19:03:37.942Z

Closing Summary

PR #59 merged: https://forge.caradoc.com/erik/slugkit/pulls/59

Acceptance criteria evidence:

  • Authenticated site owner can create an API key and copy the raw key once: met via protected POST /admin/api-keys and one-time raw-key display in creation response.
  • API key list shows metadata only and does not expose raw keys or hashes: met via metadata-only template and tests.
  • Anonymous users cannot access API key management pages or actions: met via admin session middleware and tests.
  • Site owner can revoke an API key: met via POST /admin/api-keys/:id/revoke.
  • Revoked keys can no longer authenticate protected API requests: met via revocation test with verifyApiKey.
  • Tests cover creation display, list redaction, revocation, anonymous access protection, and raw-key one-time display behavior: met.
  • Relevant lint/test checks pass: met via make check, ./scripts/pre-pr.sh, PR CI, and main push CI.

Post-merge cleanup: local and remote feature branches deleted.

Readiness: READY

Author
Owner

Synced from todu comment by @todu on 2026-05-22T19:02:02.072Z

PR Review: Approved

PR: https://forge.caradoc.com/erik/slugkit/pulls/59

Summary

Reviewed PR #59 at commit 9f2de78. The PR adds the protected admin API key management UI: authenticated owners can list API key metadata, create a key and see the raw key only in the creation response, and revoke keys. Anonymous access redirects to login, list views avoid raw keys and hashes, and revocation prevents future API key verification.

Acceptance Criteria

  • Authenticated site owner can create an API key and copy the raw key once.
  • API key list shows metadata only and does not expose raw keys or hashes.
  • Anonymous users cannot access API key management pages or actions.
  • Site owner can revoke an API key.
  • Revoked keys can no longer authenticate protected API requests.
  • Tests cover creation display, list redaction, revocation, anonymous access protection, and raw-key one-time display behavior.
  • Relevant lint/test checks pass — make check, ./scripts/pre-pr.sh, and Forgejo CI passed.

Blocking Issues

None.

Warnings

None.

Verdict

Approved for merge.

Reference
erik/slugkit#54