Merge pull request #352 from keboola/upstream/api-key-auth

Add API key authentication and MCP search improvements

Author: 239573049

src/OpenDeepWiki.EFCore/MasterDbContext.cs

@@ -46,6 +46,7 @@ public interface IContext : IDisposable
     DbSet<McpProvider> McpProviders { get; set; }
     DbSet<McpUsageLog> McpUsageLogs { get; set; }
     DbSet<McpDailyStatistics> McpDailyStatistics { get; set; }
+    DbSet<ApiKey> ApiKeys { get; set; }
 
     Task<int> SaveChangesAsync(CancellationToken cancellationToken = default);
 }
@@ -97,6 +98,7 @@ protected MasterDbContext(DbContextOptions options)
     public DbSet<McpProvider> McpProviders { get; set; } = null!;
     public DbSet<McpUsageLog> McpUsageLogs { get; set; } = null!;
     public DbSet<McpDailyStatistics> McpDailyStatistics { get; set; } = null!;
+    public DbSet<ApiKey> ApiKeys { get; set; } = null!;
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
@@ -394,5 +396,12 @@ protected override void OnModelCreating(ModelBuilder modelBuilder)
             .WithMany()
             .HasForeignKey(g => g.DepartmentId)
             .OnDelete(DeleteBehavior.SetNull);
+
+        // ApiKey indexes
+        modelBuilder.Entity<ApiKey>(entity =>
+        {
+            entity.HasIndex(e => e.KeyPrefix).IsUnique();
+            entity.HasIndex(e => e.UserId);
+        });
     }
 }

src/OpenDeepWiki.Entities/ApiKeys/ApiKey.cs

@@ -0,0 +1,66 @@
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace OpenDeepWiki.Entities;
+
+/// <summary>
+/// API Key entity for headless/M2M authentication
+/// </summary>
+public class ApiKey : AggregateRoot<string>
+{
+    /// <summary>
+    /// Human-readable label for the API key
+    /// </summary>
+    [Required]
+    [StringLength(50)]
+    public string Name { get; set; } = string.Empty;
+
+    /// <summary>
+    /// First 8 chars of random part for lookup
+    /// </summary>
+    [Required]
+    [StringLength(12)]
+    public string KeyPrefix { get; set; } = string.Empty;
+
+    /// <summary>
+    /// SHA-256 hex of full token
+    /// </summary>
+    [Required]
+    [StringLength(64)]
+    public string KeyHash { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Foreign key to User
+    /// </summary>
+    [Required]
+    [StringLength(36)]
+    public string UserId { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Permission scope
+    /// </summary>
+    [StringLength(50)]
+    public string Scope { get; set; } = "mcp:read";
+
+    /// <summary>
+    /// Expiration date (null = never expires)
+    /// </summary>
+    public DateTime? ExpiresAt { get; set; }
+
+    /// <summary>
+    /// Last time this key was used
+    /// </summary>
+    public DateTime? LastUsedAt { get; set; }
+
+    /// <summary>
+    /// IP address of last usage
+    /// </summary>
+    [StringLength(50)]
+    public string? LastUsedIp { get; set; }
+
+    /// <summary>
+    /// User navigation property
+    /// </summary>
+    [ForeignKey("UserId")]
+    public virtual User? User { get; set; }
+}

src/OpenDeepWiki.Entities/Repositories/Repository.cs

@@ -123,6 +123,12 @@ public class Repository : AggregateRoot<string>
     /// </summary>
     public DateTime? LastUpdateCheckAt { get; set; }
 
+    /// <summary>
+    /// Repository description (from GitHub)
+    /// </summary>
+    [StringLength(1000)]
+    public string? Description { get; set; }
+
     /// <summary>
     /// Whether this repository is owned by a department (org import) rather than an individual user.
     /// When true, the repo appears in Organization view only, not in the importing user's "My Repos".

src/OpenDeepWiki/Endpoints/Admin/AdminApiKeyEndpoints.cs

@@ -0,0 +1,46 @@
+using OpenDeepWiki.Services.Admin;
+
+namespace OpenDeepWiki.Endpoints.Admin;
+
+public static class AdminApiKeyEndpoints
+{
+    public static RouteGroupBuilder MapAdminApiKeyEndpoints(this RouteGroupBuilder group)
+    {
+        var apiKeys = group.MapGroup("/api-keys");
+
+        apiKeys.MapPost("/", async (CreateApiKeyRequest request, IAdminApiKeyService service) =>
+        {
+            try
+            {
+                var result = await service.CreateApiKeyAsync(request.Name, request.UserId, request.Scope, request.ExpiresInDays);
+                return Results.Ok(result);
+            }
+            catch (ArgumentException ex)
+            {
+                return Results.BadRequest(new { error = true, message = ex.Message });
+            }
+        });
+
+        apiKeys.MapGet("/", async (IAdminApiKeyService service) =>
+        {
+            var keys = await service.ListApiKeysAsync();
+            return Results.Ok(keys);
+        });
+
+        apiKeys.MapDelete("/{id}", async (string id, IAdminApiKeyService service) =>
+        {
+            var revoked = await service.RevokeApiKeyAsync(id);
+            return revoked ? Results.Ok(new { message = "API key revoked" }) : Results.NotFound(new { error = true, message = "API key not found" });
+        });
+
+        return apiKeys;
+    }
+}
+
+public class CreateApiKeyRequest
+{
+    public required string Name { get; set; }
+    public required string UserId { get; set; }
+    public string? Scope { get; set; }
+    public int? ExpiresInDays { get; set; }
+}

src/OpenDeepWiki/Endpoints/Admin/AdminEndpoints.cs

@@ -21,6 +21,7 @@ public static IEndpointRouteBuilder MapAdminEndpoints(this IEndpointRouteBuilder
         adminGroup.MapAdminSettingsEndpoints();
         adminGroup.MapAdminChatAssistantEndpoints();
         adminGroup.MapAdminMcpProviderEndpoints();
+        adminGroup.MapAdminApiKeyEndpoints();
 
         return app;
     }

src/OpenDeepWiki/Endpoints/ApiKeyEndpoints.cs

@@ -0,0 +1,63 @@
+using OpenDeepWiki.Services.Admin;
+using OpenDeepWiki.Services.Auth;
+
+namespace OpenDeepWiki.Endpoints;
+
+public static class ApiKeyEndpoints
+{
+    public static IEndpointRouteBuilder MapApiKeyEndpoints(this IEndpointRouteBuilder app)
+    {
+        var group = app.MapGroup("/api/auth/api-keys")
+            .WithTags("API Keys")
+            .RequireAuthorization();
+
+        // List own API keys
+        group.MapGet("/", async (IUserContext userContext, IAdminApiKeyService service) =>
+        {
+            if (string.IsNullOrEmpty(userContext.UserId))
+                return Results.Unauthorized();
+
+            var keys = await service.ListApiKeysForUserAsync(userContext.UserId);
+            return Results.Ok(keys);
+        });
+
+        // Create own API key
+        group.MapPost("/", async (CreateUserApiKeyRequest request, IUserContext userContext, IAdminApiKeyService service) =>
+        {
+            if (string.IsNullOrEmpty(userContext.UserId))
+                return Results.Unauthorized();
+
+            try
+            {
+                var result = await service.CreateApiKeyForUserAsync(
+                    userContext.UserId, request.Name, request.Scope, request.ExpiresInDays);
+                return Results.Ok(result);
+            }
+            catch (ArgumentException ex)
+            {
+                return Results.BadRequest(new { error = true, message = ex.Message });
+            }
+        });
+
+        // Revoke own API key
+        group.MapDelete("/{id}", async (string id, IUserContext userContext, IAdminApiKeyService service) =>
+        {
+            if (string.IsNullOrEmpty(userContext.UserId))
+                return Results.Unauthorized();
+
+            var revoked = await service.RevokeApiKeyForUserAsync(userContext.UserId, id);
+            return revoked
+                ? Results.Ok(new { message = "API key revoked" })
+                : Results.NotFound(new { error = true, message = "API key not found" });
+        });
+
+        return app;
+    }
+}
+
+public class CreateUserApiKeyRequest
+{
+    public required string Name { get; set; }
+    public string? Scope { get; set; }
+    public int? ExpiresInDays { get; set; }
+}

src/OpenDeepWiki/Infrastructure/DbInitializer.cs

@@ -34,6 +34,45 @@ public static async Task InitializeAsync(IServiceProvider serviceProvider)
         // 初始化OAuth提供商
         await InitializeOAuthProvidersAsync(context);
 
+        // Schema migrations for existing databases
+        if (context is DbContext migrationCtx)
+        {
+            // Create ApiKeys table if not exists
+            await migrationCtx.Database.ExecuteSqlRawAsync(@"
+                CREATE TABLE IF NOT EXISTS ApiKeys (
+                    Id TEXT NOT NULL PRIMARY KEY,
+                    Name TEXT NOT NULL,
+                    KeyPrefix TEXT NOT NULL,
+                    KeyHash TEXT NOT NULL,
+                    UserId TEXT NOT NULL,
+                    Scope TEXT NOT NULL DEFAULT 'mcp:read',
+                    ExpiresAt TEXT,
+                    LastUsedAt TEXT,
+                    LastUsedIp TEXT,
+                    CreatedAt TEXT NOT NULL,
+                    UpdatedAt TEXT,
+                    DeletedAt TEXT,
+                    IsDeleted INTEGER NOT NULL DEFAULT 0,
+                    Version BLOB,
+                    FOREIGN KEY (UserId) REFERENCES Users(Id)
+                )");
+            await migrationCtx.Database.ExecuteSqlRawAsync(@"
+                CREATE UNIQUE INDEX IF NOT EXISTS IX_ApiKeys_KeyPrefix ON ApiKeys (KeyPrefix)");
+            await migrationCtx.Database.ExecuteSqlRawAsync(@"
+                CREATE INDEX IF NOT EXISTS IX_ApiKeys_UserId ON ApiKeys (UserId)");
+
+            // Add Description column to Repositories if not exists
+            try
+            {
+                await migrationCtx.Database.ExecuteSqlRawAsync(
+                    "ALTER TABLE Repositories ADD COLUMN Description TEXT");
+            }
+            catch
+            {
+                // Column already exists -- ignore
+            }
+        }
+
         // 初始化系统设置默认值（仅在首次运行时从环境变量创建）
         await SystemSettingDefaults.InitializeDefaultsAsync(configuration, context);
     }

src/OpenDeepWiki/MCP/ApiKeyAuthenticationHandler.cs

@@ -0,0 +1,123 @@
+using System.Security.Claims;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Options;
+using OpenDeepWiki.EFCore;
+
+namespace OpenDeepWiki.MCP;
+
+public class ApiKeyAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+{
+    private const string ApiKeyPrefix = "dwk_";
+    private readonly IServiceScopeFactory _scopeFactory;
+
+    public ApiKeyAuthenticationHandler(
+        IOptionsMonitor<AuthenticationSchemeOptions> options,
+        ILoggerFactory logger,
+        UrlEncoder encoder,
+        IServiceScopeFactory scopeFactory)
+        : base(options, logger, encoder)
+    {
+        _scopeFactory = scopeFactory;
+    }
+
+    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        var authHeader = Request.Headers.Authorization.ToString();
+        if (string.IsNullOrEmpty(authHeader) || !authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+            return AuthenticateResult.NoResult();
+
+        var token = authHeader["Bearer ".Length..].Trim();
+        if (!token.StartsWith(ApiKeyPrefix))
+            return AuthenticateResult.NoResult();
+
+        // Extract prefix and compute hash
+        var randomPart = token[ApiKeyPrefix.Length..];
+        if (randomPart.Length < 8)
+            return AuthenticateResult.Fail("Invalid API key format");
+
+        var keyPrefix = randomPart[..8];
+        var tokenBytes = Encoding.UTF8.GetBytes(token);
+        var hashBytes = SHA256.HashData(tokenBytes);
+        var keyHash = Convert.ToHexString(hashBytes).ToLowerInvariant();
+
+        // Look up in database using a new scope (handler is singleton-like)
+        using var scope = _scopeFactory.CreateScope();
+        var context = scope.ServiceProvider.GetRequiredService<IContext>();
+
+        var apiKey = await context.ApiKeys
+            .Include(k => k.User)
+            .FirstOrDefaultAsync(k => k.KeyPrefix == keyPrefix && !k.IsDeleted);
+
+        if (apiKey == null)
+            return AuthenticateResult.Fail("Invalid API key");
+
+        // Constant-time hash comparison
+        var storedHashBytes = Convert.FromHexString(apiKey.KeyHash);
+        if (!CryptographicOperations.FixedTimeEquals(hashBytes, storedHashBytes))
+            return AuthenticateResult.Fail("Invalid API key");
+
+        // Check expiration
+        if (apiKey.ExpiresAt.HasValue && apiKey.ExpiresAt.Value < DateTime.UtcNow)
+            return AuthenticateResult.Fail("API key has expired");
+
+        // Check user exists and is not deleted
+        if (apiKey.User == null || apiKey.User.IsDeleted)
+            return AuthenticateResult.Fail("Associated user not found or disabled");
+
+        // Load user roles
+        var userRoles = await context.UserRoles
+            .Where(ur => ur.UserId == apiKey.UserId)
+            .Join(context.Roles.Where(r => !r.IsDeleted),
+                  ur => ur.RoleId, r => r.Id,
+                  (ur, r) => r.Name)
+            .ToListAsync();
+
+        // Build claims (same as JwtService)
+        var claims = new List<Claim>
+        {
+            new(ClaimTypes.NameIdentifier, apiKey.UserId),
+            new(ClaimTypes.Name, apiKey.User.Name ?? string.Empty),
+            new(ClaimTypes.Email, apiKey.User.Email ?? string.Empty),
+        };
+        foreach (var role in userRoles)
+        {
+            claims.Add(new Claim(ClaimTypes.Role, role));
+        }
+
+        var identity = new ClaimsIdentity(claims, Scheme.Name);
+        var principal = new ClaimsPrincipal(identity);
+        var ticket = new AuthenticationTicket(principal, Scheme.Name);
+
+        // Capture values before fire-and-forget (HttpContext may be recycled after response completes)
+        var apiKeyId = apiKey.Id;
+        var remoteIp = Request.HttpContext.Connection.RemoteIpAddress?.ToString();
+
+        // Update last used info (fire and forget)
+        _ = Task.Run(async () =>
+        {
+            try
+            {
+                using var updateScope = _scopeFactory.CreateScope();
+                var updateContext = updateScope.ServiceProvider.GetRequiredService<IContext>();
+                var keyToUpdate = await updateContext.ApiKeys.FindAsync(apiKeyId);
+                if (keyToUpdate != null)
+                {
+                    keyToUpdate.LastUsedAt = DateTime.UtcNow;
+                    keyToUpdate.LastUsedIp = remoteIp;
+                    await updateContext.SaveChangesAsync();
+                }
+            }
+            catch (Exception ex)
+            {
+                Logger.LogWarning(ex, "Failed to update API key last used info for prefix {KeyPrefix}", keyPrefix);
+            }
+        });
+
+        Logger.LogInformation("API key authenticated: prefix={KeyPrefix}, user={Email}", keyPrefix, apiKey.User.Email);
+        return AuthenticateResult.Success(ticket);
+    }
+}