captaincodeman / svelte-api-keys Goto Github PK

Example: you have an API route /routes/api/projects/[id]/+server.ts

You could have a permission allowing you access to all projects, such as project:* or you might want a token that only allows access to a specific project, so would have a permission like project:world-domination

Fairly easy to do, but maybe not obvious:

export async function GET({ locals, params }) {
  const { id } = params
  await locals.api.any(`project:*`, `project:${id}`).approve(limit)
  // rest of code
}

Allow updating permissions on existing API keys

Cover lots of databases for key storage - use something like Drizzle (?)

Document how to implement API Key Prefixes to indicate usage, similar as Stripe's pk_test_ (prefix can be stripped out via custom fn in key extractor)

There would never be enough tokens available to fulfill the request, so the system should warn when this is detected

e.g. for cloudflare, when it would be in a http header (True-Client-IP?) instead of using SvelteKit's event.getClientAddress()

Combine Handler into KeyManager, and also pass in KeyExtractor Options as a parameter instead of it being a separate instance. i.e. it's just the key store and token bucket implementation (that have different implementations) that need to be passed in.

before

const store = new InMemoryKeyStore()
const manager = new KeyManager(store)
const bucket = new InMemoryTokenBucket()
const extractor = new KeyExtractor({ searchParam: 'key', httpHeader: 'x-api-key' })
const handler = new Handler(extractor, manager, bucket)

export const handle = handler.handle

after

const store = new InMemoryKeyStore()
const bucket = new InMemoryTokenBucket()
const manager = new KeyManager(store, bucket, { searchParam: 'key', httpHeader: 'x-api-key' })

export const handle = manager.handle

Demo doesn't need to be making real http requests, which then require a backend.

It can use the pieces to emulate making requests, which would also allow it to visualize the operation of the token buckets and permission checks.

More importantly, it can then the run completely client-side so it wouldn't require a real back-end and could be run on GitHub Pages.

Make it easier to call the limit fn in endpoints, without requiring any imports, by accepting rate and size parameters directly (which are normally used for the Refill constructor). The api object on locals could also expose the SECOND, MINUTE, etc... constants

before

import { MINUTE, Refill } from 'svelte-api-keys'

const rate = new Refill(30 / MINUTE, 10)

export async function GET({ locals }) {
  await locals.api.has('read').limit(rate)
  // process request
}

after

export async function GET({ locals }) {
  await locals.api.has('read').limit(30 / locals.api.MINUTE, 10)
  // process request
}

Unless the key size is way too small the chances are so tiny as to be impossible, which means it's guaranteed to happen ...