api key authentication system implementation

2025-04-14 10:18:35 +02:00
parent 9a18e4bffa
commit 8022fceff4
3 changed files with 219 additions and 0 deletions
--- a/pages/api/admin/api-keys.ts
+++ b/pages/api/admin/api-keys.ts
@@ -0,0 +1,88 @@
+import type { NextApiRequest, NextApiResponse } from "next"
+import sqlite3 from "sqlite3"
+import path from "path"
+import { generateApiKey, hashApiKey } from "../../../lib/api-auth"
+
+export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+  const dbPath = path.join(process.cwd(), "database", "antihoax.db")
+  const db = new sqlite3.Database(dbPath)
+  
+  try {
+    if (req.method === "GET") {
+      const keys = await new Promise<any[]>((resolve, reject) => {
+        db.all(
+          `SELECT id, name, permissions, rate_limit, is_active, last_used, created_at
+           FROM api_keys ORDER BY created_at DESC`,
+          (err, rows) => {
+            if (err) reject(err)
+            else resolve(rows)
+          }
+        )
+      })
+      
+      res.json({ 
+        keys: keys.map(key => ({
+          ...key,
+          permissions: key.permissions ? JSON.parse(key.permissions) : [],
+          key_preview: '***...' + (key.id.toString().slice(-4))
+        }))
+      })
+      
+    } else if (req.method === "POST") {
+      const { name, permissions = [], rate_limit = 1000 } = req.body
+      
+      if (!name) {
+        return res.status(400).json({ error: "Name required" })
+      }
+      
+      const apiKey = generateApiKey()
+      const keyHash = hashApiKey(apiKey)
+      
+      const result = await new Promise<any>((resolve, reject) => {
+        db.run(
+          `INSERT INTO api_keys (key_hash, name, permissions, rate_limit, is_active, created_at)
+           VALUES (?, ?, ?, ?, 1, datetime('now'))`,
+          [keyHash, name, JSON.stringify(permissions), rate_limit],
+          function(err) {
+            if (err) reject(err)
+            else resolve({ id: this.lastID })
+          }
+        )
+      })
+      
+      res.json({
+        success: true,
+        id: result.id,
+        api_key: apiKey, // Only returned once during creation
+        name,
+        permissions,
+        rate_limit
+      })
+      
+    } else if (req.method === "DELETE") {
+      const { id } = req.query
+      
+      await new Promise<void>((resolve, reject) => {
+        db.run(
+          'UPDATE api_keys SET is_active = 0 WHERE id = ?',
+          [id],
+          (err) => {
+            if (err) reject(err)
+            else resolve()
+          }
+        )
+      })
+      
+      res.json({ success: true })
+      
+    } else {
+      res.status(405).json({ error: "Method not allowed" })
+    }
+    
+  } catch (error) {
+    console.error('API keys error:', error)
+    res.status(500).json({ error: "Operation failed" })
+  } finally {
+    db.close()
+  }
+}