Cannot delete an API key generated through OAuth
See: https://rollbar.com/carto/CartoDB/items/37066/
Context
When granting access to other artifacts (a sequence, a view, etc.) to the db role associated with an OAuth-generated API key, the role is not dropped.
Steps to Reproduce
- Authorize a user
https://reveal-user1.carto.com/oauth2/authorize?client_id=8vA48VW9UwMr&response_type=token&state=9808598598718741&redirect_uri=https://localhost:8080/oauth&scope=dataservices:routing
- Use the access token returned in the previous step to get the session role (in the example below, access_token=PJd8M69xWmyoV3P7OnqR3w)
curl -X POST \
'https://reveal-user1.carto.com/api/v2/sql?api_key=PJd8M69xWmyoV3P7OnqR3w' \
-H 'Content-Type: application/json' \
-d '{
"q": "SELECT session_user"
}'
output: carto_role_c29a4102-e799-426b-80b3-dd851923f1be
- GRANT SELECT to a table of another user in the same org:
curl -X POST \
'https://reveal-admin.carto.com/api/v2/sql?api_key=PJd8M69xWmyoV3P7OnqR3w' \
-H 'Content-Type: application/json' \
-d '{
"q": "GRANT SELECT ON \"reveal-admin\".projects TO \"carto_role_c29a4102-e799-426b-80b3-dd851923f1be\""
}'
- Once the key is expired (and destroyed), the Rollbar notification pops up
Current Result
See: https://rollbar.com/carto/CartoDB/items/37066/
Expected result
The role is dropped as expected and the key destroyed.
Additional info
Rollbar issue fixed manually from the rails console:
oat.api_key.send(:db_run, "DROP OWNED BY #{oat.api_key.db_role}"); oat.destroy
We could just include the fix here
summoning @javitonino for triage, feel free to assign it to me 😃
Issue Analytics
- State:
- Created 5 years ago
- Comments:7 (7 by maintainers)
Top GitHub Comments
🚀
Useful and related documentation: https://www.postgresql.org/docs/10/static/role-removal.html
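The failure mode reported in this issue, reproduced in plain PostgreSQL as an added example (not code from the issue or from CartoDB). The schema, table and role names are constructed, and the script assumes a superuser session in a scratch database.

```sql
-- Constructed names: demo_schema, projects, "carto_role_demo-0001".
CREATE SCHEMA demo_schema;
CREATE TABLE demo_schema.projects (id serial PRIMARY KEY, name text);

-- Hyphenated role name, like the carto_role_<uuid> roles on this page:
-- it must be double-quoted wherever it is used as an identifier.
CREATE ROLE "carto_role_demo-0001" NOLOGIN;

-- Privileges granted to the role after it was created.
GRANT USAGE  ON SCHEMA   demo_schema                 TO "carto_role_demo-0001";
GRANT SELECT ON TABLE    demo_schema.projects        TO "carto_role_demo-0001";
GRANT USAGE  ON SEQUENCE demo_schema.projects_id_seq TO "carto_role_demo-0001";

-- List what still references the role.
-- deptype 'a' = privilege (ACL) entry, 'o' = object owned by the role.
SELECT d.classid::regclass AS object_catalog, d.objid, d.deptype
FROM pg_shdepend d
JOIN pg_roles r ON r.oid = d.refobjid
WHERE d.refclassid = 'pg_authid'::regclass
  AND r.rolname = 'carto_role_demo-0001';

-- Fails while the grants exist:
--   ERROR: role "carto_role_demo-0001" cannot be dropped because some objects depend on it
DROP ROLE "carto_role_demo-0001";

-- Drops objects the role owns and revokes privileges granted to it.
-- It only acts on the current database (plus shared objects), so it has to
-- be run in every database where the role holds privileges or owns objects.
DROP OWNED BY "carto_role_demo-0001";

-- Succeeds once nothing depends on the role.
DROP ROLE "carto_role_demo-0001";

-- Clean up the constructed objects.
DROP SCHEMA demo_schema CASCADE;
```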