dohertj2/mxaccessgw
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Dashboard: delete revoked API keys + confirm Rotate/Revoke/Delete

Browse Source 
Add IApiKeyAdminStore.DeleteAsync that only deletes already-revoked
rows (active keys must be revoked first so the revoke event lands in
the audit log before the row disappears) and a matching admin-gated
DashboardApiKeyManagementService.DeleteAsync. ApiKeysPage now shows
Delete on revoked rows in place of the old "No actions" stub, and
Rotate/Revoke/Delete all route through ConfirmDialog so each
destructive action requires an explicit confirmation step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Joseph Doherty
2026-05-24 07:30:30 -04:00
parent c5153d68bb
commit 24cc5fd0f0
7 changed files with 218 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/ZB.MOM.WW.MxGateway.Server/Dashboard/Components/Pages/ApiKeysPage.razor
+84 -15
View File
@@ -39,6 +39,15 @@ else
</div>
}
<ConfirmDialog IsOpen="@(PendingAction is not null)"
Title="@(PendingAction?.Title ?? string.Empty)"
Message="@(PendingAction?.Message ?? string.Empty)"
ConfirmLabel="@(PendingAction?.ConfirmLabel ?? "Confirm")"
ConfirmButtonClass="@(PendingAction?.ConfirmButtonClass ?? "btn-primary")"
IsBusy="IsBusy"
OnConfirm="ConfirmPendingAsync"
OnCancel="CancelPending" />
@if (IsCreateDialogOpen)
{
<div class="modal-backdrop fade show"></div>
@@ -171,18 +180,22 @@ else
revoked key is not un-revoked as a side effect of rotation. *@
<button type="button" class="btn btn-outline-secondary"
disabled="@IsBusy"
@onclick="() => RotateApiKeyAsync(key.KeyId)">
@onclick="() => RequestRotate(key.KeyId)">
Rotate
</button>
<button type="button" class="btn btn-outline-danger"
disabled="@IsBusy"
@onclick="() => RevokeApiKeyAsync(key.KeyId)">
@onclick="() => RequestRevoke(key.KeyId)">
Revoke
</button>
}
else
{
<span class="text-muted small">No actions</span>
<button type="button" class="btn btn-outline-danger"
disabled="@IsBusy"
@onclick="() => RequestDelete(key.KeyId)">
Delete
</button>
}
</div>
</td>
@@ -252,24 +265,80 @@ else
.ConfigureAwait(false);
}
private async Task RevokeApiKeyAsync(string keyId)
private PendingConfirm? PendingAction { get; set; }
private void RequestRotate(string keyId)
{
await RunManagementActionAsync(user => ApiKeyManagementService.RevokeAsync(
user,
keyId,
CancellationToken.None))
.ConfigureAwait(false);
if (IsBusy)
{
return;
}
PendingAction = new PendingConfirm(
Title: "Rotate API key?",
Message: $"Rotate the secret for key {keyId}? Any client still using the previous secret will start failing immediately.",
ConfirmLabel: "Rotate",
ConfirmButtonClass: "btn-warning",
Action: user => ApiKeyManagementService.RotateAsync(user, keyId, CancellationToken.None));
}
private async Task RotateApiKeyAsync(string keyId)
private void RequestRevoke(string keyId)
{
await RunManagementActionAsync(user => ApiKeyManagementService.RotateAsync(
user,
keyId,
CancellationToken.None))
.ConfigureAwait(false);
if (IsBusy)
{
return;
}
PendingAction = new PendingConfirm(
Title: "Revoke API key?",
Message: $"Revoke key {keyId}? Clients using it will be rejected on the next request.",
ConfirmLabel: "Revoke",
ConfirmButtonClass: "btn-danger",
Action: user => ApiKeyManagementService.RevokeAsync(user, keyId, CancellationToken.None));
}
private void RequestDelete(string keyId)
{
if (IsBusy)
{
return;
}
PendingAction = new PendingConfirm(
Title: "Delete API key?",
Message: $"Permanently delete revoked key {keyId}? This removes the row from the auth database — only the audit log will retain the history.",
ConfirmLabel: "Delete",
ConfirmButtonClass: "btn-danger",
Action: user => ApiKeyManagementService.DeleteAsync(user, keyId, CancellationToken.None));
}
private void CancelPending()
{
if (!IsBusy)
{
PendingAction = null;
}
}
private async Task ConfirmPendingAsync()
{
if (IsBusy || PendingAction is null)
{
return;
}
Func<System.Security.Claims.ClaimsPrincipal, Task<DashboardApiKeyManagementResult>> action = PendingAction.Action;
PendingAction = null;
await RunManagementActionAsync(action).ConfigureAwait(false);
}
private sealed record PendingConfirm(
string Title,
string Message,
string ConfirmLabel,
string ConfirmButtonClass,
Func<System.Security.Claims.ClaimsPrincipal, Task<DashboardApiKeyManagementResult>> Action);
private async Task RunManagementActionAsync(
Func<System.Security.Claims.ClaimsPrincipal, Task<DashboardApiKeyManagementResult>> action)
{
src/ZB.MOM.WW.MxGateway.Server/Dashboard/DashboardApiKeyManagementService.cs
+33
View File
@@ -143,6 +143,39 @@ public sealed class DashboardApiKeyManagementService(
}
}
public async Task<DashboardApiKeyManagementResult> DeleteAsync(
ClaimsPrincipal user,
string keyId,
CancellationToken cancellationToken)
{
if (!CanManage(user))
{
return DashboardApiKeyManagementResult.Fail(UnauthorizedMessage);
}
string? validation = ValidateKeyId(keyId);
if (validation is not null)
{
return DashboardApiKeyManagementResult.Fail(validation);
}
string normalizedKeyId = keyId.Trim();
bool deleted = await adminStore
.DeleteAsync(normalizedKeyId, cancellationToken)
.ConfigureAwait(false);
await AppendAuditAsync(
normalizedKeyId,
"dashboard-delete-key",
deleted ? "deleted" : "not-found-or-active",
cancellationToken)
.ConfigureAwait(false);
return deleted
? DashboardApiKeyManagementResult.Success("API key deleted.")
: DashboardApiKeyManagementResult.Fail("API key was not found, or is still active. Revoke it before deleting.");
}
private async Task AppendAuditAsync(
string? keyId,
string eventType,
src/ZB.MOM.WW.MxGateway.Server/Dashboard/IDashboardApiKeyManagementService.cs
+5
View File
@@ -20,4 +20,9 @@ public interface IDashboardApiKeyManagementService
ClaimsPrincipal user,
string keyId,
CancellationToken cancellationToken);
Task<DashboardApiKeyManagementResult> DeleteAsync(
ClaimsPrincipal user,
string keyId,
CancellationToken cancellationToken);
}
src/ZB.MOM.WW.MxGateway.Server/Security/Authentication/IApiKeyAdminStore.cs
+11
View File
@@ -39,4 +39,15 @@ public interface IApiKeyAdminStore
byte[] secretHash,
DateTimeOffset rotatedUtc,
CancellationToken cancellationToken);
/// <summary>
/// Permanently deletes an API key, but only if it is already revoked. Active keys are
/// untouched (returns false) so an admin cannot delete a working credential without
/// first revoking it — that preserves the audit trail and forces the revoke event to
/// land in the audit log before the row disappears.
/// </summary>
/// <param name="keyId">Key identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if a revoked key was deleted; false if the key is missing or active.</returns>
Task<bool> DeleteAsync(string keyId, CancellationToken cancellationToken);
}
src/ZB.MOM.WW.MxGateway.Server/Security/Authentication/SqliteApiKeyAdminStore.cs
+17
View File
@@ -109,6 +109,23 @@ public sealed class SqliteApiKeyAdminStore(AuthSqliteConnectionFactory connectio
return rows > 0;
}
/// <inheritdoc />
public async Task<bool> DeleteAsync(string keyId, CancellationToken cancellationToken)
{
await using SqliteConnection connection = await connectionFactory.OpenConnectionAsync(cancellationToken).ConfigureAwait(false);
await using SqliteCommand command = connection.CreateCommand();
command.CommandText = """
DELETE FROM api_keys
WHERE key_id = $key_id AND revoked_utc IS NOT NULL;
""";
command.Parameters.AddWithValue("$key_id", keyId);
int rows = await command.ExecuteNonQueryAsync(cancellationToken).ConfigureAwait(false);
return rows > 0;
}
private static void AddCreateParameters(SqliteCommand command, ApiKeyCreateRequest request)
{
command.Parameters.AddWithValue("$key_id", request.KeyId);
src/ZB.MOM.WW.MxGateway.Tests/Gateway/Dashboard/DashboardApiKeyManagementServiceTests.cs
+63
View File
@@ -112,6 +112,56 @@ public sealed class DashboardApiKeyManagementServiceTests
&& entry.Details == "rotated");
}
[Fact]
public async Task DeleteAsync_UnauthorizedUser_DoesNotCallStore()
{
FakeApiKeyAdminStore adminStore = new();
DashboardApiKeyManagementService service = CreateService(adminStore);
DashboardApiKeyManagementResult result = await service.DeleteAsync(
new ClaimsPrincipal(new ClaimsIdentity()),
"operator01",
CancellationToken.None);
Assert.False(result.Succeeded);
Assert.Equal(0, adminStore.DeleteCount);
}
[Fact]
public async Task DeleteAsync_AuthorizedUser_DeletesRevokedKeyAndAudits()
{
FakeApiKeyAdminStore adminStore = new() { DeleteResult = true };
FakeApiKeyAuditStore auditStore = new();
DashboardApiKeyManagementService service = CreateService(adminStore, auditStore);
DashboardApiKeyManagementResult result = await service.DeleteAsync(
CreateAuthorizedUser(),
"operator01",
CancellationToken.None);
Assert.True(result.Succeeded);
Assert.Equal("operator01", adminStore.LastDeletedKeyId);
Assert.Contains(auditStore.Entries, entry =>
entry.EventType == "dashboard-delete-key"
&& entry.KeyId == "operator01"
&& entry.Details == "deleted");
}
[Fact]
public async Task DeleteAsync_WhenStoreRefuses_ReportsFriendlyError()
{
FakeApiKeyAdminStore adminStore = new() { DeleteResult = false };
DashboardApiKeyManagementService service = CreateService(adminStore);
DashboardApiKeyManagementResult result = await service.DeleteAsync(
CreateAuthorizedUser(),
"operator01",
CancellationToken.None);
Assert.False(result.Succeeded);
Assert.Contains("Revoke", result.Message, StringComparison.Ordinal);
}
/// <summary>
/// Server-004 regression: the dashboard create path must reject a request
/// carrying a non-canonical scope string rather than persisting a key whose
@@ -184,12 +234,18 @@ public sealed class DashboardApiKeyManagementServiceTests
public int RevokeCount { get; private set; }
public int DeleteCount { get; private set; }
public bool RevokeResult { get; init; }
public bool RotateResult { get; init; }
public bool DeleteResult { get; init; }
public string? LastRevokedKeyId { get; private set; }
public string? LastDeletedKeyId { get; private set; }
public byte[]? LastRotatedSecretHash { get; private set; }
public List<ApiKeyCreateRequest> CreatedRequests { get; } = [];
@@ -225,6 +281,13 @@ public sealed class DashboardApiKeyManagementServiceTests
LastRotatedSecretHash = secretHash;
return Task.FromResult(RotateResult);
}
public Task<bool> DeleteAsync(string keyId, CancellationToken cancellationToken)
{
DeleteCount++;
LastDeletedKeyId = keyId;
return Task.FromResult(DeleteResult);
}
}
private sealed class FakeApiKeyAuditStore : IApiKeyAuditStore
src/ZB.MOM.WW.MxGateway.Tests/Gateway/Dashboard/DashboardSnapshotServiceTests.cs
+5
View File
@@ -447,6 +447,11 @@ public sealed class DashboardSnapshotServiceTests
{
return Task.FromResult(false);
}
public Task<bool> DeleteAsync(string keyId, CancellationToken cancellationToken)
{
return Task.FromResult(false);
}
}
private class CountingApiKeyAdminStore(params ApiKeyRecord[] records) : FakeApiKeyAdminStore