DEV: Add deprecation warning of non-header based API auth

This change adds a message to the admin panel if it detects an API request that doesn't use the new header-based authentication method.

The message is to warn people to switch to header-based auth and links to the API documentation topic on Meta for more info.

diff --git a/app/models/admin_dashboard_data.rb b/app/models/admin_dashboard_data.rb
index 633b1a0019..0ef9960d1b 100644
--- a/app/models/admin_dashboard_data.rb
+++ b/app/models/admin_dashboard_data.rb
@@ -84,7 +84,8 @@ class AdminDashboardData
     @problem_messages = [
-      'dashboard.poll_pop3_auth_error'
+      'dashboard.poll_pop3_auth_error',
+      'dashboard.deprecated_api_usage'
     add_problem_check :rails_env_check, :host_names_check, :force_https_check,
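Review bot: Nothing in this hunk, or elsewhere in the diff, clears `dashboard.deprecated_api_usage` once it has been raised, so after a single legacy request the warning stays on the dashboard until someone removes the key by hand. Since `@problem_messages` is the list of keys the dashboard polls for, either pass an expiry when the message is added in `lib/auth/default_current_user_provider.rb` (the truncated `add_problem_message('dashboard.deprecated_api_usage',` call there looks like it was meant to take one) or add a way for the check to be re-evaluated, otherwise admins who have already migrated every client keep seeing it.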
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 0e313715f2..ffd59c8380 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -1338,6 +1338,7 @@ en:
       other: "Email polling has generated %{count} errors in the past 24 hours. Look at <a href='%{base_path}/logs' target='_blank'>the logs</a> for more details."
     missing_mailgun_api_key: "The server is configured to send emails via Mailgun but you haven't provided an API key used to verify the webhook messages."
     bad_favicon_url: "The favicon is failing to load. Check your favicon setting in <a href='%{base_path}/admin/site_settings'>Site Settings</a>."
+    deprecated_api_usage: "We detected an API request using a deprecated authentication method. Please update it to use <a href=''>header based auth</a>."
     poll_pop3_timeout: "Connection to the POP3 server is timing out. Incoming email could not be retrieved. Please check your <a href='%{base_path}/admin/site_settings/category/email'>POP3 settings</a> and service provider."
     poll_pop3_auth_error: "Connection to the POP3 server is failing with an authentication error. Please check your <a href='%{base_path}/admin/site_settings/category/email'>POP3 settings</a>."
     force_https_warning: "Your website is using SSL. But `<a href='%{base_path}/admin/site_settings/category/all_results?filter=force_https'>force_https</a>` is not yet enabled in your site settings."
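Review bot: The `deprecated_api_usage` string ships with an empty link target, `<a href=''>header based auth</a>`, so the "links to the API documentation topic on Meta" promised in the commit message is a dead anchor that just reloads the dashboard. Fill in the topic URL before merge, and for consistency with the neighbouring `poll_pop3` entries consider `target='_blank'` so admins are not navigated away from the admin panel. It would also help to say *which* credential made the request, since a site with several API keys cannot tell from this text which client needs updating; the `api_username` is already in hand at the call site.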
diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
index d7ffdbeb3e..353555880e 100644
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -283,6 +283,10 @@ class Auth::DefaultCurrentUserProvider
   def lookup_api_user(api_key_value, request)
     if api_key = api_key_value).includes(:user).first
       api_username = header_api_key? ? @env[HEADER_API_USERNAME] : request[API_USERNAME]
+      if !header_api_key?
+        # Notify admins of deprecated auth method
+        AdminDashboardData.add_problem_message('dashboard.deprecated_api_usage',
+      end
       if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { |ip| ip.include?(request.ip) }
         Rails.logger.warn("[Unauthorized API Access] username: #{api_username}, IP address: #{request.ip}")
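Review bot: The added line `AdminDashboardData.add_problem_message('dashboard.deprecated_api_usage',` ends in a trailing comma with no closing parenthesis, so as shown the method body does not parse; the second argument (presumably an expiry in seconds) needs to be restored. Two further points on placement: the notification is raised before the `allowed_ips` check, so a request that is about to be rejected as `[Unauthorized API Access]` still flags the dashboard, and it would be cleaner to move the block after that check so only requests that actually authenticate count as legacy usage. It also fires on every non-header request, meaning a busy legacy integration writes to the problem-message store on each call; the surrounding `Rails.logger.warn` is the right model here, and logging `api_username` alongside the dashboard message would let admins identify the offending client.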

GitHub sha: 2db20031
