Use of org.jbei.ice.storage.model.ApiKey in project ice by JBEI: class ApiKeyDAO, method getApiKeysForUser.
/**
 * Lists the API keys owned by a user, ordered and paginated.
 *
 * @param userId email of the key owner, matched against the {@code ownerEmail} attribute
 * @param sort   name of the {@code ApiKey} attribute to order by. It is used as a JPA
 *               attribute path, not interpolated into SQL, so it is not an injection
 *               vector; a name that is not a mapped attribute typically makes
 *               {@code root.get(sort)} throw {@code IllegalArgumentException}, which is
 *               not a {@code HibernateException} and therefore escapes the catch below.
 *               Callers should restrict {@code sort} to known attribute names.
 * @param limit  maximum number of rows to return
 * @param start  zero-based offset of the first row to return
 * @param asc    {@code true} for ascending order, {@code false} for descending
 * @return the matching keys, possibly empty
 * @throws DAOException if Hibernate reports an error while building or running the query
 */
public List<ApiKey> getApiKeysForUser(String userId, String sort, int limit, int start, boolean asc) {
    try {
        CriteriaQuery<ApiKey> criteria = getBuilder().createQuery(ApiKey.class);
        Root<ApiKey> root = criteria.from(ApiKey.class);

        criteria.where(getBuilder().equal(root.get("ownerEmail"), userId));
        if (asc) {
            criteria.orderBy(getBuilder().asc(root.get(sort)));
        } else {
            criteria.orderBy(getBuilder().desc(root.get(sort)));
        }
        criteria.distinct(true);

        return currentSession().createQuery(criteria)
                .setFirstResult(start)
                .setMaxResults(limit)
                .list();
    } catch (HibernateException he) {
        Logger.error(he);
        throw new DAOException(he);
    }
}
Use of org.jbei.ice.storage.model.ApiKey in project ice by JBEI: class TokenVerification, method verifyAPIKey.
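/**
 * Verifies an API key presented by a client and resolves the user the request runs as.
 *
 * <p>The presented token is re-hashed with the stored secret as
 * {@code clientId + secret + clientId} (the same construction used when the key was
 * created) and compared against the stored hash. The comparison runs in constant time
 * so response timing does not reveal how many leading characters of the hash matched.
 *
 * <p>If the key belongs to an {@link AccountType#ADMIN} account, any existing account
 * email may be presented as {@code userId} and becomes the effective user; for every
 * other key the effective user is always the key owner, regardless of {@code userId}.
 *
 * @param token    plaintext API token presented by the client
 * @param clientId client identifier the key was issued to
 * @param userId   email of the user to act as, or {@code null} to act as the key owner
 * @return email of the effective user for this request
 * @throws PermissionException if the client id is unknown, the token does not match,
 *                             the owner account cannot be loaded, or an admin presents
 *                             a user id that does not exist
 */
public String verifyAPIKey(String token, String clientId, String userId) {
    Optional<ApiKey> optionalKey = DAOFactory.getApiKeyDAO().getByClientId(clientId);
    if (!optionalKey.isPresent())
        throw new PermissionException("Invalid client Id " + clientId);
    ApiKey key = optionalKey.get();

    // hash = (token, client + salt + client); must stay in sync with key creation
    String hashedToken = tokenHash.encrypt(token, clientId + key.getSecret() + clientId);
    if (!constantTimeEqualsIgnoreCase(hashedToken, key.getHashedToken()))
        throw new PermissionException("Invalid token");

    // NOTE(review): the key's AccessStatus is not consulted here; confirm that
    // revoked/disabled keys are rejected before or after this check.

    AccountDAO accountDAO = DAOFactory.getAccountDAO();
    Account account = accountDAO.getByEmail(key.getOwnerEmail());
    // getByEmail returns null for an unknown email (see the admin branch below);
    // a key whose owner account no longer exists must not be accepted
    if (account == null)
        throw new PermissionException("Invalid key owner");
    if (userId == null)
        userId = account.getEmail();

    // if the api belongs to an admin, accept whatever user id they present
    if (account.getType() == AccountType.ADMIN) {
        if (account.getEmail().equalsIgnoreCase(userId))
            return userId;
        if (accountDAO.getByEmail(userId) == null)
            throw new PermissionException("Invalid user id");
        return userId;
    }
    return key.getOwnerEmail();
}

/**
 * Case-insensitive comparison whose running time does not depend on the position of
 * the first mismatch. Both sides are lower-cased with {@code Locale.ROOT} and compared
 * as UTF-8 bytes via {@code MessageDigest.isEqual}; for the ASCII alphabets used by
 * hash encodings this is equivalent to {@code equalsIgnoreCase}.
 * Fully qualified names are used so no new import is required.
 *
 * @param a first value, may be {@code null}
 * @param b second value, may be {@code null}
 * @return {@code true} only if both are non-null and equal ignoring ASCII case
 */
private static boolean constantTimeEqualsIgnoreCase(String a, String b) {
    if (a == null || b == null)
        return false;
    byte[] left = a.toLowerCase(java.util.Locale.ROOT)
            .getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] right = b.toLowerCase(java.util.Locale.ROOT)
            .getBytes(java.nio.charset.StandardCharsets.UTF_8);
    return java.security.MessageDigest.isEqual(left, right);
}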
Use of org.jbei.ice.storage.model.ApiKey in project ice by JBEI: class UserApiKeys, method requestKey.
/**
 * Creates a new API key for the current user under the given client identifier.
 *
 * <p>The plaintext token is handed back exactly once and is never persisted: only the
 * salt (stored as {@code secret}) and the hash of {@code clientId + salt + clientId}
 * are saved, so the token cannot be recovered later. If it is lost, the key record can
 * be deleted by its owner (or an admin) and a new one created.
 *
 * <p>NOTE(review): the duplicate check and the insert are two separate database
 * operations, so two concurrent requests for the same client id could both pass the
 * check; confirm a unique constraint on the client id exists at the storage layer.
 *
 * @param clientId unique client identifier
 * @return the created key's transfer object with the plaintext token set, or
 *         {@code null} if looking up an existing key for {@code clientId} failed
 * @throws IllegalArgumentException if a key already exists for {@code clientId}
 */
public AccessKey requestKey(String clientId) {
    boolean alreadyExists;
    try {
        alreadyExists = apiKeyDAO.getByClientId(clientId).isPresent();
    } catch (DAOException e) {
        Logger.error(e);
        return null;
    }
    if (alreadyExists)
        throw new IllegalArgumentException("Attempting to create duplicate key for client id " + clientId);

    TokenHash hasher = new TokenHash();
    String plaintextToken = hasher.generateRandomToken(32);
    String salt = hasher.generateSalt();
    // the stored hash binds the token to the client id and salt; verification must
    // rebuild the same "clientId + salt + clientId" input to match
    String storedHash = hasher.encrypt(plaintextToken, clientId + salt + clientId);

    ApiKey entity = new ApiKey();
    entity.setOwnerEmail(userId);
    entity.setClientId(clientId);
    entity.setCreationTime(new Date());
    entity.setSecret(salt);
    entity.setHashedToken(storedHash);
    entity.setStatus(AccessStatus.OK);

    AccessKey created = apiKeyDAO.create(entity).toDataTransferObject();
    created.setToken(plaintextToken);
    return created;
}