Open KangarooWasp opened 2 years ago
So this definitely makes sense, although just a static API key isn't amazing security-wise. I'd consider it, but at least for your use case, would a better option be allowing authorization through Discord? That would seem optimal for a Discord bot, as it is natural to already be authenticated to Discord, so you can just use the auth you have in-hand already.
It's been a while since I've made a new one, but I'm pretty sure Discord bots authenticate with Discord using a static API key.
Anyway, unless I'm mistaken I don't think that the Discord auth API would allow bots to authenticate on third-party websites, that seems like it'd be a bit of a security flaw?
So there are two different flows here: the bot or server side of the Discord application authenticates using a fixed secret and client ID, but then there is an OpenID flow to allow another service to authenticate that user (and potentially act on their behalf).
The thing I'm suggesting here is that the bot does an OpenID flow, this then allows MD to authenticate the bot with Discord, and then MD can issue a short-term token for the bot to use to access the MD APIs.
This would just reduce the amount of static keys that could be compromised and need to be revoked, etc...
I don't see why it would be a security issue to allow the bot to do an auth flow, but Discord may treat the account differently and not allow it as the bot doesn't have the same kind of profile a normal user has, I'll have to take a look.
In my opinion, a static API key is much easier and can be used in more use cases, outside of Discord bots etc. It would also allow apps and scripts to authenticate as regular users (which could be helpful to allow manual edits as well as automated edits) rather than having their own account that could only be accessed through the Discord bot (which is what I think your commented implementation would do).
Perhaps accounts would have to first enable their static API key in their Massive Decks account page? And then they can use a static API key with the option to regenerate the API key if needed in the event of the key leaking etc. You could maybe pair the key with some sort of user ID or just the username if you wanted to make it less susceptible to brute-forcing?
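A sketch of the static-key scheme discussed in this thread, as an added example that is not Massive Decks' own code: keys are hashed at rest, paired with a user ID, regenerable after a leak, and exchangeable for a short-lived token so the long-lived key is rarely sent. The in-memory account table and the `TOKEN_TTL` value are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory account table standing in for Massive Decks' real one (assumption).
@dataclass
class Account:
    user_id: str
    api_key_hash: Optional[bytes] = None                       # only a hash of the static key is kept
    tokens: dict = field(default_factory=dict)                 # token hash -> expiry (unix seconds)

def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()

class ApiKeyStore:
    TOKEN_TTL = 3600  # short-lived token lifetime in seconds (assumed value)

    def __init__(self) -> None:
        self.accounts: dict = {}

    def enable_key(self, user_id: str) -> str:
        """Generate or regenerate the account's key; the plaintext is shown once and never stored."""
        key = secrets.token_urlsafe(32)
        acct = self.accounts.setdefault(user_id, Account(user_id))
        acct.api_key_hash = _digest(key)
        acct.tokens.clear()  # regenerating after a leak also invalidates tokens minted with the old key
        return key

    def authenticate(self, user_id: str, presented_key: str) -> bool:
        """The key is paired with a user ID, so a guess must match both; the compare is constant-time."""
        acct = self.accounts.get(user_id)
        stored = acct.api_key_hash if acct and acct.api_key_hash else _digest("")  # same work either way
        ok = hmac.compare_digest(_digest(presented_key), stored)
        return ok and acct is not None and acct.api_key_hash is not None

    def issue_token(self, user_id: str, presented_key: str, now: float) -> Optional[str]:
        """Exchange a valid static key for a short-lived token so the long-lived key is rarely sent."""
        if not self.authenticate(user_id, presented_key):
            return None
        token = secrets.token_urlsafe(32)
        self.accounts[user_id].tokens[_digest(token)] = now + self.TOKEN_TTL
        return token

    def check_token(self, user_id: str, token: str, now: float) -> bool:
        acct = self.accounts.get(user_id)
        expiry = acct.tokens.get(_digest(token)) if acct else None
        return expiry is not None and now < expiry
```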
I'd like there to be a way to authenticate with an API key (which could perhaps be generated via the website when logged into an existing account), so that it's possible to programmatically modify existing decks/create new ones, without having to mess around with Google or Twitch's login features.
(as I stated in https://github.com/Lattyware/massivedecks/issues/250, my motivation here is to create a Discord bot that makes it possible for small communities to collaborate on a deck)