Support multiple API keys

chucker commented 1 month ago

(This is identical to https://github.com/loic-sharma/BaGet/issues/801; it appears this fork is more active.)

Is your feature request related to a problem? Please describe.

Currently, the recommended approach to authentication is an API key. However, this only enables you to set one API key for your entire staff. This requires key rotation as soon as one staffer leaks the key and/or leaves the team.

Describe the solution you'd like

Therefore, what I would like is simply the — optional — ability to define multiple API keys, e.g.:

  "ApiKeys": [
    {
      "User": "Frank",
      "Key": "asd"
    },
    {
      "User": "Sarah",
      "Key": "qwe"
    },
    {
      "User": "Kim",
      "Key": "zxc"
    },
  ]

On a technical level,

ApiKeys has precedence over ApiKey, if present.
The code only really cares about the Key property. The User property is human metadata.

Describe alternatives you've considered

What we do now instead is use IIS to setup HTTP basic auth, but unfortunately, NuGet (whether through dotnet, VS, or Rider) handles HTTP auth very poorly. The recommended path for them, too, appears to be API keys.

Regenhardt commented 1 month ago

Hi chucker, this is being implemented in #156 currently, you're welcome to review the changes, it's almost ready to merge.

chucker commented 1 month ago

Yep, this is pretty much a dupe of #147. Thanks!

bagetter / BaGetter