Skip to content

Releases: rameerez/api_keys

v0.3.0

Choose a tag to compare

@rameerez rameerez released this 09 Feb 05:08

Highlights

Major release adding Stripe-style key types with permission ceilings, environment isolation (test/live), and a security fix for scope enforcement.

New Features

  • Stripe-style key types โ€” publishable (pk_*) and secret (sk_*) keys with per-type permission ceilings
  • Environment isolation โ€” test/live key prefixes (pk_test_, sk_live_) with strict environment enforcement
  • Public key token storage โ€” non-revocable publishable keys can be viewed again in the dashboard
  • Headless helpers โ€” for apps with custom dashboard integrations
  • Usage analytics scopes โ€” admin dashboard query helpers

Fixes

  • Fix PostgreSQL FOR UPDATE with COUNT aggregate error
  • Security: Fix blank scopes bypass in key_types mode โ€” empty scopes no longer grant unrestricted access when permission ceilings are configured

What's Changed

  • Ensure comprehensive testing and production readiness by @rameerez in #5
  • Add Stripe-style key types and environments (publishable/secret keys with test/live isolation) by @rameerez in #6
  • Fix PostgreSQL FOR UPDATE with COUNT aggregate error by @rameerez in #7
  • Add public key token storage for non-revocable publishable keys by @rameerez in #8
  • Add headless helpers for custom dashboard integrations by @rameerez in #9
  • Add usage analytics scopes for admin dashboards by @rameerez in #10
  • Fix blank scopes bypass in key_types mode by @rameerez in #11

Full Changelog: v0.2.1...v0.3.0


Production-readiness review (2026-07-07)

Full release review ahead of the RubyGems push and the RailsFast v1.0.0 integration โ€” verdict: GO. (At review time 0.3.0 was tagged but not yet on RubyGems, so Bundler still resolved 0.2.1.) Everything below was verified empirically inside a fresh RailsFast app โ€” Ruby 4.0.5 / Rails 8.1.3 / PostgreSQL with uuid primary keys โ€” not just the gem's own suite:

  • Install path: rails generate api_keys:install correctly picks up the host app's primary_key_type (uuid) for both the table and the polymorphic owner FK, and jsonb on PostgreSQL.
  • Auth matrix (integration-tested): missing/garbage/truncated tokens โ†’ missing_token/invalid_token; revoked โ†’ revoked_key; expired โ†’ expired_key; Bearer and raw Authorization header forms both accepted; authenticate_api_key!(scope:) gates enforced (missing_scope); simple mode's "no scopes = unrestricted" default confirmed. The documented ActionController::API + include ApiKeys::Controller pattern works as advertised on Rails 8.1.
  • Security spot-checks: plaintext is never persisted (stored digest == SHA256(token), #token nil after reload); publishable-key plaintext storage is correctly double-gated on public: true and revocable: false; the dashboard is fully owner-scoped (a cross-user access probe was rejected); revocation lag is bounded by the 5-second default cache_ttl; token entropy is 24 random bytes (~192 bits) with the default :sha256 strategy giving O(1) indexed lookup.
  • Dashboard: Devise-authenticated mount, key minting through the UI (blank form scopes cleaned), show-once plaintext, revoke flow โ€” all green.
  • Boot/deploy gates: host-app suite green with the gem enabled (235 runs, 0 failures), zeitwerk production-parity eager load clean, assets:precompile with no reachable database exits 0 (Docker image builds are safe), and a full RAILS_ENV=production eager-loaded boot verified end to end.
  • Package: gem build produces a clean package โ€” 61 files, zero test/dummy leakage.
  • CI: matrix green on Ruby 3.3 / 3.4 / 4.0 ร— Rails 7.2 / 8.1.

Non-blocking hardening and polish follow-ups from the review are tracked in #12.

v0.2.1

Choose a tag to compare

@rameerez rameerez released this 04 Aug 22:33
d9a4f83

#4 Fixes a production error that was caused by SecurityController referencing a non-existent callback :authenticate_api_keys_user! instead of the correct :authenticate_api_keys_owner! defined in ApplicationController

For searchability, the verbatim error was:

Before `process_action` callback `:authenticate_api_keys_user!` has not been defined

User-agnostic API key owner

Choose a tag to compare

@rameerez rameerez released this 03 Jun 18:31
  • Make gem owner-agnostic: API keys can now belong to any model (User, Organization, Team, etc.)
  • Add flexible dashboard configuration for custom owner models
  • Add support for multi-tenant and team-based API key ownership
  • Improve documentation with common ownership scenarios
  • Add configuration options for current_owner_method and authenticate_owner_method

๐ŸŽ‰ Initial release!

Choose a tag to compare

@rameerez rameerez released this 30 Apr 16:52

Initial release:

  • Issue new keys
  • Secure store of hashed digest
  • Sensible, secure defaults
  • Self-serve dashboard mountable via Rails engine
  • Revoke keys, expire tokens, etc.