authify-api 0.0.6 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d0212938c798f261b1090fb3f324e1e092bd6d42
-  data.tar.gz: 71144d630505d1f7d358868d358d5f408b1c1239
+  metadata.gz: a0f77e5a23fef6d16a82c095c2f76b9840dcf33f
+  data.tar.gz: c77e75b1605e0ea51c1bd589b47e9ca859735ba1
 SHA512:
-  metadata.gz: 25f7cd520b354df503b74aecac21523b8333df8103970e1ba6ae18d8a2b2b9b8dae79d17c2d28408bac22b34fd2a86707cb21302d2431748b597593dacfb6410
-  data.tar.gz: 28dddd5daba389f4d4b813fa1f8c83def144136552c307eac8d9ea9e2e92ccb9552da358a3ddbfe74a0c4461f04c53e21eb94133b28658f9ffba14eac16f4efb
+  metadata.gz: fb9a4ed3c1c41e5e3ef207521fcc33d1fe50177eafdfb4037702ae0bf81a941b48d81b266230339a71cdf2e896616325d009f08f656f1a869fa4220588edee63
+  data.tar.gz: 0afea4d9d48418bae6f32d597f15c440259c49e84da4d4403dfdb41ca30e7d3b6d0102f7b5e01f98aba9f40f9cd332b8f1f3b9cd065c970a4f86b1274207e110

data/.rubocop.yml

@@ -13,10 +13,15 @@ Metrics/MethodLength:
 Metrics/CyclomaticComplexity:
   Max: 10
 
+Metrics/PerceivedComplexity:
+  Max: 9
+
 BlockLength:
+  Max: 30
   Exclude:
     - '*.gemspec'
     - 'lib/authify/api/controllers/*.rb'
+    - Rakefile
 
 AllCops:
   Exclude:

data/Gemfile

@@ -2,3 +2,6 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in authify-api.gemspec
 gemspec
+
+gem 'sinja',
+    git: 'https://github.com/mwpastore/sinja.git', branch: 'master'

data/README.md

@@ -19,12 +19,14 @@ The Authify API service consists of a database for storing:
 
 Nearly all API endpoints available via Authify implement the [{json:api}](http://jsonapi.org/) 1.0 specification. The exceptions are:
 
-* `GET /jwt/key` - Returns Content Type: `application/x-pem-file`. This endpoint returns the PEM-encoded public key ([ES512](https://tools.ietf.org/html/rfc7518#section-3.4) (ECDSA)) which should be used to verify the signature made by the Authify service.
-* `POST /jwt/token` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to obtain a [JWT token](https://en.wikipedia.org/wiki/JSON_Web_Token) for authentication when interacting with restricted endpoints (both on this service and for other integrated services). This endpoint expects a JSON Object with either the keys `access_key` and `secret_key` _OR_ `email` and `password`. There is no firm requirement to use either pair for any particular purpose, but for scenarios where the credentials may be stored on local disk (like an API command-line client), that the `access_key` and `secret_key` be used since those can easily be revoked if necessary. Upon successful authentication, the endpoint provides an JSON Object with the key `jwt` and a signed -- but not encrypted -- JWT. There should be nothing highly sensitive embedded in the JWT. The JWT defaults to expiring every 15 minutes.
+* `GET /jwt/key` - Returns Content Type: `application/json`. This endpoint returns a JSON Object with the key `data` whose value is a PEM-encoded ECDSA public key, which should be used to verify the signature made by the Authify service.
+* `GET /jwt/meta` - Returns Content Type: `application/json`. This endpoint returns a JSON Object with the keys `algorithm`, `issuer`, and `expiration` that describe the kind of JWTs produced by this service.
+* `POST /jwt/token` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to obtain a [JWT](https://en.wikipedia.org/wiki/JSON_Web_Token). This endpoint expects a JSON Object with either the keys `access_key` and `secret_key` _OR_ `email` and `password`. There is no firm requirement to use either pair for any particular purpose, but for scenarios where the credentials may be stored, the `access_key` and `secret_key` may be used since those can easily be revoked if necessary. Upon successful authentication, the endpoint provides a JSON Object with the key `jwt` and a signed JWT. There should be nothing highly sensitive embedded in the JWT. The JWT defaults to expiring every 15 minutes.
+* `POST /registration/signup` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to signup for an account with Authify. This endpoint expects a JSON Object, requiring the keys `email` and `password`, with `name` and `via` being optional. If `via` is provided, then it must be a JSON Object with the keys `provider` and `uid`, otherwise it will be ignored. The `via` key is used to add an alternate identity (meaning they logged-in through an integration, like Github). This endpoint returns a JSON Object with the keys `id`, `email`, and `jwt` on success.
 
 All other endpoints adhere to the {json:api} specification and can be found at the following base paths:
 
-* `/api-keys` - User API keys. Index is restricted. Should only really be useful for users manipulating their own keys.
+* `/apikeys` - User API keys. Index is restricted. Should only really be useful for users manipulating their own keys.
 * `/groups` - Groups. Index is restricted. Most interactions with groups should be scoped via organizations.
 * `/identities` - Alternate User Identities. These are other services that the user can login via (web UI only).
 * `/organizations` - Organizations. These are high-level groupings of users and groups. Non-administrators should only be able to see limited amounts of information about organizations.
@@ -57,12 +59,158 @@ Or install it yourself as:
 The Authify API services supports the following configuration settings, managed via environment variables of the same name:
 
 * `AUTHIFY_DB_URL` - The URL used by [ActiveRecord](http://guides.rubyonrails.org/configuring.html#configuring-a-database) to connect to the database. Currently supports `mysql2://` or `sqlite3://` URLs, though any driver supported by ActiveRecord should work if the required gems are installed. Defaults to `mysql2://root@localhost:3306/authifydb`.
-* `AUTHIFY_PUBKEY_PATH` - The path on the filesystem to the PEM-encoded, public ECDSA key.
-* `AUTHIFY_PRIVKEY_PATH` - The path on the filesystem to the PEM-encoded, private ECDSA key. Currently, Authify only supports a [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) key using a `secp521r1` curve and the [SHA-512](https://en.wikipedia.org/wiki/SHA-2) hashing algorithm.
-* `AUTHIFY_JWT_ISSUER` - The name of the issuer ([iss field](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields)) used when creating the JWT. This **must** match on any service that verifies the JWT (meaning any service relying on Authify for authentication).
+* `AUTHIFY_PUBKEY_PATH` - The path on the filesystem to the PEM-encoded, public ECDSA key. Defaults to `~/.authify/ssl/public.pem`.
+* `AUTHIFY_PRIVKEY_PATH` - The path on the filesystem to the PEM-encoded, private ECDSA key. Currently, Authify only supports an [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) keys. Options include using a `secp521r1` curve and the [SHA-512](https://en.wikipedia.org/wiki/SHA-2) hashing algorithm (called `ES512`), a `secp384r1` curve and the SHA-384 hashing algorithm (called `ES384`), or a `prime256v1` curve and the SHA-256 hashing algorithm (called `ES256`). See `AUTHIFY_JWT_ALGORITHM` below for information on how to configure Authify's algorithm to match the public and private keys you provide. The keys you specify **must** match the ECDSA algortihm and curve used to create them. 
+* `AUTHIFY_JWT_ISSUER` - The name of the issuer ([iss field](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields)) used when creating the JWT. This **must** match on any service that verifies the JWT (meaning any service relying on Authify for authentication), and it **must** be the same for all services that integrate with Authify.
+* `AUTHIFY_JWT_ALGORITHM` - The name of the [JWA](https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40) algorithm to use when loading keys and creating or verifying JWT signatures. Valid values are `ES256`, `ES384`, or `ES512`. Defaults to `ES512`. This **must** match the curve and algorithm used to produce the public and private keys found at `AUTHIFY_PUBKEY_PATH` and `AUTHIFY_PRIVKEY_PATH`, respectively. Note that the curves `prime256v1` (also called NIST P-256) used by `ES256` and `secp384r1` (also called NIST P-384) used by `ES384`, while offering a wider range of compatible SSL libraries, are described as unsafe on [SafeCurves](https://safecurves.cr.yp.to/) for several reasons described there.
+* `AUTHIFY_JWT_EXPIRATION` - How long should a JWT be valid (in minutes). Defaults to 15. Too small of a value will mean a lot more requests to the API; too high increases the possibility of viable keys being captured.
 
 ## Usage and Authentication Workflow
 
+### Generating an SSL Certificate
+
+Here is an example in Ruby for generating an SSL cert for use with the Authify API server:
+
+```ruby
+require 'openssl'
+# Using ES512. For others, switch 'secp512r1' to the desired curve
+secret_key = OpenSSL::PKey::EC.new('secp521r1')
+secret_key.generate_key
+# write out the private key to a file...
+File.write(File.expand_path('/path/to/keys/private.pem'), secret_key.to_pem)
+public_key = secret_key
+public_key.private_key = nil
+# write out the public key to a file...
+File.write(File.expand_path('/path/to/keys/public.pem'), private_key.to_pem)
+```
+
+Using the OpenSSL CLI tool:
+
+```shell
+# Private key
+openssl ecparam -name secp521r1 -genkey -out /path/to/keys/private.pem
+# Public key
+openssl ec -in /path/to/keys/private.pem -pubout -out /path/to/keys/public.pem
+```
+
+### Authenticating for API clients
+
+We'll show how to interact with the API using `curl` as an example, and we'll assume the server is running at `auth.mycompany.com`.
+
+#### Register a new user
+
+```shell
+curl \
+  -H 'Content-Type: application/json' \
+  -H 'Accept: application/json' \
+  --data \
+  '{
+    "name": "Some User",
+    "email": "someuser@mycompany.com",
+    "password": "b@d!dea",
+    "via": {
+      "provider": "github",
+      "uid": "1234567"
+    }
+  }' \
+  https://auth.mycompany.com/registration/signup
+```
+
+This will return JSON similar to the following:
+
+```javascript
+{
+  "id": 172,
+  "email": "someuser@mycompany.com",
+  "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJleHAiOjE0ODY0ODcyODcsImlhdCI6MTQ4NjQ4MzY4NywiaXNzIjoiTXkgQXdlc29tZSBDb21wYW55IEluYy4iLCJzY29wZXMiOlsidXNlcl9hY2Nlc3MiXSwidXNlciI6eyJ1c2VybmFtZSI6ImZvb0BiYXIuY29tIiwidWlkIjoyLCJvcmdhbml6YXRpb25zIjpbXSwiZ3JvdXBzIjpbXX19.AWfPpKX9mP03Djz3-LMneJdEVsXQm_4GOPVCdkfiiBeIR4pVLKTVrNoNdlNgSEkZEeUw1RPsVxpAR7wDgB4cNcYiAP3fNaD8OPyWfOQAV0lTvDUSH3YU39cZAVwvbX9HleOHBLrFGBbui5wSvfi7WZZlH808psiuUAVhBOe7mfrNiHGB"
+}
+```
+
+You'll need the JWT (found at key `jwt`) for the next step.
+
+#### Create an API key set
+
+```shell
+curl \
+  -H 'Content-Type: application/vnd.api+json' \
+  -H 'Accept: application/vnd.api+json' \
+  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJleHAiOjE0ODY0ODcyODcsImlhdCI6MTQ4NjQ4MzY4NywiaXNzIjoiTXkgQXdlc29tZSBDb21wYW55IEluYy4iLCJzY29wZXMiOlsidXNlcl9hY2Nlc3MiXSwidXNlciI6eyJ1c2VybmFtZSI6ImZvb0BiYXIuY29tIiwidWlkIjoyLCJvcmdhbml6YXRpb25zIjpbXSwiZ3JvdXBzIjpbXX19.AWfPpKX9mP03Djz3-LMneJdEVsXQm_4GOPVCdkfiiBeIR4pVLKTVrNoNdlNgSEkZEeUw1RPsVxpAR7wDgB4cNcYiAP3fNaD8OPyWfOQAV0lTvDUSH3YU39cZAVwvbX9HleOHBLrFGBbui5wSvfi7WZZlH808psiuUAVhBOe7mfrNiHGB" \
+  --data \
+  '{
+    "data":
+    {
+      "type": "apikeys"
+    }
+  }' \
+  https://auth.mycompany.com/apikeys
+```
+
+This endpoint (as can be seen from the `Accept` and `Content-Type` headers) speaks only {json:api} and will return something like this with an HTTP 201:
+
+```javascript
+{
+  "data": {
+    "type": "apikeys",
+    "id": "197",
+    "attributes": {
+      "access-key": "4bb651af1754b2dff5b9",
+      "secret-key": "a3f1ee5085dad87d53ce04a1857a2677c7ffa136c506e8174fef6fa1c962e46f",
+      "created-at": "2017-02-13 22:50:44 UTC"
+    },
+    "links": {
+      "self": "/apikeys/197"
+    },
+    "relationships": {
+      "user": {
+        "links": {
+          "self": "/apikeys/197/relationships/user",
+          "related": "/apikeys/197/user"
+        }
+      }
+    }
+  },
+  "jsonapi": {
+    "version": "1.0"
+  },
+  "included": [
+
+  ]
+}
+```
+
+Note that **it will not be possible to retrieve the `secret-key` attribute in plaintext again**, so store the results in a safe place.
+
+#### Obtain a JWT
+
+```shell
+curl \
+  -H 'Accept: application/json' \
+  -H 'Content-Type: application/json' \
+  --data \
+  '{ 
+    "access_key": "5f4abd1c6423ef02d1ec42e1cddaf5f8",
+    "secret_key": "fb97aa7d4e48f3e4bbb2930161a423fa8308393426c3612940da03f22cf36879"
+   }' \
+  https://auth.mycompany.com/jwt/token
+```
+
+Note that you can also use either the underscored format for logging in with API keys (`access_key` and `secret_key`) or the dashed version provided in the {json:api} response before (`access-key` and `secret-key`). For all other endpoints (those adhering to the {json:api} spec) the dashed approach is required.
+
+The server will return something like:
+
+```javascript
+{"jwt":"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJleHAiOjE0ODY0ODcyODcsImlhdCI6MTQ4NjQ4MzY4NywiaXNzIjoiTXkgQXdlc29tZSBDb21wYW55IEluYy4iLCJzY29wZXMiOlsidXNlcl9hY2Nlc3MiXSwidXNlciI6eyJ1c2VybmFtZSI6ImZvb0BiYXIuY29tIiwidWlkIjoyLCJvcmdhbml6YXRpb25zIjpbXSwiZ3JvdXBzIjpbXX19.AWfPpKX9mP03Djz3-LMneJdEVsXQm_4GOPVCdkfiiBeIR4pVLKTVrNoNdlNgSEkZEeUw1RPsVxpAR7wDgB4cNcYiAP3fNaD8OPyWfOQAV0lTvDUSH3YU39cZAVwvbX9HleOHBLrFGBbui5wSvfi7WZZlH808psiuUAVhBOe7mfrNiHGB"}
+```
+
+#### Use the JWT to Access a Protected Resource
+
+```shell
+curl \
+  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJleHAiOjE0ODY0ODcyODcsImlhdCI6MTQ4NjQ4MzY4NywiaXNzIjoiTXkgQXdlc29tZSBDb21wYW55IEluYy4iLCJzY29wZXMiOlsidXNlcl9hY2Nlc3MiXSwidXNlciI6eyJ1c2VybmFtZSI6ImZvb0BiYXIuY29tIiwidWlkIjoyLCJvcmdhbml6YXRpb25zIjpbXSwiZ3JvdXBzIjpbXX19.AWfPpKX9mP03Djz3-LMneJdEVsXQm_4GOPVCdkfiiBeIR4pVLKTVrNoNdlNgSEkZEeUw1RPsVxpAR7wDgB4cNcYiAP3fNaD8OPyWfOQAV0lTvDUSH3YU39cZAVwvbX9HleOHBLrFGBbui5wSvfi7WZZlH808psiuUAVhBOe7mfrNiHGB" \
+  -H 'Accept: application/vnd.api+json' \
+  https://auth.mycompany.com/organizations
+```
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/knuedge/authify-api.

data/Rakefile

@@ -35,4 +35,24 @@ namespace :delegate do
       exit 1
     end
   end
+
+  desc 'List Trusted Delegates'
+  task :list do
+    require 'authify/api'
+    Authify::API::Models::TrustedDelegate.all.each do |td|
+      p(name: td.name, access: td.access_key)
+    end
+  end
+
+  desc 'Delete a Trusted Delegate'
+  task :remove, [:name] do |_t, args|
+    require 'authify/api'
+    td = Authify::API::Models::TrustedDelegate.find_by_name(args[:name])
+    if td && td.destroy
+      puts 'Trusted Delegate destroyed'
+    else
+      puts 'Failed to destroy Trusted Delegate'
+      exit 1
+    end
+  end
 end

data/authify-api.gemspec

@@ -25,13 +25,15 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'authify-core'
   spec.add_runtime_dependency 'authify-middleware'
   spec.add_runtime_dependency 'connection_pool', '~> 2.2'
-  spec.add_runtime_dependency 'sinatra', '~> 1.4'
+  spec.add_runtime_dependency 'sinatra', '>= 2.0.0.beta2', '< 3'
+  spec.add_runtime_dependency 'sinatra-contrib', '>= 2.0.0.beta2', '< 3'
   spec.add_runtime_dependency 'sinatra-activerecord', '~> 2.0'
   spec.add_runtime_dependency 'moneta', '~> 0.8'
   spec.add_runtime_dependency 'mysql2', '~> 0.4'
   spec.add_runtime_dependency 'sqlite3', '~> 1.3'
+  spec.add_runtime_dependency 'json', '~> 2.0'
   spec.add_runtime_dependency 'jsonapi-serializers', '~> 0.16'
-  spec.add_runtime_dependency 'sinja', '~> 1.2'
+  # spec.add_runtime_dependency 'sinja', '~> 1.2', '>= 1.2.4'
   spec.add_runtime_dependency 'puma', '~> 3.7'
 
   spec.add_development_dependency 'bundler', '~> 1.12'

data/config.ru

@@ -5,5 +5,6 @@ require 'authify/api'
 use Rack::ShowExceptions
 
 run Rack::URLMap.new \
-  '/'     => Authify::API::Services::API.new,
-  '/jwt'  => Authify::API::Services::JWTProvider.new
+  '/'              => Authify::API::Services::API.new,
+  '/jwt'           => Authify::API::Services::JWTProvider.new,
+  '/registration'  => Authify::API::Services::Registration.new

data/db/migrate/20170201220029_create_api_keys.rb

@@ -1,7 +1,7 @@
-# Creates the api_keys table
+# Creates the apikeys table
 class CreateApiKeys < ActiveRecord::Migration[5.0]
   def change
-    create_table :api_keys do |t|
+    create_table :apikeys do |t|
       t.references :user, index: true
       t.string :access_key, index: true
       t.text :secret_key_digest

data/db/migrate/20170208021933_add_admin_to_user.rb

@@ -0,0 +1,9 @@
+# Make it so we can have global admin users
+class AddAdminToUser < ActiveRecord::Migration[5.0]
+  def change
+    change_table :users do |t|
+      t.boolean :admin
+      t.index :admin
+    end
+  end
+end

data/db/migrate/20170208022427_set_default_for_user_admin.rb

@@ -0,0 +1,7 @@
+# Sets a default for Users to not be admins
+class SetDefaultForUserAdmin < ActiveRecord::Migration[5.0]
+  def change
+    change_column_null :users, :admin, false
+    change_column_default :users, :admin, false
+  end
+end

data/db/schema.rb

@@ -10,16 +10,16 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20170204001405) do
+ActiveRecord::Schema.define(version: 20170208022427) do
 
-  create_table "api_keys", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
+  create_table "apikeys", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
     t.integer  "user_id"
     t.string   "access_key"
     t.text     "secret_key_digest", limit: 65535
     t.datetime "created_at",                      null: false
     t.datetime "updated_at",                      null: false
-    t.index ["access_key"], name: "index_api_keys_on_access_key", using: :btree
-    t.index ["user_id"], name: "index_api_keys_on_user_id", using: :btree
+    t.index ["access_key"], name: "index_apikeys_on_access_key", using: :btree
+    t.index ["user_id"], name: "index_apikeys_on_user_id", using: :btree
   end
 
   create_table "groups", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
@@ -87,8 +87,10 @@ ActiveRecord::Schema.define(version: 20170204001405) do
     t.string   "email"
     t.text     "password_digest", limit: 65535
     t.string   "full_name"
-    t.datetime "created_at",                    null: false
-    t.datetime "updated_at",                    null: false
+    t.datetime "created_at",                                    null: false
+    t.datetime "updated_at",                                    null: false
+    t.boolean  "admin",                         default: false, null: false
+    t.index ["admin"], name: "index_users_on_admin", using: :btree
     t.index ["email"], name: "index_users_on_email", using: :btree
   end
 

data/lib/authify/api.rb

@@ -18,7 +18,6 @@ module Authify
       db: {
         url: ENV['AUTHIFY_DB_URL'] || 'mysql2://root@localhost:3306/authifydb'
       },
-      session_secret: ENV['AUTHIFY_SESSION_SECRET'] || '1q2w3e4r5t6y7u8i9o0pazsxdcfvgbhnjmkl10zm',
       redis: {
         host: ENV['AUTHIFY_REDIS_HOST'] || 'localhost',
         port: ENV['AUTHIFY_REDIS_PORT'] || '6379'
@@ -29,15 +28,17 @@ end
 
 require 'authify/api/version'
 require 'authify/api/jsonapi_utils'
-require 'authify/api/controllers/api_key'
+require 'authify/api/controllers/apikey'
 require 'authify/api/controllers/group'
+require 'authify/api/controllers/identity'
 require 'authify/api/controllers/organization'
 require 'authify/api/controllers/user'
-require 'authify/api/serializers/api_key_serializer'
+require 'authify/api/serializers/apikey_serializer'
 require 'authify/api/serializers/group_serializer'
+require 'authify/api/serializers/identity_serializer'
 require 'authify/api/serializers/user_serializer'
 require 'authify/api/serializers/organization_serializer'
-require 'authify/api/models/api_key'
+require 'authify/api/models/apikey'
 require 'authify/api/models/group'
 require 'authify/api/models/identity'
 require 'authify/api/models/organization'
@@ -49,3 +50,4 @@ require 'authify/api/helpers/api_user'
 require 'authify/api/service'
 require 'authify/api/services/api'
 require 'authify/api/services/jwt_provider'
+require 'authify/api/services/registration'

data/lib/authify/api/controllers/apikey.rb

@@ -0,0 +1,50 @@
+module Authify
+  module API
+    module Controllers
+      APIKey = proc do
+        helpers do
+          def find(id)
+            Models::APIKey.find(id.to_i)
+          end
+
+          def role
+            Array(super).tap do |a|
+              a << :myself if current_user && current_user.apikeys.include?(resource)
+            end.uniq
+          end
+        end
+
+        index(roles: [:admin]) do
+          Models::APIKey.all
+        end
+
+        show(roles: [:myself, :admin]) do
+          last_modified resource.updated_at
+          next resource, exclude: [:secret_key]
+        end
+
+        create(roles: [:user]) do |_attributes|
+          key = Models::APIKey.new
+          key.populate!
+          current_user.apikeys << key
+          current_user.save
+          next key.id, key
+        end
+
+        destroy(roles: [:myself, :admin]) do
+          resource.destroy
+        end
+
+        show_many do |ids|
+          Models::APIKey.find(ids)
+        end
+
+        has_one :user do
+          pluck(roles: [:myself, :admin]) do
+            resource.user
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authify/api/controllers/group.rb

@@ -6,22 +6,31 @@ module Authify
           def find(id)
             Models::Group.find(id.to_i)
           end
+
+          def role
+            Array(super).tap do |a|
+              a << :owner if current_user && current_user.admin_for?(resource.organization)
+              a << :member if resource && resource.users.include?(current_user)
+            end.uniq
+          end
         end
 
-        index do
+        index(roles: [:admin]) do
           Models::Group.all
         end
 
-        show do
+        show(roles: [:admin, :owner]) do
           last_modified resource.updated_at
           next resource
         end
 
-        create do |attrs|
-          Models::Group.new(attrs)
+        create(roles: [:admin]) do |attrs|
+          g = Models::Group.new(attrs)
+          g.save
+          next g
         end
 
-        destroy do
+        destroy(roles: [:admin, :owner]) do
           resource.destroy
         end
 
@@ -30,9 +39,28 @@ module Authify
         end
 
         has_many :users do
-          fetch do
+          fetch(roles: [:admin, :owner]) do
             resource.users
           end
+
+          replace(roles: [:admin, :owner]) do |rios|
+            refs = rios.map { |attrs| Models::User.find(attrs) }
+            resource.users = refs
+            resource.save
+          end
+
+          merge(roles: [:admin, :owner]) do |rios|
+            refs = rios.map { |attrs| Models::User.find(attrs) }
+            resource.users << refs
+            resource.save
+          end
+
+          subtract(roles: [:admin, :owner]) do |rios|
+            refs = rios.map { |attrs| Models::User.find(attrs) }
+            # This only removes the linkage, not the actual users
+            resource.users.delete(refs)
+            resource.save
+          end
         end
       end
     end