FEATURE: Add scopes to API keys (#9844)

* Added scopes UI

* Create scopes when creating a new API key

* Show scopes on the API key show route

* Apply scopes on API requests

* Extend scopes from plugins

* Add missing scopes. A mapping can be associated with multiple controller actions

* Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes

* Add not null validations and index for api_key_id

* Annotate model

* DEV: Move default mappings to ApiKeyScope

* Remove unused attribute and improve UI for existing keys

* Support multiple parameters separated by a comma

lib/auth/default_current_user_provider.rb

@@ -330,7 +330,8 @@ class Auth::DefaultCurrentUserProvider
     if api_key = ApiKey.active.with_key(api_key_value).includes(:user).first
       api_username = header_api_key? ? @env[HEADER_API_USERNAME] : request[API_USERNAME]
 
-      if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { |ip| ip.include?(request.ip) }
+      params = @env['action_dispatch.request.parameters']
+      unless api_key.request_allowed?(request, params)
         Rails.logger.warn("[Unauthorized API Access] username: #{api_username}, IP address: #{request.ip}")
         return nil
       end

lib/discourse_plugin_registry.rb

@@ -78,6 +78,8 @@ class DiscoursePluginRegistry
 
   define_filtered_register :topic_thumbnail_sizes
 
+  define_filtered_register :api_key_scope_mappings
+
   def self.register_auth_provider(auth_provider)
     self.auth_providers << auth_provider
   end

lib/plugin/instance.rb

@@ -738,6 +738,10 @@ class Plugin::Instance
     end
   end
 
+  def add_api_key_scope(resource, action)
+    DiscoursePluginRegistry.register_api_key_scope_mapping({ resource => action }, self)
+  end
+
   protected
 
   def self.js_path