mirror of https://github.com/maybe-finance/maybe.git synced 2025-08-09 15:35:22 +02:00
Maybe/app/views/settings/api_keys/new.html.erb

60 lines
2.5 KiB
Add comprehensive API v1 with OAuth and API key authentication (#2389)

* OAuth

* Add API test routes and update Doorkeeper token handling for test environment
- Introduced API namespace with test routes for controller testing in the test environment.
- Updated Doorkeeper configuration to allow fallback to plain tokens in the test environment for easier testing.
- Modified schema to change resource_owner_id type from bigint to string.

* Implement API key authentication and enhance access control
- Replaced Doorkeeper OAuth authentication with a custom method supporting both OAuth and API keys in the BaseController.
- Added methods for API key authentication, including validation and logging.
- Introduced scope-based authorization for API keys in the TestController.
- Updated routes to include API key management endpoints.
- Enhanced logging for API access to include authentication method details.
- Added tests for API key functionality, including validation, scope checks, and access control enforcement.

* Add API key rate limiting and usage tracking
- Implemented rate limiting for API key authentication in BaseController.
- Added methods to check rate limits, render appropriate responses, and include rate limit headers in responses.
- Updated routes to include a new usage resource for tracking API usage.
- Enhanced tests to verify rate limit functionality, including exceeding limits and per-key tracking.
- Cleaned up Redis data in tests to ensure isolation between test cases.

* Add Jbuilder for JSON rendering and refactor AccountsController
- Added Jbuilder gem for improved JSON response handling.
- Refactored index action in AccountsController to utilize Jbuilder for rendering JSON.
- Removed manual serialization of accounts and streamlined response structure.
- Implemented a before_action in BaseController to enforce JSON format for all API requests.

* Add transactions resource to API routes
- Added routes for transactions, allowing index, show, create, update, and destroy actions.
- This enhancement supports comprehensive transaction management within the API.

* Enhance API authentication and onboarding handling
- Updated BaseController to skip onboarding requirements for API endpoints and added manual token verification for OAuth authentication.
- Improved error handling and logging for invalid access tokens.
- Introduced a method to set up the current context for API requests, ensuring compatibility with session-like behavior.
- Excluded API paths from onboarding redirects in the Onboardable concern.
- Updated database schema to change resource_owner_id type from bigint to string for OAuth access grants.

* Fix rubocop offenses
- Fix indentation and spacing issues
- Convert single quotes to double quotes
- Add spaces inside array brackets
- Fix comment alignment
- Add missing trailing newlines
- Correct else/end alignment

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix API test failures and improve test reliability
- Fix ApiRateLimiterTest by removing mock users method and using fixtures
- Fix UsageControllerTest by removing mock users method and using fixtures
- Fix BaseControllerTest by using different users for multiple API keys
- Use unique display_key values with SecureRandom to avoid conflicts
- Fix double render issue in UsageController by returning after authorize_scope!
- Specify controller name in routes for usage resource
- Remove trailing whitespace and empty lines per Rubocop

All tests now pass and linting is clean.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Add API transactions controller warning to brakeman ignore

The account_id parameter in the API transactions controller is properly validated on line 79:
family.accounts.find(transaction_params[:account_id])

This ensures users can only create transactions in accounts belonging to their family, making this a false positive.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Signed-off-by: Josh Pigford <josh@joshpigford.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-06-17 15:57:05 -05:00
<%= content_for :page_title, "Create New API Key" %>

<%= settings_section title: "Create New API Key", subtitle: "Generate a new API key to access your Maybe data programmatically." do %>
  <%= styled_form_with model: @api_key, url: settings_api_key_path, class: "space-y-4" do |form| %>
    <%= form.text_field :name,
        placeholder: "e.g., My Budget App, Portfolio Tracker",
        label: "API Key Name",
        help_text: "Choose a descriptive name to help you identify this key later." %>

    <div>
      <%= form.label :scopes, "Permissions", class: "block text-sm font-medium text-primary mb-2" %>
      <p class="text-sm text-secondary mb-3">Select the permissions this API key should have:</p>

      <div class="space-y-2">
        <% [
          ["read", "Read Only", "View your accounts, transactions, and balances"],
          ["read_write", "Read/Write", "View your data and create new transactions"]
        ].each do |value, label, description| %>
          <div class="bg-surface-inset rounded-lg p-3 border border-primary">
            <label class="flex items-start gap-3 cursor-pointer">
              <%= radio_button_tag "api_key[scopes]", value, (@api_key&.scopes || []).include?(value),
                  class: "mt-1" %>
              <div class="flex-1">
                <div class="font-medium text-primary"><%= label %></div>
                <div class="text-sm text-secondary mt-1"><%= description %></div>
              </div>
            </label>
          </div>
        <% end %>
      </div>
    </div>

    <div class="bg-warning-50 border border-warning-200 rounded-xl p-4">
      <div class="flex items-start gap-2">
        <%= icon("alert-triangle", class: "w-5 h-5 text-warning-600 mt-0.5") %>
        <div>
          <h4 class="font-medium text-warning-800 text-sm">Security Warning</h4>
          <p class="text-warning-700 text-sm mt-1">
            Your API key will be displayed only once after creation. Make sure to copy and store it securely.
            Anyone with access to this key can access your data according to the permissions you select.
          </p>
        </div>
      </div>
    </div>

    <div class="flex justify-end gap-3 pt-4 border-t border-primary">
      <%= render LinkComponent.new(
        text: "Cancel",
        href: settings_api_key_path,
        variant: "ghost"
      ) %>
      <%= render ButtonComponent.new(
        text: "Create API Key",
        variant: "primary",
        type: "submit"
      ) %>
    </div>
  <% end %>
<% end %>
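The view above only offers two scope values, but the browser form is not a trust boundary: the controller that receives `api_key[scopes]` must enforce the same allowlist, and every API request must then be checked against the key's scopes. The following is an added example of that server-side counterpart, not Maybe's own code; `normalize_scopes`, `scope_permits?` and the implied-grant table are assumptions modelled on the "read"/"read_write" choices in this view and the `authorize_scope!` named in the commit message.

```ruby
require "set"

# Added example (not Maybe's own code): server-side counterpart to the scope
# radio buttons in new.html.erb. The allowlist mirrors the two choices the
# view offers; anything else submitted is rejected rather than stored.
ALLOWED_SCOPES = %w[read read_write].freeze

# What each scope actually grants. "read_write" implies "read", matching the
# view's description "View your data and create new transactions".
SCOPE_GRANTS = {
  "read"       => Set["read"],
  "read_write" => Set["read", "write"]
}.freeze

# Normalise what the form posts (a single String from the radio button, or an
# Array if the param shape ever changes) and reject any value outside the
# allowlist, so a tampered request cannot mint a key with a scope the UI
# never offered. Returns the cleaned Array, or nil when the input is invalid.
def normalize_scopes(raw)
  values = Array(raw).map { |v| v.to_s.strip }.reject(&:empty?)
  return nil if values.empty?
  return nil unless values.all? { |v| ALLOWED_SCOPES.include?(v) }
  values.uniq
end

# Per-request check (hypothetical name, in the spirit of authorize_scope!):
# does the key's stored scope list grant the access this endpoint needs,
# where +required+ is "read" or "write"? Unknown scopes grant nothing.
def scope_permits?(key_scopes, required)
  Array(key_scopes).any? { |s| SCOPE_GRANTS.fetch(s, Set[]).include?(required) }
end
```

A create action would call `normalize_scopes(params.dig(:api_key, :scopes))` and return a validation error on nil; a write endpoint would refuse the request unless `scope_permits?(api_key.scopes, "write")`.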