Add User API Token Management to Admin API and CLI (#12595)

## Summary This PR extends the RAGFlow Admin API and CLI with comprehensive user API token management capabilities. Administrators can now generate, list, and delete API tokens for users through both the REST API and the Admin CLI interface. ## Changes ### Backend API (`admin/server/`) #### New Endpoints - **POST `/api/v1/admin/users/<username>/new_token`** - Generate a new API token for a user - **GET `/api/v1/admin/users/<username>/token_list`** - List all API tokens for a user - **DELETE `/api/v1/admin/users/<username>/token/<token>`** - Delete a specific API token for a user #### Service Layer Updates (`services.py`) - Added `get_user_api_key(username)` - Retrieves all API tokens for a user - Added `save_api_token(api_token)` - Saves a new API token to the database - Added `delete_api_token(username, token)` - Deletes an API token for a user ### Admin CLI (`admin/client/`) #### New Commands - **`GENERATE TOKEN FOR USER <username>;`** - Generate a new API token for the specified user - **`LIST TOKENS OF <username>;`** - List all API tokens associated with a user - **`DROP TOKEN <token> OF <username>;`** - Delete a specific API token for a user ### Testing Added comprehensive test suite in `test/testcases/test_admin_api/`: - **`test_generate_user_api_key.py`** - Tests for API token generation - **`test_get_user_api_key.py`** - Tests for listing user API tokens - **`test_delete_user_api_key.py`** - Tests for deleting API tokens - **`conftest.py`** - Shared test fixtures and utilities ## Technical Details ### Token Generation - Tokens are generated using `generate_confirmation_token()` utility - Each token includes metadata: `tenant_id`, `token`, `beta`, `create_time`, `create_date` - Tokens are associated with user tenants automatically ### Security Considerations - All endpoints require admin authentication (`@check_admin_auth`) - Tokens are URL-encoded when passed in DELETE requests to handle special characters - Proper error handling for unauthorized access and missing resources ### API Response Format All endpoints follow the standard RAGFlow response format: ```json { "code": 0, "data": {...}, "message": "Success message" } ``` ## Files Changed - `admin/client/admin_client.py` - CLI token management commands - `admin/server/routes.py` - New API endpoints - `admin/server/services.py` - Token management service methods - `docs/guides/admin/admin_cli.md` - CLI documentation updates - `test/testcases/test_admin_api/conftest.py` - Test fixtures - `test/testcases/test_admin_api/test_user_api_key_management/*` - Test suites ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Alexander Strasser <alexander.strasser@ondewo.com> Co-authored-by: Hetavi Shah <your.email@example.com>
2026-01-29 22:56:36 +08:00 · 2026-01-17 12:51:00 +05:30
parent bd9163904a
commit 46305ef35e
8 changed files with 1124 additions and 141 deletions
--- a/docs/guides/admin/admin_cli.md
+++ b/docs/guides/admin/admin_cli.md
@ -93,6 +93,21 @@ Commands are case-insensitive and must be terminated with a semicolon(;).
 - Changes the user to active or inactive.
 - [Example](#example-alter-user-active)

+`GENERATE KEY FOR USER <username>;`
+
+- Generates a new API key for the specified user.
+- [Example](#example-generate-key)
+
+`LIST KEYS OF <username>;`
+
+- Lists all API keys associated with the specified user.
+- [Example](#example-list-keys)
+
+`DROP KEY <key> OF <username>;`
+
+- Deletes a specific API key for the specified user.
+- [Example](#example-drop-key)
+
 ### Data and Agent Commands

 `LIST DATASETS OF <username>;`
@ -345,6 +360,44 @@ Delete done!

 Delete user's data at the same time.

+<span id="example-generate-key"></span>
+
+- Generate API key for user.
+
+```
+admin> generate key for user "example@ragflow.io";
+Generating API key for user: example@ragflow.io
+----------------------------------+-------------------------------+---------------+----------------------------------+-----------------------------------------------------+-------------+-------------+
+| beta                             | create_date                   | create_time   | tenant_id                        | token                                               | update_date | update_time |
+----------------------------------+-------------------------------+---------------+----------------------------------+-----------------------------------------------------+-------------+-------------+
+| Es9OpZ6hrnPGeYA3VU1xKUkj6NCb7cp- | Mon, 12 Jan 2026 15:19:11 GMT | 1768227551361 | 5d5ea8a3efc111f0a79b80fa5b90e659 | ragflow-piwVJHEk09M5UN3LS_Xx9HA7yehs3yNOc9GGsD4jzus | None        | None        |
+----------------------------------+-------------------------------+---------------+----------------------------------+-----------------------------------------------------+-------------+-------------+
+```
+
+<span id="example-list-keys"></span>
+
+- List all API keys for user.
+
+```
+admin> list keys of "example@ragflow.io";
+Listing API keys for user: example@ragflow.io
+----------------------------------+-------------------------------+---------------+-----------+--------+----------------------------------+-----------------------------------------------------+-------------------------------+---------------+
+| beta                             | create_date                   | create_time   | dialog_id | source | tenant_id                        | token                                               | update_date                   | update_time   |
+----------------------------------+-------------------------------+---------------+-----------+--------+----------------------------------+-----------------------------------------------------+-------------------------------+---------------+
+| Es9OpZ6hrnPGeYA3VU1xKUkj6NCb7cp- | Mon, 12 Jan 2026 15:19:11 GMT | 1768227551361 | None      | None   | 5d5ea8a3efc111f0a79b80fa5b90e659 | ragflow-piwVJHEk09M5UN3LS_Xx9HA7yehs3yNOc9GGsD4jzus | Mon, 12 Jan 2026 15:19:11 GMT | 1768227551361 |
+----------------------------------+-------------------------------+---------------+-----------+--------+----------------------------------+-----------------------------------------------------+-------------------------------+---------------+
+```
+
+<span id="example-drop-key"></span>
+
+- Drop API key for user.
+
+```
+admin> drop key "ragflow-piwVJHEk09M5UN3LS_Xx9HA7yehs3yNOc9GGsD4jzus" of "example@ragflow.io";
+Dropping API key for user: example@ragflow.io
+API key deleted successfully
+```
+
 <span id="example-list-datasets-of-user"></span>

 - List the specified user's dataset.
@ -499,19 +552,34 @@ admin> \help
 command: \help

 Commands:
-  LIST SERVICES
-  SHOW SERVICE <service>
-  STARTUP SERVICE <service>
-  SHUTDOWN SERVICE <service>
-  RESTART SERVICE <service>
-  LIST USERS
-  SHOW USER <user>
-  DROP USER <user>
-  CREATE USER <user> <password>
-  ALTER USER PASSWORD <user> <new_password>
-  ALTER USER ACTIVE <user> <on/off>
-  LIST DATASETS OF <user>
-  LIST AGENTS OF <user>
+LIST SERVICES
+SHOW SERVICE <service>
+STARTUP SERVICE <service>
+SHUTDOWN SERVICE <service>
+RESTART SERVICE <service>
+LIST USERS
+SHOW USER <user>
+DROP USER <user>
+CREATE USER <user> <password>
+ALTER USER PASSWORD <user> <new_password>
+ALTER USER ACTIVE <user> <on/off>
+LIST DATASETS OF <user>
+LIST AGENTS OF <user>
+CREATE ROLE <role>
+DROP ROLE <role>
+ALTER ROLE <role> SET DESCRIPTION <description>
+LIST ROLES
+SHOW ROLE <role>
+GRANT <action_list> ON <function> TO ROLE <role>
+REVOKE <action_list> ON <function> TO ROLE <role>
+ALTER USER <user> SET ROLE <role>
+SHOW USER PERMISSION <user>
+SHOW VERSION
+GRANT ADMIN <user>
+REVOKE ADMIN <user>
+GENERATE KEY FOR USER <user>
+LIST KEYS OF <user>
+DROP KEY <key> OF <user>

 Meta Commands:
  \?, \h, \help     Show this help
@ -525,4 +593,3 @@ admin> \q
 command: \q
 Goodbye!
 ```
-