From 83feade79422b6ef512429a09265567a7901e785 Mon Sep 17 00:00:00 2001
From: matthias <matthias@researchspace.com>
Date: Tue, 30 Jul 2024 17:26:34 +0100
Subject: [PATCH 1/5] blocking & removing 'Manage Api Key' fragment of my
 profile page for sysadmin 'operating as'; guarding API endpoint for apiKey
 retrieval with new deployment property 'sysadmin.apikey.access' which must be
 explicitly changed to 'true'

---
 ...dminApi.java => UserDetailsSysAdminApi.java} | 17 ++++++++++-------
 .../UserDetailsSysAdminApiController.java       | 14 ++++++++++----
 .../controller/UserProfileController.java       |  7 +++++++
 .../deployments/defaultDeployment.properties    |  2 ++
 .../deployments/dev/deployment.properties       |  4 +---
 src/main/webapp/WEB-INF/pages/userform.jsp      |  8 +-------
 src/main/webapp/scripts/pages/userform.js       |  5 +++++
 7 files changed, 36 insertions(+), 21 deletions(-)
 rename src/main/java/com/researchspace/api/v1/{UserDetailsSyadminApi.java => UserDetailsSysAdminApi.java} (63%)

diff --git a/src/main/java/com/researchspace/api/v1/UserDetailsSyadminApi.java b/src/main/java/com/researchspace/api/v1/UserDetailsSysAdminApi.java
similarity index 63%
rename from src/main/java/com/researchspace/api/v1/UserDetailsSyadminApi.java
rename to src/main/java/com/researchspace/api/v1/UserDetailsSysAdminApi.java
index 5a65a7b90..1c557cabc 100644
--- a/src/main/java/com/researchspace/api/v1/UserDetailsSyadminApi.java
+++ b/src/main/java/com/researchspace/api/v1/UserDetailsSysAdminApi.java
@@ -11,15 +11,18 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-/** returns user details available to sysadmins - only sysadmins will be allowed to use this API */
-@RequestMapping("/api/v1/syadmin/userDetails")
-public interface UserDetailsSyadminApi {
+/**
+ * returns user details available to sysadmins - only sysadmins will be allowed to use this API, and
+ * only if sysadmin.apikey.access deployment property is set to true
+ */
+@RequestMapping("/api/v1/sysadmin/userDetails")
+public interface UserDetailsSysAdminApi {
 
-  @GetMapping("/apiKeyInfo/all")
-  @ResponseBody
   /**
-   * returns a map of all users usernames to api keys. Request user must be a sysadmin or request
-   * will not be authorised
+   * returns a map of all users usernames to api keys. Request user must be a sysadmin, and
+   * sysadmin.apikey.access deployment property must be set to 'true', or request will be rejected
    */
+  @GetMapping("/apiKeyInfo/all")
+  @ResponseBody
   Map<String, String> getAllApiKeyInfo(@RequestAttribute(name = "user") User user);
 }
diff --git a/src/main/java/com/researchspace/api/v1/controller/UserDetailsSysAdminApiController.java b/src/main/java/com/researchspace/api/v1/controller/UserDetailsSysAdminApiController.java
index 223f0fc5e..7f4663a93 100644
--- a/src/main/java/com/researchspace/api/v1/controller/UserDetailsSysAdminApiController.java
+++ b/src/main/java/com/researchspace/api/v1/controller/UserDetailsSysAdminApiController.java
@@ -1,6 +1,6 @@
 package com.researchspace.api.v1.controller;
 
-import com.researchspace.api.v1.UserDetailsSyadminApi;
+import com.researchspace.api.v1.UserDetailsSysAdminApi;
 import com.researchspace.model.SignupSource;
 import com.researchspace.model.User;
 import com.researchspace.model.UserApiKey;
@@ -11,19 +11,25 @@
 import java.util.Optional;
 import org.apache.shiro.authz.AuthorizationException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestAttribute;
 
 @ApiController
-public class UserDetailsSysAdminApiController implements UserDetailsSyadminApi {
+public class UserDetailsSysAdminApiController implements UserDetailsSysAdminApi {
   @Autowired private UserManager userManager;
   @Autowired private UserApiKeyManager apiKeyMgr;
 
+  @Value("${sysadmin.apikey.access}")
+  private boolean sysadminApiKeyAccess;
+
   @Override
   public Map<String, String> getAllApiKeyInfo(@RequestAttribute(name = "user") User user) {
-    boolean isSysadmin = user.hasSysadminRole();
-    if (!isSysadmin) {
+    if (!user.hasSysadminRole()) {
       throw new AuthorizationException("Only sysadmin can use this API");
     }
+    if (!sysadminApiKeyAccess) {
+      throw new AuthorizationException("Reading apiKeys by sysadmin is not enabled on this server");
+    }
     Map<String, String> allUserInfo = new HashMap<>();
     for (User aUser : userManager.getUsers()) {
       Optional<UserApiKey> optKey = apiKeyMgr.getKeyForUser(aUser);
diff --git a/src/main/java/com/researchspace/webapp/controller/UserProfileController.java b/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
index 01fa8690a..97ad78ad6 100644
--- a/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
+++ b/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
@@ -105,6 +105,8 @@
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authz.AuthorizationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.dao.DataIntegrityViolationException;
@@ -748,6 +750,10 @@ public static class ApiInfo {
 
   @GetMapping("/ajax/apiKeyInfo")
   public @ResponseBody AjaxReturnObject<ApiInfo> getApiKeyInfo() {
+    if (SecurityUtils.getSubject().isRunAs()) {
+      throw new AuthorizationException(
+          "apiKey cannot be accessed when 'operating' as another user");
+    }
     User user = userManager.getAuthenticatedUserInSession();
     Optional<UserApiKey> optKey = apiKeyMgr.getKeyForUser(user);
     ApiInfo rc = new ApiInfo();
@@ -761,6 +767,7 @@ public static class ApiInfo {
     if (!available.isSucceeded()) {
       rc.setMessage(available.getEntity());
     }
+    SECURITY_LOG.info("User [{}] asked to see their apiKey", user.getUsername());
     return new AjaxReturnObject<>(rc, null);
   }
 
diff --git a/src/main/resources/deployments/defaultDeployment.properties b/src/main/resources/deployments/defaultDeployment.properties
index 4d24b0708..1aceb60cf 100644
--- a/src/main/resources/deployments/defaultDeployment.properties
+++ b/src/main/resources/deployments/defaultDeployment.properties
@@ -121,6 +121,8 @@ sysadmin.delete.user=false
 sysadmin.delete.user.resourceList.folder=archive/deletedUserResourceListings
 # whether successful user deletion from DB should be immediately followed by filestore resources deletion
 sysadmin.delete.user.deleteResourcesImmediately=true
+# whether sysadmin should be able to see users' API keys. this shouldn't be changed unless in very specific scenarios
+sysadmin.apikey.access=false
 
 #Path to error log file
 sysadmin.errorfile.path=src/test/resources/TestResources/sampleLogs/RSLogs.txt
diff --git a/src/main/resources/deployments/dev/deployment.properties b/src/main/resources/deployments/dev/deployment.properties
index 4426ab7ec..404fce425 100644
--- a/src/main/resources/deployments/dev/deployment.properties
+++ b/src/main/resources/deployments/dev/deployment.properties
@@ -13,6 +13,7 @@ archive.folder.storagetime=1
 importArchiveFromServer.enabled=true
 
 sysadmin.delete.user=true
+sysadmin.apikey.access=true
 rs.dev.groupcreation=true
 ui.bannerImage.url=/workspace
 ui.bannerImage.loggedOutUrl=https://www.bbc.com/
@@ -63,9 +64,6 @@ nextcloud.secret=
 egnyte.client.id=
 egnyte.internal.app.client.id=
 
-pyrat.url=
-pyrat.client.token=
-
 # clustermarket
 clustermarket.client.id=
 clustermarket.secret=
diff --git a/src/main/webapp/WEB-INF/pages/userform.jsp b/src/main/webapp/WEB-INF/pages/userform.jsp
index bc73d583c..56c4a163e 100644
--- a/src/main/webapp/WEB-INF/pages/userform.jsp
+++ b/src/main/webapp/WEB-INF/pages/userform.jsp
@@ -14,12 +14,6 @@
 
 <input type="hidden" name="from" value="<c:out value=" ${param.from}" />" />
 
-<%-- commenting as seems unused (mk - 22/09/16) --%>
-<%-- <c:if test="${cookieLogin == 'true'}"> --%>
-<%-- 	<form:hidden path="password" /> --%>
-<%-- 	<form:hidden path="confirmPassword" /> --%>
-<%-- </c:if> --%>
-
 <c:if test="${empty user.version}">
 	<input type="hidden" name="encryptPass" value="true" />
 </c:if>
@@ -305,7 +299,7 @@
 <div class="bootstrap-custom-flat">
 	<div class="col-xs-9" style="padding: 0px">
 		<hr />
-		<c:if test="${canEdit}">
+		<c:if test="${canEdit and !sessionScope['rs.IS_RUN_AS']}">
 			<div class="api-menu__header col-xs-12">
 				<fmt:message key="user.apikey.label" />
 			</div>
diff --git a/src/main/webapp/scripts/pages/userform.js b/src/main/webapp/scripts/pages/userform.js
index 853e91594..006b46f81 100644
--- a/src/main/webapp/scripts/pages/userform.js
+++ b/src/main/webapp/scripts/pages/userform.js
@@ -500,6 +500,11 @@ function renderApiKeyMenu(serverResponse) {
 }
 
 function initApiKeyDisplay () {
+
+  if ($('#apiKeyInfo').size() == 0) {
+    return; // fragment not displayed
+  }
+
   function updateApiKeyMenu() {
     $.get('/userform/ajax/apiKeyInfo')
      .then(renderApiKeyMenu);

From c069f150f3f564868ae401ce08200760f1da87e2 Mon Sep 17 00:00:00 2001
From: matthias <matthias@researchspace.com>
Date: Wed, 31 Jul 2024 09:13:36 +0100
Subject: [PATCH 2/5] update the UI logic, api key is no longer implicitly
 loaded on 'my profile' page; also it should be fine for sysadmin to
 regenerate/revoke the key, just not to see pre-existing one

---
 .../controller/UserProfileController.java     | 35 ++++++++++------
 .../deployments/defaultDeployment.properties  |  2 +-
 .../deployments/dev/deployment.properties     |  1 -
 src/main/webapp/WEB-INF/pages/userform.jsp    | 12 +++---
 src/main/webapp/scripts/pages/userform.js     | 34 +++++++++++-----
 .../UserProfileControllerMVCIT.java           | 40 +++++++++++++++----
 6 files changed, 86 insertions(+), 38 deletions(-)

diff --git a/src/main/java/com/researchspace/webapp/controller/UserProfileController.java b/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
index 97ad78ad6..66676d5c8 100644
--- a/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
+++ b/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
@@ -699,7 +699,7 @@ public AjaxReturnObject<String> updatePreferenceValue(
 
   @PostMapping("/ajax/apiKey")
   @IgnoreInLoggingInterceptor(ignoreRequestParams = "password")
-  public @ResponseBody AjaxReturnObject<ApiInfo> generateApiKey(
+  public @ResponseBody AjaxReturnObject<ApiKeyInfo> generateApiKey(
       @RequestParam("password") String pwd) {
     if (isEmpty(pwd)) {
       return new AjaxReturnObject<>(
@@ -714,7 +714,8 @@ public AjaxReturnObject<String> updatePreferenceValue(
 
     UserApiKey apiKey = apiKeyMgr.createKeyForUser(user);
     SECURITY_LOG.info("User {} created new API key", user.getUsername());
-    return new AjaxReturnObject<>(new ApiInfo(apiKey.getApiKey(), true, true, true, "", 0L), null);
+    return new AjaxReturnObject<>(
+        new ApiKeyInfo(apiKey.getApiKey(), true, true, true, "", 0L), null);
   }
 
   @DeleteMapping("/ajax/apiKey")
@@ -728,7 +729,7 @@ public AjaxReturnObject<String> updatePreferenceValue(
   @Data
   @AllArgsConstructor
   @NoArgsConstructor
-  public static class ApiInfo {
+  public static class ApiKeyInfo {
     /** The actual API key */
     private String key = null;
 
@@ -748,17 +749,12 @@ public static class ApiInfo {
     private long age;
   }
 
-  @GetMapping("/ajax/apiKeyInfo")
-  public @ResponseBody AjaxReturnObject<ApiInfo> getApiKeyInfo() {
-    if (SecurityUtils.getSubject().isRunAs()) {
-      throw new AuthorizationException(
-          "apiKey cannot be accessed when 'operating' as another user");
-    }
+  @GetMapping("/ajax/apiKeyDisplayInfo")
+  public @ResponseBody AjaxReturnObject<ApiKeyInfo> getApiKeyDisplayInfo() {
     User user = userManager.getAuthenticatedUserInSession();
     Optional<UserApiKey> optKey = apiKeyMgr.getKeyForUser(user);
-    ApiInfo rc = new ApiInfo();
+    ApiKeyInfo rc = new ApiKeyInfo();
     if (optKey.isPresent()) {
-      rc.setKey(optKey.get().getApiKey());
       rc.setRevokable(true);
       rc.setAge(calculateAge(optKey.get()));
     }
@@ -767,10 +763,25 @@ public static class ApiInfo {
     if (!available.isSucceeded()) {
       rc.setMessage(available.getEntity());
     }
-    SECURITY_LOG.info("User [{}] asked to see their apiKey", user.getUsername());
     return new AjaxReturnObject<>(rc, null);
   }
 
+  @GetMapping("/ajax/apiKeyValue")
+  public @ResponseBody AjaxReturnObject<String> getApiKeyValue() {
+    if (SecurityUtils.getSubject().isRunAs()) {
+      throw new AuthorizationException(
+          "API key details cannot be accessed when 'operating' as another user");
+    }
+    User user = userManager.getAuthenticatedUserInSession();
+    SECURITY_LOG.info("User [{}] asked to see their apiKey", user.getUsername());
+
+    Optional<UserApiKey> optKey = apiKeyMgr.getKeyForUser(user);
+    if (!optKey.isPresent()) {
+      return new AjaxReturnObject<>(null, ErrorList.of("API key is not set"));
+    }
+    return new AjaxReturnObject<>(optKey.get().getApiKey(), null);
+  }
+
   /** Shows a list of created OAuth apps on the user's profile page */
   @GetMapping("/ajax/oAuthApps")
   @ResponseBody
diff --git a/src/main/resources/deployments/defaultDeployment.properties b/src/main/resources/deployments/defaultDeployment.properties
index 1aceb60cf..9573de3b0 100644
--- a/src/main/resources/deployments/defaultDeployment.properties
+++ b/src/main/resources/deployments/defaultDeployment.properties
@@ -121,7 +121,7 @@ sysadmin.delete.user=false
 sysadmin.delete.user.resourceList.folder=archive/deletedUserResourceListings
 # whether successful user deletion from DB should be immediately followed by filestore resources deletion
 sysadmin.delete.user.deleteResourcesImmediately=true
-# whether sysadmin should be able to see users' API keys. this shouldn't be changed unless in very specific scenarios
+# whether sysadmin should be able to see users' API keys; this shouldn't be changed unless in very specific scenarios
 sysadmin.apikey.access=false
 
 #Path to error log file
diff --git a/src/main/resources/deployments/dev/deployment.properties b/src/main/resources/deployments/dev/deployment.properties
index 404fce425..1a02b7e78 100644
--- a/src/main/resources/deployments/dev/deployment.properties
+++ b/src/main/resources/deployments/dev/deployment.properties
@@ -13,7 +13,6 @@ archive.folder.storagetime=1
 importArchiveFromServer.enabled=true
 
 sysadmin.delete.user=true
-sysadmin.apikey.access=true
 rs.dev.groupcreation=true
 ui.bannerImage.url=/workspace
 ui.bannerImage.loggedOutUrl=https://www.bbc.com/
diff --git a/src/main/webapp/WEB-INF/pages/userform.jsp b/src/main/webapp/WEB-INF/pages/userform.jsp
index 56c4a163e..892a4e758 100644
--- a/src/main/webapp/WEB-INF/pages/userform.jsp
+++ b/src/main/webapp/WEB-INF/pages/userform.jsp
@@ -299,7 +299,7 @@
 <div class="bootstrap-custom-flat">
 	<div class="col-xs-9" style="padding: 0px">
 		<hr />
-		<c:if test="${canEdit and !sessionScope['rs.IS_RUN_AS']}">
+		<c:if test="${canEdit}">
 			<div class="api-menu__header col-xs-12">
 				<fmt:message key="user.apikey.label" />
 			</div>
@@ -561,14 +561,14 @@
 <script type="text/template" id="apiKeyDetailsTemplate">
 	{{#enabled}}
     <div class="api-menu__key col-xs-8">
-      {{#key}}
-        <strong>Key</strong>: <span id="api-menu__keyValue">{{key}}</span>
+      {{#revokable}}
+        <strong>Key</strong>: <span id="api-menu__keyValue"> ... </span>
           <a href="#" id="api-menu__showKey" onclick="return false;">Show Key</a>
           <a href="#" id="api-menu__hideKey" onclick="return false;">Hide Key</a>
-      {{/key}}
-      {{^key}}
+      {{/revokable}}
+      {{^revokable}}
         <strong>Key</strong>: Empty.
-      {{/key}}
+      {{/revokable}}
 
       <br />
       See <a href="/public/apiDocs" target="_blank">API Documentation</a>.
diff --git a/src/main/webapp/scripts/pages/userform.js b/src/main/webapp/scripts/pages/userform.js
index 006b46f81..159d0ac3a 100644
--- a/src/main/webapp/scripts/pages/userform.js
+++ b/src/main/webapp/scripts/pages/userform.js
@@ -389,7 +389,7 @@ function initPwdConfirmDlg () {
           var jqxhr = $.post('/userform/ajax/apiKey', {"password":pwd})
                        .done(function(data) {
                            showRSApiKey = true;
-                           renderApiKeyMenu(data); 
+                           renderApiKeyMenu(data);
                        })
                        .fail(function() {
                           RS.ajaxFailed("Creating a new API key", false, jqxhr);
@@ -495,21 +495,30 @@ function renderApiKeyMenu(serverResponse) {
   var keyInfoData = serverResponse.data;
   var htmlData = Mustache.render(apiKeyInfoTemplate, keyInfoData);
   $apiKeyInfo.html(htmlData);
+  if (keyInfoData.key) {
+    $('#api-menu__keyValue').text(keyInfoData.key);
+  }
   $('#api-menu__keyValue, #api-menu__hideKey').toggle(showRSApiKey);
   $('#api-menu__showKey').toggle(!showRSApiKey);
 }
 
-function initApiKeyDisplay () {
-
-  if ($('#apiKeyInfo').size() == 0) {
-    return; // fragment not displayed
+function showApiKeyValue(serverResponse) {
+  if (!serverResponse.data) {
+    apprise(getValidationErrorString(serverResponse.errorMsg));
+    return;
   }
+  $('#api-menu__keyValue').text(serverResponse.data);
+  $('#api-menu__keyValue, #api-menu__hideKey').toggle(showRSApiKey);
+  $('#api-menu__showKey').toggle(!showRSApiKey);
+}
+
+function initApiKeyDisplay () {
 
   function updateApiKeyMenu() {
-    $.get('/userform/ajax/apiKeyInfo')
+    $.get('/userform/ajax/apiKeyDisplayInfo')
      .then(renderApiKeyMenu);
-  }  
-  
+  }
+
   $(document).on("click", "#apiKeyRegenerateBtn", function(e) {
     e.preventDefault();
     e.stopPropagation();
@@ -535,8 +544,13 @@ function initApiKeyDisplay () {
   });
   
   $(document).on("click", "#api-menu__showKey, #api-menu__hideKey", function() {
-	  showRSApiKey = !showRSApiKey;
-	  updateApiKeyMenu();
+    showRSApiKey = !showRSApiKey;
+    if (showRSApiKey) {
+      $.get('/userform/ajax/apiKeyValue')
+        .then(showApiKeyValue);
+    }
+    $('#api-menu__keyValue, #api-menu__hideKey').toggle(showRSApiKey);
+    $('#api-menu__showKey').toggle(!showRSApiKey);
   });
 
   updateApiKeyMenu();
diff --git a/src/test/java/com/researchspace/webapp/controller/UserProfileControllerMVCIT.java b/src/test/java/com/researchspace/webapp/controller/UserProfileControllerMVCIT.java
index 560f568b5..4134f2af6 100644
--- a/src/test/java/com/researchspace/webapp/controller/UserProfileControllerMVCIT.java
+++ b/src/test/java/com/researchspace/webapp/controller/UserProfileControllerMVCIT.java
@@ -53,7 +53,7 @@
 import com.researchspace.service.UserProfileManager;
 import com.researchspace.testutils.RSpaceTestUtils;
 import com.researchspace.testutils.TestGroup;
-import com.researchspace.webapp.controller.UserProfileController.ApiInfo;
+import com.researchspace.webapp.controller.UserProfileController.ApiKeyInfo;
 import java.io.IOException;
 import java.security.Principal;
 import java.util.Date;
@@ -616,13 +616,22 @@ public void apiKeyManagement() throws Exception {
     User user = createAndSaveUser(CoreTestUtils.getRandomName(8));
     logoutAndLoginAs(user);
     mockPrincipal = new MockPrincipal(user.getUsername());
-    MvcResult result =
-        mockMvc.perform(get("/userform/ajax/apiKeyInfo").principal(mockPrincipal)).andReturn();
-    ApiInfo info = getFromJsonAjaxReturnObject(result, UserProfileController.ApiInfo.class);
+
+    // check responses before key is generated
+    MvcResult noKeyDetails =
+        mockMvc
+            .perform(get("/userform/ajax/apiKeyDisplayInfo").principal(mockPrincipal))
+            .andReturn();
+    ApiKeyInfo info = getFromJsonAjaxReturnObject(noKeyDetails, ApiKeyInfo.class);
     assertNull(info.getKey());
     assertTrue(info.isRegenerable());
     assertFalse(info.isRevokable());
+    noKeyDetails =
+        mockMvc.perform(get("/userform/ajax/apiKeyValue").principal(mockPrincipal)).andReturn();
+    ErrorList el = getErrorListFromAjaxReturnObject(noKeyDetails);
+    assertEquals("API key is not set", el.getAllErrorMessagesAsStringsSeparatedBy(""));
 
+    // create new API key
     MvcResult createdKey =
         mockMvc
             .perform(
@@ -630,25 +639,40 @@ public void apiKeyManagement() throws Exception {
                     .principal(mockPrincipal)
                     .param("password", TESTPASSWD))
             .andReturn();
-    ApiInfo created = getFromJsonAjaxReturnObject(createdKey, UserProfileController.ApiInfo.class);
+    ApiKeyInfo created = getFromJsonAjaxReturnObject(createdKey, ApiKeyInfo.class);
     assertNotNull(created.getKey());
     assertTrue(created.isRegenerable());
     assertTrue(created.isRevokable());
 
+    // retrieve details on created key
+    MvcResult retrievedKeyDetails =
+        mockMvc
+            .perform(get("/userform/ajax/apiKeyDisplayInfo").principal(mockPrincipal))
+            .andReturn();
+    info = getFromJsonAjaxReturnObject(retrievedKeyDetails, ApiKeyInfo.class);
+    assertNull(info.getKey()); // key not included in display info
+    assertTrue(info.isRegenerable());
+    assertTrue(info.isRevokable());
+    retrievedKeyDetails =
+        mockMvc.perform(get("/userform/ajax/apiKeyValue").principal(mockPrincipal)).andReturn();
+    String retrievedApiKey = getFromJsonAjaxReturnObject(retrievedKeyDetails, String.class);
+    assertEquals(created.getKey(), retrievedApiKey);
+
+    // delete key
     MvcResult deletedKey =
         mockMvc.perform(delete("/userform/ajax/apiKey").principal(mockPrincipal)).andReturn();
     Long revoked = Long.parseLong(deletedKey.getResponse().getContentAsString());
     assertTrue(revoked >= 1);
 
+    // error scenario - no password when generating the key
     MvcResult noPwd =
         mockMvc
             .perform(post("/userform/ajax/apiKey").principal(mockPrincipal).param("password", ""))
-
-            // .andExpect(status().is4xxClientError())
             .andReturn();
-    ErrorList el = getErrorListFromAjaxReturnObject(noPwd);
+    el = getErrorListFromAjaxReturnObject(noPwd);
     assertTrue(el.hasErrorMessages());
 
+    // error scenario - wrong password when generating the key
     MvcResult wrongPwd =
         mockMvc
             .perform(

From e97a77e02c762645158157a3a55416b2651f0438 Mon Sep 17 00:00:00 2001
From: matthias <matthias@researchspace.com>
Date: Wed, 31 Jul 2024 09:20:34 +0100
Subject: [PATCH 3/5] add empty defaults back, they can stay

---
 src/main/resources/deployments/dev/deployment.properties | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/main/resources/deployments/dev/deployment.properties b/src/main/resources/deployments/dev/deployment.properties
index 1a02b7e78..4426ab7ec 100644
--- a/src/main/resources/deployments/dev/deployment.properties
+++ b/src/main/resources/deployments/dev/deployment.properties
@@ -63,6 +63,9 @@ nextcloud.secret=
 egnyte.client.id=
 egnyte.internal.app.client.id=
 
+pyrat.url=
+pyrat.client.token=
+
 # clustermarket
 clustermarket.client.id=
 clustermarket.secret=

From 0ab6858e19f38a24999da584243fefbd1ed8d0b0 Mon Sep 17 00:00:00 2001
From: matthias <matthias@researchspace.com>
Date: Wed, 31 Jul 2024 13:14:47 +0100
Subject: [PATCH 4/5] minor fixes

---
 .../webapp/controller/UserProfileController.java             | 2 +-
 src/main/webapp/scripts/pages/userform.js                    | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/main/java/com/researchspace/webapp/controller/UserProfileController.java b/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
index 66676d5c8..c8aaf3db7 100644
--- a/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
+++ b/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
@@ -773,7 +773,7 @@ public static class ApiKeyInfo {
           "API key details cannot be accessed when 'operating' as another user");
     }
     User user = userManager.getAuthenticatedUserInSession();
-    SECURITY_LOG.info("User [{}] asked to see their apiKey", user.getUsername());
+    SECURITY_LOG.info("User [{}] asked to see their API key", user.getUsername());
 
     Optional<UserApiKey> optKey = apiKeyMgr.getKeyForUser(user);
     if (!optKey.isPresent()) {
diff --git a/src/main/webapp/scripts/pages/userform.js b/src/main/webapp/scripts/pages/userform.js
index 159d0ac3a..f0bef4dc0 100644
--- a/src/main/webapp/scripts/pages/userform.js
+++ b/src/main/webapp/scripts/pages/userform.js
@@ -521,7 +521,6 @@ function initApiKeyDisplay () {
 
   $(document).on("click", "#apiKeyRegenerateBtn", function(e) {
     e.preventDefault();
-    e.stopPropagation();
 
 	  $.get('/vfpwd/ajax/checkVerificationPasswordNeeded', function(response) {  
       	if (response.data) {
@@ -532,7 +531,9 @@ function initApiKeyDisplay () {
 	  });
   });
   
-  $(document).on("click", "#apiKeyRevokeBtn", function(e) { 
+  $(document).on("click", "#apiKeyRevokeBtn", function(e) {
+    e.preventDefault();
+
     $.post('/userform/ajax/apiKey', {"_method":"DELETE"}, function (intDeleted){
       if (intDeleted > 0) {
         RS.defaultConfirm("Key deleted");

From f1f1634b60ef534d4efd784319d55dae72256ad4 Mon Sep 17 00:00:00 2001
From: matthias <matthias@researchspace.com>
Date: Thu, 1 Aug 2024 09:25:26 +0100
Subject: [PATCH 5/5] report 'operate as' issue as a standard error, so it's
 displayable to the user

---
 .../webapp/controller/UserProfileController.java             | 5 ++---
 src/main/webapp/WEB-INF/pages/userform.jsp                   | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/main/java/com/researchspace/webapp/controller/UserProfileController.java b/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
index c8aaf3db7..e50319b1c 100644
--- a/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
+++ b/src/main/java/com/researchspace/webapp/controller/UserProfileController.java
@@ -106,7 +106,6 @@
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.authz.AuthorizationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.dao.DataIntegrityViolationException;
@@ -769,8 +768,8 @@ public static class ApiKeyInfo {
   @GetMapping("/ajax/apiKeyValue")
   public @ResponseBody AjaxReturnObject<String> getApiKeyValue() {
     if (SecurityUtils.getSubject().isRunAs()) {
-      throw new AuthorizationException(
-          "API key details cannot be accessed when 'operating' as another user");
+      return new AjaxReturnObject<>(
+          null, ErrorList.of("API key value cannot be accessed when 'operating as' another user"));
     }
     User user = userManager.getAuthenticatedUserInSession();
     SECURITY_LOG.info("User [{}] asked to see their API key", user.getUsername());
diff --git a/src/main/webapp/WEB-INF/pages/userform.jsp b/src/main/webapp/WEB-INF/pages/userform.jsp
index 892a4e758..dca1d8ef0 100644
--- a/src/main/webapp/WEB-INF/pages/userform.jsp
+++ b/src/main/webapp/WEB-INF/pages/userform.jsp
@@ -562,7 +562,7 @@
 	{{#enabled}}
     <div class="api-menu__key col-xs-8">
       {{#revokable}}
-        <strong>Key</strong>: <span id="api-menu__keyValue"> ... </span>
+        <strong>Key</strong>: <span id="api-menu__keyValue"> &lt;hidden&gt; </span>
           <a href="#" id="api-menu__showKey" onclick="return false;">Show Key</a>
           <a href="#" id="api-menu__hideKey" onclick="return false;">Hide Key</a>
       {{/revokable}}