Skip to content

[DevPortal] Implement API Keys page#2729

Open
Piumal1999 wants to merge 3 commits into
wso2:mainfrom
Piumal1999:apikey
Open

[DevPortal] Implement API Keys page#2729
Piumal1999 wants to merge 3 commits into
wso2:mainfrom
Piumal1999:apikey

Conversation

@Piumal1999

Copy link
Copy Markdown
Contributor

Purpose

Implementing a page to display the user's api keys

Approach

Implemented the page with the same design as in the api's api-keys page

Automation tests

  • Integration tests
    • Added rest api tests

Samples

image

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@Piumal1999, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 32 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bb21b0a2-7610-464b-b331-c50b88fe3a36

📥 Commits

Reviewing files that changed from the base of the PR and between cf888f3 and ae09162.

📒 Files selected for processing (18)
  • docs/rest-apis/devportal/README.md
  • docs/rest-apis/devportal/api-keys.md
  • docs/rest-apis/devportal/mcp-server-keys.md
  • docs/rest-apis/devportal/schemas.md
  • portals/developer-portal/docs/devportal-openapi-spec-v0.9.yaml
  • portals/developer-portal/it/rest-api/api-keys/api-keys.spec.js
  • portals/developer-portal/it/rest-api/api-keys/webhook-events.spec.js
  • portals/developer-portal/it/rest-api/mcp-servers/mcp-servers.spec.js
  • portals/developer-portal/src/app.js
  • portals/developer-portal/src/controllers/apiContentController.js
  • portals/developer-portal/src/controllers/apiKeyController.js
  • portals/developer-portal/src/controllers/apiKeysOverviewController.js
  • portals/developer-portal/src/defaultContent/partials/sidebar.hbs
  • portals/developer-portal/src/pages/api-keys-overview/page.hbs
  • portals/developer-portal/src/routes/api/handlers/apiKeysHandler.js
  • portals/developer-portal/src/routes/pages/apiKeysOverviewRoute.js
  • portals/developer-portal/src/scripts/api-keys-overview.js
  • portals/developer-portal/src/scripts/common.js
📝 Walkthrough

Walkthrough

Adds a global API-key listing endpoint and Developer Portal overview page, removes internal keyId from API-key responses and documentation, standardizes API-key navigation visibility, and expands integration tests for response disclosure, listing filters, metadata, and webhook identifiers.

Changes

API key contracts and portal experience

Layer / File(s) Summary
API-key contracts and documentation
docs/rest-apis/devportal/*, portals/developer-portal/docs/devportal-openapi-spec-v0.9.yaml
Documents GET /api-keys, updates pagination and metadata schemas, and removes keyId from API-key examples and response contracts.
API-key controller and route wiring
portals/developer-portal/src/controllers/apiKeyController.js, portals/developer-portal/src/routes/api/handlers/apiKeysHandler.js
Adds authenticated global listing with status validation, pagination, and owning-API metadata; mutation responses no longer expose internal UUIDs.
Portal routing and navigation state
portals/developer-portal/src/app.js, portals/developer-portal/src/controllers/apiContentController.js, portals/developer-portal/src/defaultContent/partials/sidebar.hbs, portals/developer-portal/src/scripts/common.js
Registers API-key overview content, adds sidebar navigation, centralizes API-key visibility decisions, and uses first-path-segment matching for active navigation.
API-key overview page and actions
portals/developer-portal/src/controllers/apiKeysOverviewController.js, portals/developer-portal/src/routes/pages/apiKeysOverviewRoute.js, portals/developer-portal/src/pages/api-keys-overview/page.hbs, portals/developer-portal/src/scripts/api-keys-overview.js
Adds the authenticated overview page with key listing, read-only rendering, regeneration, revocation, application association, secret display, and clipboard support.
API-key response and webhook validation
portals/developer-portal/it/rest-api/api-keys/*, portals/developer-portal/it/rest-api/mcp-servers/mcp-servers.spec.js
Tests non-disclosure of keyId and secrets, global listing metadata and invalid filters, application association, MCP responses, and webhook aggregate_uuid mapping.

Estimated code review effort: 4 (Complex) | ~45 minutes

Possibly related PRs

  • wso2/api-platform#2561: Updates the backend user API-key list response with pagination fields related to the global API-key listing contract.

Suggested reviewers: renuka-fernando, malinthaprasan, pubudu538, chamilaadhi, ashera96

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is on-topic but missing several required template sections, including Goals, Documentation, Security checks, Related PRs, and Test environment. Add the missing template sections and briefly fill each one, especially goals, docs, security checks, related PRs, and test environment.
Docstring Coverage ⚠️ Warning Docstring coverage is 56.41% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change: adding an API Keys page in DevPortal.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (3)
portals/developer-portal/src/controllers/apiContentController.js (1)

581-582: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Remove the redundant API definition fetch.

The resolveShowApiKeysNav helper internally encapsulates the exact same logic to lazily fetch the API definition if the preloadedDefinition argument is omitted. You can simplify this controller method by removing the manual apiDefinitionForNav fetch block above this line and allowing the helper to handle it natively. This also resolves a minor discrepancy where SOAP APIs were not excluded from the manual fetch attempt.

♻️ Proposed refactor
-            let apiDefinitionForNav = null;
-            if (apiType !== constants.API_TYPE.GRAPHQL && apiType !== constants.API_TYPE.MCP) {
-                try {
-                    apiDefinitionForNav = await getApiDefinitionFileContent(orgId, apiId);
-                } catch (definitionErr) {
-                    logger.debug('Could not load API definition for API keys nav check', {
-                        orgId,
-                        apiId,
-                        error: definitionErr.message
-                    });
-                }
-            }
-
             const templateContent = {
                 baseUrl: '/' + orgName + '/views/' + viewName + "/api/" + apiHandle,
                 baseDocUrl: '/' + orgName + '/views/' + viewName + "/api/" + apiHandle,
                 docTypes: docNames,
                 apiType: apiType,
                 apiName: apiMetadata[0].dataValues.name || '',
                 profile: req.isAuthenticated() ? profile : null,
                 devportalMode: devportalMode,
-                showApiKeysNav: await resolveShowApiKeysNav(orgId, apiId, apiType, metaForNav, apiDefinitionForNav),
+                showApiKeysNav: await resolveShowApiKeysNav(orgId, apiId, apiType, metaForNav),
             };
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@portals/developer-portal/src/controllers/apiContentController.js` around
lines 581 - 582, Remove the manual apiDefinitionForNav fetch block from the
controller method and call resolveShowApiKeysNav without passing that preloaded
definition, allowing the helper to perform its native lazy fetch and preserve
SOAP API handling.
portals/developer-portal/src/controllers/apiKeysOverviewController.js (1)

42-44: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Remove redundant req.user check.

The ensureAuthenticated middleware already validates the session and handles the redirect to the login page for unauthenticated users. Based on learnings, direct req.user checks and redirects are redundant in controllers protected by this middleware.

♻️ Proposed refactor
-        if (!req.user) {
-            return res.redirect(`/${orgName}${constants.ROUTE.VIEWS_PATH}${viewName}/login`);
-        }
         const devportalMode = orgDetails.configuration?.devportalMode || constants.DEVPORTAL_MODE.DEFAULT;
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@portals/developer-portal/src/controllers/apiKeysOverviewController.js` around
lines 42 - 44, Remove the redundant req.user conditional and redirect from the
controller, relying on the ensureAuthenticated middleware to handle
unauthenticated requests while leaving the authenticated controller flow
unchanged.

Source: Learnings

portals/developer-portal/src/controllers/apiKeyController.js (1)

230-238: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Use util.sendError for consistent error responses.

Instead of manually constructing the JSON error payload and hardcoding code: 'INTERNAL_SERVER_ERROR', use util.sendError to ensure the error response is formatted consistently with the rest of the controller and automatically uses the appropriate error code.

♻️ Proposed refactor
     } catch (err) {
         logger.error('Failed to list all API keys', { error: err.message, orgId });
-        return res.status(errorStatus(err)).json({
-            status: 'error',
-            code: 'INTERNAL_SERVER_ERROR',
-            message: 'Failed to list API keys',
-            errors: [],
-        });
+        return util.sendError(res, errorStatus(err), 'Failed to list API keys');
     }
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@portals/developer-portal/src/controllers/apiKeyController.js` around lines
230 - 238, Update the catch block in the API-key listing controller to call
util.sendError with the response, error, and existing failure context instead of
manually constructing the status and JSON payload. Preserve the current logging
and ensure util.sendError determines the appropriate status and error code.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@portals/developer-portal/src/pages/api-keys-overview/page.hbs`:
- Around line 65-68: Update the apiType conditional in the API link within the
overview template to apply the lowercase helper before comparing against “mcp”,
ensuring MCP values in any casing generate the /mcp/ path while other types
continue using /api/.

---

Nitpick comments:
In `@portals/developer-portal/src/controllers/apiContentController.js`:
- Around line 581-582: Remove the manual apiDefinitionForNav fetch block from
the controller method and call resolveShowApiKeysNav without passing that
preloaded definition, allowing the helper to perform its native lazy fetch and
preserve SOAP API handling.

In `@portals/developer-portal/src/controllers/apiKeyController.js`:
- Around line 230-238: Update the catch block in the API-key listing controller
to call util.sendError with the response, error, and existing failure context
instead of manually constructing the status and JSON payload. Preserve the
current logging and ensure util.sendError determines the appropriate status and
error code.

In `@portals/developer-portal/src/controllers/apiKeysOverviewController.js`:
- Around line 42-44: Remove the redundant req.user conditional and redirect from
the controller, relying on the ensureAuthenticated middleware to handle
unauthenticated requests while leaving the authenticated controller flow
unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 430f5590-1206-4751-8f76-b1ed7c3145c2

📥 Commits

Reviewing files that changed from the base of the PR and between 90ba4ba and 0913037.

📒 Files selected for processing (33)
  • docs/rest-apis/devportal/README.md
  • docs/rest-apis/devportal/api-keys.md
  • docs/rest-apis/devportal/labels.md
  • docs/rest-apis/devportal/mcp-server-keys.md
  • docs/rest-apis/devportal/schemas.md
  • portals/developer-portal/configs/config-platform-api.toml.example
  • portals/developer-portal/docs/devportal-openapi-spec-v0.9.yaml
  • portals/developer-portal/it/Makefile
  • portals/developer-portal/it/configs/config-platform-api-it.toml
  • portals/developer-portal/it/docker-compose.test.postgres.yaml
  • portals/developer-portal/it/docker-compose.test.yaml
  • portals/developer-portal/it/rest-api/api-content/api-content.spec.js
  • portals/developer-portal/it/rest-api/api-keys/api-keys.spec.js
  • portals/developer-portal/it/rest-api/apis/artifact-zip-apis.spec.js
  • portals/developer-portal/it/rest-api/apis/rest-apis.spec.js
  • portals/developer-portal/it/rest-api/jest.config.js
  • portals/developer-portal/it/rest-api/subscriptions/webhook-events.spec.js
  • portals/developer-portal/it/rest-api/support/autoCleanup.js
  • portals/developer-portal/it/rest-api/support/cleanup.js
  • portals/developer-portal/it/rest-api/support/client.js
  • portals/developer-portal/it/rest-api/support/fixtures.js
  • portals/developer-portal/src/app.js
  • portals/developer-portal/src/controllers/apiContentController.js
  • portals/developer-portal/src/controllers/apiKeyController.js
  • portals/developer-portal/src/controllers/apiKeysOverviewController.js
  • portals/developer-portal/src/dao/apiDao.js
  • portals/developer-portal/src/defaultContent/partials/sidebar.hbs
  • portals/developer-portal/src/pages/api-keys-overview/page.hbs
  • portals/developer-portal/src/routes/api/handlers/apiKeysHandler.js
  • portals/developer-portal/src/routes/pages/apiKeysOverviewRoute.js
  • portals/developer-portal/src/scripts/api-keys-overview.js
  • portals/developer-portal/src/scripts/common.js
  • portals/developer-portal/src/services/apiMetadataService.js
💤 Files with no reviewable changes (2)
  • docs/rest-apis/devportal/mcp-server-keys.md
  • portals/developer-portal/src/dao/apiDao.js

Comment thread portals/developer-portal/src/pages/api-keys-overview/page.hbs
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 17, 2026
@Piumal1999
Piumal1999 dismissed coderabbitai[bot]’s stale review July 17, 2026 06:39

The merge-base changed after approval.

lasanthaS
lasanthaS previously approved these changes Jul 17, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@portals/developer-portal/src/scripts/api-keys-overview.js`:
- Around line 154-166: Update loadApps so failed /applications requests return
an empty array without assigning [] to _apps; preserve caching only for
successfully parsed application data, allowing later modal opens to retry
transient failures.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fefd03c1-87a0-41a8-b41a-c7f8e98bbcfd

📥 Commits

Reviewing files that changed from the base of the PR and between 6c3f41a and cf888f3.

📒 Files selected for processing (18)
  • docs/rest-apis/devportal/README.md
  • docs/rest-apis/devportal/api-keys.md
  • docs/rest-apis/devportal/mcp-server-keys.md
  • docs/rest-apis/devportal/schemas.md
  • portals/developer-portal/docs/devportal-openapi-spec-v0.9.yaml
  • portals/developer-portal/it/rest-api/api-keys/api-keys.spec.js
  • portals/developer-portal/it/rest-api/api-keys/webhook-events.spec.js
  • portals/developer-portal/it/rest-api/mcp-servers/mcp-servers.spec.js
  • portals/developer-portal/src/app.js
  • portals/developer-portal/src/controllers/apiContentController.js
  • portals/developer-portal/src/controllers/apiKeyController.js
  • portals/developer-portal/src/controllers/apiKeysOverviewController.js
  • portals/developer-portal/src/defaultContent/partials/sidebar.hbs
  • portals/developer-portal/src/pages/api-keys-overview/page.hbs
  • portals/developer-portal/src/routes/api/handlers/apiKeysHandler.js
  • portals/developer-portal/src/routes/pages/apiKeysOverviewRoute.js
  • portals/developer-portal/src/scripts/api-keys-overview.js
  • portals/developer-portal/src/scripts/common.js
💤 Files with no reviewable changes (1)
  • docs/rest-apis/devportal/mcp-server-keys.md
🚧 Files skipped from review as they are similar to previous changes (12)
  • portals/developer-portal/src/routes/pages/apiKeysOverviewRoute.js
  • portals/developer-portal/src/routes/api/handlers/apiKeysHandler.js
  • portals/developer-portal/src/defaultContent/partials/sidebar.hbs
  • docs/rest-apis/devportal/README.md
  • portals/developer-portal/src/controllers/apiKeysOverviewController.js
  • portals/developer-portal/src/app.js
  • portals/developer-portal/it/rest-api/api-keys/api-keys.spec.js
  • portals/developer-portal/it/rest-api/mcp-servers/mcp-servers.spec.js
  • portals/developer-portal/src/controllers/apiKeyController.js
  • portals/developer-portal/it/rest-api/api-keys/webhook-events.spec.js
  • portals/developer-portal/src/pages/api-keys-overview/page.hbs
  • portals/developer-portal/src/controllers/apiContentController.js

Comment thread portals/developer-portal/src/scripts/api-keys-overview.js
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants