Admin Ability to Create API Keys for Integration with External Systems #3007

Closed
mastercactapus opened this issue May 11, 2023 · 7 comments · Fixed by #3797
@mastercactapus
Member

What problem would you like to solve? Please describe:
External systems and teams often want to build tools that integrate with GoAlert directly but currently lack the ability to authenticate and securely access GoAlert's API.

Describe the solution you'd like:
Allow administrators to create and manage API keys for external system integration. Offer direct tokens with optional expiration time and support for tokens generated by an OAuth server. Limit the ability to generate keys to users with admin access, but the keys themselves may not have admin-level access. For now, keep the ability to limit keys to specific resources out of scope, as the current auth model doesn't support it.

Describe alternatives you've considered:
User-generated API keys can be considered, but starting with user access limited to admins can help with adoption and maintain security.

Additional context:
Some use cases for API keys include:

  • External systems subscribing to alert events for improved communication and reporting
  • Building a Terraform plugin for GoAlert
  • Integrating with external scheduling systems
  • Synchronizing multiple GoAlert instances
@mastercactapus mastercactapus added the enhancement New feature or request label May 11, 2023
@mastercactapus
Member Author

untitled-Map 1

1ddo pushed a commit to 1ddo/goalert that referenced this issue Jul 26, 2023
@mastercactapus
Member Author

UI Design Notes:

New page Admin > API Keys as a list page displaying keys:

  • no search
  • no pagination
  • Name, Expiration, # of fields, is read-only (no Mutation.*), time last used
  • CREATE API KEY button (top on wide, FAB on mobile)
  • Can edit keys (name and description only)
  • Clicking on a key opens a details pane (like the Admin > Message Logs page) to allow edit & delete
    • Show allowed fields
    • Show creation time
    • Show created by user
    • Show last user agent string

New API Key form/dialog:

  • input: Name
  • input: Description
  • input: Expiration time
  • input: Allowed fields (multi-select)
    • Optional query input (paste/enter gql query, update selected fields)
  • Upon creation show non-click-away dialog state with copy button (only way to get the token)

API Reqs:

  • apiKeys query to list all API keys
  • createAPIKey mutation to generate a new key
  • queryFields query to list the fields of a provided query
  • allowedFields query to list all available schema fields
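
The list columns and the allowed-fields input described above amount to a small least-privilege policy. The following is an added example, not GoAlert's own code: the `APIKey` type, its method names and the sample field strings are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// APIKey is a hypothetical model of the key in the design notes; the
// field names are assumptions, not GoAlert's own types.
type APIKey struct {
	Name          string
	ExpiresAt     time.Time
	AllowedFields []string // "Type.field" entries, e.g. "Query.service"
}

// ReadOnly reports whether the key grants no Mutation.* field.
func (k APIKey) ReadOnly() bool {
	for _, f := range k.AllowedFields {
		if strings.HasPrefix(f, "Mutation.") {
			return false
		}
	}
	return true
}

// Expired reports whether now is at or past the key's expiration time.
func (k APIKey) Expired(now time.Time) bool { return !now.Before(k.ExpiresAt) }

// Denied returns, sorted, the requested fields that are not on the allow
// list. An expired key denies every field it is asked for.
func (k APIKey) Denied(requested []string, now time.Time) []string {
	allowed := make(map[string]bool, len(k.AllowedFields))
	if !k.Expired(now) {
		for _, f := range k.AllowedFields {
			allowed[f] = true
		}
	}
	var denied []string
	for _, f := range requested {
		if !allowed[f] {
			denied = append(denied, f)
		}
	}
	sort.Strings(denied)
	return denied
}

func main() {
	now := time.Date(2024, 2, 5, 0, 0, 0, 0, time.UTC) // constructed sample time
	key := APIKey{Name: "reporting", ExpiresAt: now.Add(24 * time.Hour),
		AllowedFields: []string{"Query.service", "Service.name"}} // constructed sample
	fmt.Println(key.ReadOnly(), key.Denied([]string{"Query.service", "Mutation.deleteAll"}, now))
}
```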

@mastercactapus
Member Author

mastercactapus commented Oct 19, 2023

Remaining items:

  • Create key dialog enter query field (query -> allowed fields)
  • Denote expired keys
  • Add "duplicate" key option that's also available for expired keys
  • Add playwright integration test
  • remove experimental flag

@mastercactapus
Member Author

mastercactapus commented Oct 19, 2023

  • duplicate should open the create dialog with all the values pre-populated
  • expired keys should probably have a warning icon
  • integration test can wait until the query field is done (so it can be a full test)

@Forfold
Contributor

Forfold commented Feb 5, 2024

@mastercactapus How do we use this interface with input variables and how are input variables intended to be sent as a request to this API?

i.e. a Service query requires an ID as an input

Screenshot 2024-02-05 at 9 51 46 AM

@mastercactapus
Member Author

Query doc would look something like this:
image

The actual request payload would be like this:

{
  "variables": {
    "id": "11111111-1111-1111-1111-111111111111"
  },
  "operationName": "Service"
}

Note that the query field can be omitted with API keys, otherwise it would look like this:

{
  "query": "query Service($id: ID!) {\n\tservice(id: $id) {\n    name\n  }\n}",
  "variables": {
    "id": "11111111-1111-1111-1111-111111111111"
  },
  "operationName": "Service"
}
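
A client-side sketch of the first payload form above, where `query` is omitted. This is an added example, not code from the GoAlert project: the endpoint URL, the `Bearer` Authorization header, and the names `gqlRequest`, `Payload` and `NewKeyRequest` are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// gqlRequest mirrors the payloads in the comment above. omitempty drops
// "query" when it is empty, which gives the API-key form of the request.
type gqlRequest struct {
	Query         string         `json:"query,omitempty"`
	Variables     map[string]any `json:"variables"`
	OperationName string         `json:"operationName"`
}

// Payload encodes a request body that carries only variables and the
// operation name, with no query document.
func Payload(op string, vars map[string]any) ([]byte, error) {
	if op == "" {
		return nil, errors.New("operationName is required")
	}
	return json.Marshal(gqlRequest{Variables: vars, OperationName: op})
}

// NewKeyRequest builds the POST for an API-key call. How the token is
// sent (a Bearer Authorization header) is an assumption of this example.
func NewKeyRequest(endpoint, token, op string, vars map[string]any) (*http.Request, error) {
	if token == "" {
		return nil, errors.New("empty API token")
	}
	body, err := Payload(op, vars)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+token)
	return req, nil
}

func main() {
	// The ID is the sample value from the comment above.
	b, _ := Payload("Service", map[string]any{"id": "11111111-1111-1111-1111-111111111111"})
	fmt.Println(string(b))
}
```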

@mastercactapus
Member Author

More info on variables here:
https://graphql.org/learn/queries/#variables
