Problem/Motivation

shurly_service generates a per-user API key, but the access check and permission logic in DefaultController load currentUser() instead of the user resolved from that key.

This makes the API unusable for unauthenticated (sessionless) clients — e.g. scripts or external tools — even when a valid API key is provided, defeating the purpose of per-user keys entirely.

Steps to reproduce

Call /shurly/api/shorten?apiKey=<valid-key>&longUrl=<url> without an active Drupal session. Access is denied despite the key being valid.

Proposed resolution

In the access check and permission evaluation, resolve the account from the provided apiKey parameter and use that account for all permission checks, consistent with how shurly_shorten() already handles it internally.

Remaining tasks

Patch DefaultController::shurly_service_access_api_key() and update the shorten/expand methods to use the API key-resolved account throughout.

User interface changes

None.

API changes

None. Existing request format is unchanged.

Data model changes

None.
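
A self-contained model of the reported check beside the proposed one, added here as an illustration and not taken from the ShURLy code base. The `Account` class, the key store, the function names and the `use api` permission string are all hypothetical, and the blocked-owner case is an assumption that goes beyond what the issue describes.

```php
<?php
// Added illustration: every name below is hypothetical, not ShURLy or Drupal API.
final class Account {
    public function __construct(
        public readonly bool $active,
        private readonly array $permissions,
    ) {}
    public function hasPermission(string $p): bool {
        return $this->active && in_array($p, $this->permissions, true);
    }
}

// Constructed key store: API key => owning account.
function key_store(): array {
    return [
        'k-constructed-1' => new Account(true, ['use api']),
        'k-constructed-2' => new Account(false, ['use api']), // blocked owner
    ];
}

// Resolve the key owner; null for a missing or unknown key, never a fallback user.
function account_from_key(?string $apiKey): ?Account {
    if ($apiKey === null || $apiKey === '') {
        return null;
    }
    foreach (key_store() as $known => $account) {
        if (hash_equals($known, $apiKey)) { // constant-time string comparison
            return $account;
        }
    }
    return null;
}

// Reported behaviour: the session user decides and the key is never consulted.
function access_before(Account $sessionUser, ?string $apiKey): bool {
    return $sessionUser->hasPermission('use api');
}

// Proposed behaviour: only the account the key resolves to decides.
function access_after(?string $apiKey): bool {
    $account = account_from_key($apiKey);
    return $account !== null && $account->hasPermission('use api');
}

$anonymous = new Account(true, []); // sessionless client with no permissions
var_dump(access_before($anonymous, 'k-constructed-1')); // valid key, old check
var_dump(access_after('k-constructed-1')); // valid key, active owner
var_dump(access_after('k-constructed-2')); // valid key, blocked owner
var_dump(access_after('bogus'));           // unknown key
```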

Issue fork shurly-3593648

Comments

norman.lol created an issue. See original summary.

norman.lol

Component: Documentation » Code
Status: Active » Needs review
yannickoo

Status: Needs review » Reviewed & tested by the community

Oh really nice fix! This works as expected 💪