vufind-org · demiankatz · Oct 24, 2025 · Jun 27, 2025 · Jul 10, 2025 · Jul 10, 2025
diff --git a/config/vufind/config.ini b/config/vufind/config.ini
@@ -2694,6 +2694,23 @@ description = "The REST API provides access to search functions and records cont
 ; URL pointing to a Terms of Service page (optional, default is none):
 ;termsOfServiceUrl = "https://something"
 
+; These settings control usage of API keys
+[API_Keys]
+; Mode for using API keys.
+; 'disabled' means API keys are not in use and cannot be created. Default.
+; 'optional' allows users to create API keys and use them, but it is not mandatory.
+; 'enforced' forces users to create and provide an API key in a header field (see
+; header_field setting below).
+;mode = 'optional'
+; Token salt to add when generating a new API key for a user.
+; Minimum allowed length for salt is 10 characters.
+; Example how to create a salt: echo hash('sha256', $random_string_to_use_for_the_salt);
+;token_salt = 
+; The header field key that should be used to provide the API key. Default is X-API-KEY.
+;header_field = 'X-API-KEY'
+; How many API keys can a user have at maximum. Default is 5.
+;key_limit = 5
+
 [Sorting]
 ; By default, VuFind sorts text in a locale-agnostic way; if this setting is
 ; turned on, the current user-selected locale will impact sort order.

diff --git a/config/vufind/permissionBehavior.ini b/config/vufind/permissionBehavior.ini
@@ -83,6 +83,10 @@ defaultDeniedTemplateBehavior = false
 [access.EITModule]
 deniedTemplateBehavior = showTemplate:error/loginForAccess
 
+; Configuration for developer settings
+[feature.Developer]
+deniedTemplateBehavior = "showTemplate:error/developer-settings-denied"
+
 ; Example configuration for non-standard favorites permission behavior:
 ;[feature.Favorites]
 ;deniedTemplateBehavior = "showMessage:Login for Favorites"

diff --git a/config/vufind/permissions.ini b/config/vufind/permissions.ini
@@ -13,6 +13,10 @@
 ;              combined may vary from provider to provider (see below).
 ; permission - The name(s) of the permission(s) to grant. May be a single string or
 ;              an array of strings.
+; assertion  - The name(s) of the assertion(s) class(es) to check for permission.
+;              May be a single assertion name or an array of assertion names.
+;            - Currently supported assertions:
+;               - VerifiedEmail: Asserts that the user has a verified email.
 ;
 ; Any other keys in the section should be the names of permission provider services.
 ; The values associated with these keys will be passed along to the services.
@@ -75,6 +79,7 @@
 ; ipRange[] = "1.2.3.7-1.2.5.254"
 ; insecureCookie = "VUFIND_CUSTOM_COOKIE_NAME"
 ; permission = sample.permission
+; assertion[] = VerifiedEmail
 ; sessionKey = "VUFIND_SESSION_KEY_NAME"
 
 ; Example configuration (grants the "sample.permission" permission to users
@@ -118,6 +123,13 @@ permission = access.StaffViewTab
 role[] = loggedin
 permission = feature.Favorites
 
+; By default, logged in users are allowed to use developer settings.
+; See DeveloperPermissionAssertion class. 
+[default.Developer]
+role[] = loggedin
+permission = feature.Developer
+assertion[] = VerifiedEmail
+
 ; Example for dynamic debug mode
 ;[default.DebugMode]
 ;username[] = admin

diff --git a/languages/Developer/en.ini b/languages/Developer/en.ini
@@ -0,0 +1,8 @@
+api_key_deletion_success = "API key was deleted successfully."
+api_key_generate = "Generate new key"
+api_key_generation_success = "API key was generated successfully. Key will be displayed only once, so save it now: %%TOKEN%%"
+api_key_locked = "API key is locked. Please contact support if you have questions."
+api_keys = "API keys"
+settings = "Developer settings"
+show_developer_settings = "Show developer settings"
+verify_email_address = "Please verify your email address to use developer settings"
diff --git a/languages/Developer/fi.ini b/languages/Developer/fi.ini
@@ -0,0 +1,8 @@
+api_key_deletion_success = "API-avaimen poistaminen onnistui"
+api_key_generate = "Luo uusi avain"
+api_key_generation_success = "API-avaimen luonti onnistui. Avain näytetään vain kerran, joten tallenna se muistiin: %%TOKEN%%"
+api_key_locked = "API-avain on lukittu. Ota yhteyttä tukeen, jos sinulla on kysyttävää"
+api_keys = "API-avaimet"
+settings = "Kehittäjäasetukset"
+show_developer_settings = "Näytä kehittäjäasetukset"
+verify_email_address = "Vahvista sähköpostiosoitteesi käyttääksesi kehittäjäasetuksia"
diff --git a/languages/Developer/se.ini b/languages/Developer/se.ini
@@ -0,0 +1,8 @@
+api_key_deletion_success = "API-čoavdaga sihkkun lihkostuvai"
+api_key_generate = "Ráhkat ođđa čoavdaga"
+api_key_generation_success = "API-čoavdaga ráhkadeapmi lihkostuvai. Čoavdda čájehuvvo dušše oktii, vurke dan muitui: %%TOKEN%%"
+api_key_locked = "API-čoavdda lea lohkkaduvvon. Váldde oktavuođa doarjagii, jus dus leat jearaldagat"
+api_keys = "API-čoavdda"
+settings = "Ovddideaddjiásahusat"
+show_developer_settings = "Čájet ovddideaddjiásahusaid"
+verify_email_address = "Nanne šleađgapoastta vai beasat geavahit ovddideaddjiásahusaid"
diff --git a/languages/Developer/sv.ini b/languages/Developer/sv.ini
@@ -0,0 +1,8 @@
+api_key_deletion_success = "API-nyckeln har tagits bort."
+api_key_generate = "Skapa en ny nyckel"
+api_key_generation_success = "API-nyckeln har skapats. Nyckeln visas bara en gång så se till att spara nyckeln: %%TOKEN%%"
+api_key_locked = "API-nyckeln har låsts. Kontakta supporten om du har frågor."
+api_keys = "API-nycklar"
+settings = "Utvecklarinställningar"
+show_developer_settings = "Visa utvecklarinställningar"
+verify_email_address = "Bekräfta din e-postadress för att använda utvecklarinställningar"
diff --git a/module/VuFind/config/module.config.php b/module/VuFind/config/module.config.php
@@ -168,6 +168,7 @@
             'VuFind\Controller\AjaxController' => 'VuFind\Controller\AjaxControllerFactory',
             'VuFind\Controller\AlmaController' => 'VuFind\Controller\AbstractBaseFactory',
             'VuFind\Controller\AlphabrowseController' => 'VuFind\Controller\AbstractBaseFactory',
+            'VuFind\Controller\DeveloperSettingsController' => 'VuFind\Controller\AbstractBaseFactory',
             'VuFind\Controller\AuthorController' => 'VuFind\Controller\AbstractBaseFactory',
             'VuFind\Controller\AuthorityController' => 'VuFind\Controller\AbstractBaseFactory',
             'VuFind\Controller\AuthorityRecordController' => 'VuFind\Controller\AbstractBaseFactory',
@@ -244,6 +245,8 @@
             'alma' => 'VuFind\Controller\AlmaController',
             'Alphabrowse' => 'VuFind\Controller\AlphabrowseController',
             'alphabrowse' => 'VuFind\Controller\AlphabrowseController',
+            'DeveloperSettings' => 'VuFind\Controller\DeveloperSettingsController',
+            'developersettings' => 'VuFind\Controller\DeveloperSettingsController',
             'Author' => 'VuFind\Controller\AuthorController',
             'author' => 'VuFind\Controller\AuthorController',
             'Authority' => 'VuFind\Controller\AuthorityController',
@@ -422,6 +425,7 @@
             'League\CommonMark\MarkdownConverter' => 'VuFind\Service\MarkdownFactory',
             'VuFind\Account\UserAccountService' => 'VuFind\Account\UserAccountServiceFactory',
             'VuFind\AjaxHandler\PluginManager' => 'VuFind\ServiceManager\AbstractPluginManagerFactory',
+            'VuFind\DeveloperSettings\DeveloperSettingsService' => 'VuFind\DeveloperSettings\DeveloperSettingsServiceFactory',
             'VuFind\Auth\EmailAuthenticator' => 'VuFind\Auth\EmailAuthenticatorFactory',
             'VuFind\Auth\ILSAuthenticator' => 'VuFind\Auth\ILSAuthenticatorFactory',
             'VuFind\Auth\LoginTokenManager' => 'VuFind\Auth\LoginTokenManagerFactory',
@@ -569,6 +573,7 @@
             'VuFindHttp\HttpService' => 'VuFind\Service\HttpServiceFactory',
             'VuFindSearch\Service' => 'VuFind\Service\SearchServiceFactory',
             'Laminas\Session\SessionManager' => 'VuFind\Session\ManagerFactory',
+            'Lmc\Rbac\Mvc\Service\AuthorizationService' => 'VuFind\Service\AuthorizationServiceFactory',
         ],
         'delegators' => [
             'Laminas\Mvc\I18n\Translator' => [
@@ -785,6 +790,14 @@
             ],
         ],
         'vufind_permission_provider_manager' => [ /* see VuFind\Role\PermissionProvider\PluginManager for defaults */ ],
+        'assertion_manager' => [
+            'factories' => [
+                'VuFind\Role\Assertion\HasVerifiedEmailAssertion' => 'Laminas\ServiceManager\Factory\InvokableFactory',
+            ],
+            'aliases' => [
+                'VerifiedEmail' => 'VuFind\Role\Assertion\HasVerifiedEmailAssertion',
+            ],
+        ],
     ],
 ];
 
@@ -887,6 +900,9 @@
     'Confirm/Confirm',
     'Cover/Show',
     'Cover/Unavailable',
+    'DeveloperSettings/DeleteApiKey',
+    'DeveloperSettings/DisplaySettings',
+    'DeveloperSettings/GenerateApiKey',
     'EDS/Advanced',
     'EDS/Home',
     'EDS/Search',

diff --git a/module/VuFind/sql/migrations/mysql/11.0/010-add-api-key-table.sql b/module/VuFind/sql/migrations/mysql/11.0/010-add-api-key-table.sql
@@ -0,0 +1,14 @@
+CREATE TABLE IF NOT EXISTS `api_key` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `user_id` int(11) DEFAULT NULL,
+  `title` varchar(255) NOT NULL,
+  `token` varchar(255) NOT NULL,
+  `revoked` tinyint(1) NOT NULL DEFAULT 0,
+  `created` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  `last_used` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  PRIMARY KEY (`id`),
+  KEY `api_key_user_id_idx` (`user_id`),
+  KEY `api_key_token_idx` (`token`),
+  KEY `api_key_last_used_idx` (`last_used`),
+  CONSTRAINT `api_key_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE utf8mb4_unicode_ci;
diff --git a/module/VuFind/sql/migrations/pgsql/11.0/010-add-api-key-table.sql b/module/VuFind/sql/migrations/pgsql/11.0/010-add-api-key-table.sql
@@ -0,0 +1,13 @@
+CREATE TABLE api_key (
+  id int(11) unsigned NOT NULL AUTO_INCREMENT,
+  user_id int(11) DEFAULT NULL,
+  title varchar(255) NOT NULL,
+  token varchar(255) NOT NULL,
+  revoked tinyint(1) NOT NULL DEFAULT '0',
+  created timestamp NOT NULL DEFAULT '2000-01-01 00:00:00',
+  last_used timestamp NOT NULL DEFAULT '2000-01-01 00:00:00',
+  PRIMARY KEY (id),
+);
+CREATE INDEX api_key_user_id_idx ON api_key (user_id);
+CREATE INDEX api_key_token_idx ON api_key (token);
+CREATE INDEX api_key_last_used_idx ON api_key (last_used);
diff --git a/module/VuFind/sql/mysql.sql b/module/VuFind/sql/mysql.sql
@@ -417,6 +417,28 @@ CREATE TABLE `access_token` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE utf8mb4_unicode_ci;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
+--
+-- Table structure for table `api_key`
+--
+
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8mb4 */;
+CREATE TABLE `api_key` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `user_id` int(11) DEFAULT NULL,
+  `title` varchar(255) NOT NULL,
+  `token` varchar(255) NOT NULL,
+  `revoked` tinyint(1) NOT NULL DEFAULT 0,
+  `created` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  `last_used` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  PRIMARY KEY (`id`),
+  KEY `api_key_user_id_idx` (`user_id`),
+  KEY `api_key_token_idx` (`token`),
+  KEY `api_key_last_used_idx` (`last_used`),
+  CONSTRAINT `api_key_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE utf8mb4_unicode_ci;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
 --
 -- Table structure for table `login_token`
 --

diff --git a/module/VuFind/sql/pgsql.sql b/module/VuFind/sql/pgsql.sql
@@ -389,6 +389,22 @@ PRIMARY KEY (id, type)
 );
 CREATE INDEX access_token_user_id_idx ON access_token (user_id);
 
+DROP TABLE IF EXISTS "api_key";
+
+CREATE TABLE api_key (
+  id int(11) unsigned NOT NULL AUTO_INCREMENT,
+  user_id int(11) DEFAULT NULL,
+  title varchar(255) NOT NULL,
+  token varchar(255) NOT NULL,
+  revoked tinyint(1) NOT NULL default '0',
+  created timestamp NOT NULL default '2000-01-01 00:00:00',
+  last_used timestamp NOT NULL default '2000-01-01 00:00:00',
+  PRIMARY KEY (id),
+);
+CREATE INDEX api_key_user_id_idx ON api_key (user_id);
+CREATE INDEX api_key_token_idx ON api_key (token);
+CREATE INDEX api_key_last_used_idx ON api_key (last_used);
+
 --
 -- Table structure for table `login_token`
 --

diff --git a/module/VuFind/src/VuFind/Controller/AbstractBase.php b/module/VuFind/src/VuFind/Controller/AbstractBase.php
@@ -459,12 +459,26 @@ protected function catalogLogin()
      * @param string $id Configuration identifier (default = main VuFind config)
      *
      * @return \VuFind\Config\Config
+     *
+     * @deprecated Use AbstractBase::getConfigArray
      */
     public function getConfig($id = 'config')
     {
         return $this->getService(\VuFind\Config\ConfigManagerInterface::class)->getConfigObject($id);
     }
 
+    /**
+     * Get a VuFind configuration as an associative array.
+     *
+     * @param string $id Configuration identifier (default = config)
+     *
+     * @return array
+     */
+    public function getConfigArray(string $id = 'config'): array
+    {
+        return $this->getService(\VuFind\Config\ConfigManagerInterface::class)->getConfigArray($id);
+    }
+
     /**
      * Get the ILS connection.
      *
@@ -918,4 +932,21 @@ protected function getAuditEventService(): AuditEventServiceInterface
         }
         return $this->auditEventService;
     }
+
+    /**
+     * Get params from post or query.
+     *
+     * @param ?string $key     Parameter key to get. If omitted and no default value
+     *                         is set, will return all parameters as an associative array.
+     * @param mixed   $default Default value to return if not found. If $key is omitted, has no effect.
+     *
+     * @return mixed
+     */
+    protected function fromPostAndQuery(?string $key = null, mixed $default = null): mixed
+    {
+        if (!$key) {
+            return $this->params()->fromPost() + $this->params()->fromQuery();
+        }
+        return $this->params()->fromPost($key) ?? $this->params()->fromQuery($key) ?? $default;
+    }
 }