WebAPI: Add support for authenticating via API key

PR #23212.
Closes #13201.

Author: Piccirello

WebAPI_Changelog.md

@@ -1,5 +1,9 @@
 # WebAPI Changelog
 
+## 2.14.1
+* [#23212](https://github.com/qbittorrent/qBittorrent/pull/23212)
+  * Add `app/rotateAPIKey` endpoint for generating, and rotating, the WebAPI API key
+
 ## 2.14.0
 * [#23202](https://github.com/qbittorrent/qBittorrent/pull/23202)
   * WebAPI responds with the error message "Endpoint does not exist" when the endpoint does not exist, to better differentiate from unrelated Not Found (i.e. 404) responses

src/app/application.cpp

@@ -957,7 +957,7 @@ int Application::exec()
         const auto *pref = Preferences::instance();
 
         const QString tempPassword = pref->getWebUIPassword().isEmpty()
-                ? Utils::Password::generate() : QString();
+                ? Utils::Password::generate(9) : QString();
         m_webui = new WebUI(this, (!tempPassword.isEmpty() ? Utils::Password::PBKDF2::generate(tempPassword) : QByteArray()));
         connect(m_webui, &WebUI::error, this, [](const QString &message)
         {

src/base/CMakeLists.txt

@@ -103,6 +103,7 @@ add_library(qbt_base STATIC
     torrentfilter.h
     types.h
     unicodestrings.h
+    utils/apikey.h
     utils/bytearray.h
     utils/compare.h
     utils/datetime.h
@@ -200,6 +201,7 @@ add_library(qbt_base STATIC
     torrentfileguard.cpp
     torrentfileswatcher.cpp
     torrentfilter.cpp
+    utils/apikey.cpp
     utils/bytearray.cpp
     utils/compare.cpp
     utils/datetime.cpp

src/base/http/types.h

@@ -43,6 +43,7 @@ namespace Http
     inline const QString METHOD_GET = u"GET"_s;
     inline const QString METHOD_POST = u"POST"_s;
 
+    inline const QString HEADER_AUTHORIZATION = u"authorization"_s;
     inline const QString HEADER_CACHE_CONTROL = u"cache-control"_s;
     inline const QString HEADER_CONNECTION = u"connection"_s;
     inline const QString HEADER_CONTENT_DISPOSITION = u"content-disposition"_s;

src/base/preferences.cpp

@@ -898,6 +898,19 @@ void Preferences::setWebUIPassword(const QByteArray &password)
     setValue(u"Preferences/WebUI/Password_PBKDF2"_s, password);
 }
 
+QString Preferences::getWebUIApiKey() const
+{
+    return value<QString>(u"Preferences/WebUI/APIKey"_s);
+}
+
+void Preferences::setWebUIApiKey(const QString &apiKey)
+{
+    if (apiKey == getWebUIApiKey())
+        return;
+
+    setValue(u"Preferences/WebUI/APIKey"_s, apiKey);
+}
+
 int Preferences::getWebUIMaxAuthFailCount() const
 {
     return value<int>(u"Preferences/WebUI/MaxAuthenticationFailCount"_s, 5);

src/base/preferences.h

@@ -211,6 +211,8 @@ class Preferences final : public QObject
     void setWebUIUsername(const QString &username);
     QByteArray getWebUIPassword() const;
     void setWebUIPassword(const QByteArray &password);
+    QString getWebUIApiKey() const;
+    void setWebUIApiKey(const QString &apiKey);
     int getWebUIMaxAuthFailCount() const;
     void setWebUIMaxAuthFailCount(int count);
     std::chrono::seconds getWebUIBanDuration() const;

src/base/utils/apikey.cpp

@@ -0,0 +1,50 @@
+/*
+ * Bittorrent Client using Qt and libtorrent.
+ * Copyright (C) 2025  Thomas Piccirello <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * In addition, as a special exception, the copyright holders give permission to
+ * link this program with the OpenSSL project's "OpenSSL" library (or with
+ * modified versions of it that use the same license as the "OpenSSL" library),
+ * and distribute the linked executables. You must obey the GNU General Public
+ * License in all respects for all of the code used other than "OpenSSL".  If you
+ * modify file(s), you may extend this exception to your version of the file(s),
+ * but you are not obligated to do so. If you do not wish to do so, delete this
+ * exception statement from your version.
+ */
+
+#include "apikey.h"
+
+#include <QString>
+
+#include "base/global.h"
+#include "base/utils/password.h"
+
+namespace
+{
+    const int keyLength = 28;
+    const QString prefix = u"qbt_"_s;
+}
+
+QString Utils::APIKey::generate()
+{
+    return prefix + Utils::Password::generate(keyLength);
+}
+
+bool Utils::APIKey::isValid(const QString &key)
+{
+    return key.startsWith(prefix) && (key.length() == (prefix.length() + keyLength));
+}

src/base/utils/apikey.h

@@ -0,0 +1,37 @@
+/*
+ * Bittorrent Client using Qt and libtorrent.
+ * Copyright (C) 2025  Thomas Piccirello <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * In addition, as a special exception, the copyright holders give permission to
+ * link this program with the OpenSSL project's "OpenSSL" library (or with
+ * modified versions of it that use the same license as the "OpenSSL" library),
+ * and distribute the linked executables. You must obey the GNU General Public
+ * License in all respects for all of the code used other than "OpenSSL".  If you
+ * modify file(s), you may extend this exception to your version of the file(s),
+ * but you are not obligated to do so. If you do not wish to do so, delete this
+ * exception statement from your version.
+ */
+
+#pragma once
+
+class QString;
+
+namespace Utils::APIKey
+{
+    QString generate();
+    bool isValid(const QString &key);
+}

src/base/utils/password.cpp

@@ -67,10 +67,11 @@ bool Utils::Password::slowEquals(const QByteArray &a, const QByteArray &b)
     return (diff == 0);
 }
 
-QString Utils::Password::generate()
+QString Utils::Password::generate(const int passwordLength)
 {
+    Q_ASSERT(passwordLength > 0);
+
     const QString alphanum = u"23456789ABCDEFGHIJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz"_s;
-    const int passwordLength = 9;
     QString pass;
     pass.reserve(passwordLength);
     while (pass.length() < passwordLength)

src/base/utils/password.h

@@ -38,7 +38,7 @@ namespace Utils::Password
     // Taken from https://crackstation.net/hashing-security.htm
     bool slowEquals(const QByteArray &a, const QByteArray &b);
 
-    QString generate();
+    QString generate(int passwordLength);
 
     namespace PBKDF2
     {