
Zotero Integration: Scope "Connect Web Library" access to that of API key #667

Open
cboulanger opened this issue Feb 19, 2025 · 3 comments
Labels
bug Something isn't working visual-editor zotero

Comments

@cboulanger

Bug description

I want to collaboratively work on a .qmd file using a shared Zotero group library. I have generated an API Key scoped to that library with only read access, which I want to share with my collaborators. However, it seems Quarto expects an API key with access to all of the groups and the user library, which is not what I want.

Steps to reproduce

  • Configure "Quarto › Zotero: Library" to "web"
  • add the group's title to "Quarto › Zotero: Group Libraries",
  • run "Quarto: Connect Zotero Web Library"

Actual behavior

I get an "unauthorized access" error for other group libraries which I do not want to share, and for the main user library, which I also do not want to share.

Expected behavior

Only the library/libraries specified in "Quarto › Zotero: Group Libraries" are accessed and synchronized.

Your environment

  • VS Code:
    Version: 1.96.4 (user setup)
    Commit: cd4ee3b1c348a13bafd8f9ad8060705f6d4b9cba
    Date: 2025-01-16T00:16:19.038Z
    Electron: 32.2.6
    ElectronBuildId: 10629634
    Chromium: 128.0.6613.186
    Node.js: 20.18.1
    V8: 12.8.374.38-electron.0
    OS: Windows_NT x64 10.0.19045

  • Quarto Version 1.118.0

@cboulanger cboulanger added the bug Something isn't working label Feb 19, 2025
@cderv
Contributor

cderv commented Feb 19, 2025

I have generated an API Key scoped to that library with only read access

To be complete regarding the step you took, why did you choose for Default Group Permissions?
https://quarto.org/docs/visual-editor/vscode/#api-access-key

Steps to reproduce

I think we need to have a bit more information about your Zotero library setup and group. I am just not sure how to set up a Zotero library to test this in your specific usage.

Did you try to look in VSCODE logging to see if there is more information about the function / step that is throwing the unauthorized? I am no expert in VSCODE extension debugging, but maybe there is more info that would help be sure of which is the wrong request.

You could also help us understand the problem by using your API key with an external client.
I believe the Quarto extension is using Zotero API: https://www.zotero.org/support/dev/web_api/v3/start

For groups we are using the endpoint: /users/<userID>/groups documented at
https://www.zotero.org/support/dev/web_api/v3/basics#other_urls

// get existing group metadata
progress.report("Syncing groups");
const serverGroupVersions = await zotero.groupVersions(zotero.user.userID);
const serverGroupIds = Object.keys(serverGroupVersions).map(Number);

groupVersions: (userID: number) => {
  return zoteroRequest<ObjectVersions>(key, `/users/${userID}/groups?format=versions`, progress!);
},

Doc says:

The set of groups the current API key has access to, including public groups the key owner belongs to even if the key doesn't have explicit permissions for them.

Could the last part be the problem?

We iterate on all those groups after:

for (const serverGroupId of serverGroupIds) {
  const localGroup = groups.find(group => group.id === serverGroupId);
  if (!localGroup || (localGroup.version !== serverGroupVersions[localGroup.id])) {
    const serverGroup = await zotero.group(serverGroupId, localGroup?.version || 0);
    // ... (remainder of the loop body not quoted here)
  }
}

group: (groupID: number, since: number) => {
  return zoteroVersionedRequest<Group>(key, `/groups/${groupID}?since=${since}`, since, progress!, x => x.data);
},

For this we use the endpoint /groups/<groupID> with search parameters.

We do not seem to handle owner groups where the API key does not have access explicitly. And also we do not seem to query only the groups from the configuration...

Using your key with another lib like pyzotero could help us understand the problem if any with the API, and exactly how this should be queried.

Hope this helps understand the current problem. Thanks a lot for the feedback!

@cderv cderv added the zotero label Feb 19, 2025
@cboulanger
Author

Thank you for your quick response!

To be complete regarding the step you took, why did you choose for Default Group Permissions? https://quarto.org/docs/visual-editor/vscode/#api-access-key

In my scenario, the Default Group Permissions is "None", since the API key should not allow access to any "current or future groups" except the one specifically mentioned in "Specific Groups". In "Specific Groups", I have given the Key "Read Only" permission to the group.

I think we need to have a bit more information about your Zotero library setup and group. I am just not sure how to set up a Zotero library to test this in your specific usage.

Did you try to look in VSCODE logging to see if there is more information about the function / step that is throwing the unauthorized? I am no expert in VSCODE extension debugging, but maybe there is more info that would help be sure of which is the wrong request.

Unfortunately, the only thing I can see is the error message. For a key that is only scoped to the group that is to be shared, I get

[zotero]: Syncing library (user-XXXXX)
[zotero]: https://api.zotero.org/users/XXXXX/deleted?since=53554 (403)
Error occurred during sync: Unauthorized: /users/XXXXX/deleted

Doc says:

The set of groups the current API key has access to, including public groups the key owner belongs to even if the key doesn't have explicit permissions for them.

Could the last part be the problem?

Yes, that is probably it. Although I thought that the Zotero API would automatically exclude all libraries that a key does not grant access to. An easy solution would be to not fail when "unauthorized" errors are thrown, but simply log warnings. A more comprehensive solution of course would query which libraries the key has access to and only sync those. But I would be happy with the one that warns instead of throws on forbidden access.

We do not seem to handle owner groups where the API key does not have access explicitly. And also we do not seem to query only the groups from the configuration...

When I query https://api.zotero.org/keys/XXXXX , with XXXXX being the key that has only access to the group, I get

{
    "key": "<the key>",
    "userID": <my user id>,
    "username": "<my user name>",
    "displayName": "<my display name>",
    "access": {
        "groups": {
            "<the group id>": {
                "library": true,
                "write": false
            }
        }
    }
}

For contrast, here is the response to a key that has access to everything:

{
    "key": "<the key>",
    "userID": <my user id>,
    "username": "<my user name>",
    "displayName": "<my display name>",
    "access": {
        "user": {
            "library": true,
            "files": true
        },
        "groups": {
            "all": {
                "library": true,
                "write": false
            }
        }
    }
}

So it would be wonderful if the sync algorithm would use the "access" field of the json response to the keys/<key> api call, and then only sync the user library or any group that is contained in there.

@cderv
Contributor

cderv commented Feb 19, 2025

So it would be wonderful if the sync algorithm would use the "access" field of the json response to the keys/<key> api call, and then only sync the user library or any group that is contained in there.

I don't find any use of api.zotero.org/keys/ endpoint in the extension. So possibly this would indeed be what to do before syncing.

This is a bigger change than just handling unauthorized access, knowing that /users/<userID>/group returns more groups than the one the key has access to (which is quite unexpected behavior from the API TBH 🤷‍♂).

Thanks a lot for the additional information. That will really help us.
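The approach proposed in the thread (read the "access" object from /keys/<key>, then sync only the user library and groups the key can actually read, rather than everything /users/<userID>/groups lists), as an added example that is not code from the Quarto extension. It assumes the two response shapes quoted above; the key info objects, group ids and the `planSync` function are constructed for illustration, and the optional `configuredGroupIDs` parameter stands in for the "Quarto › Zotero: Group Libraries" setting.

```typescript
// Added example, not from the Quarto extension: derive a sync plan from the
// /keys/<key> "access" object so libraries the key cannot read are never requested
// (avoiding the 403 on /users/<userID>/deleted and on unshared groups).

type GroupPerm = { library?: boolean; write?: boolean };
type KeyAccess = {
  user?: { library?: boolean; files?: boolean; write?: boolean };
  groups?: Record<string, GroupPerm>; // keyed by group id, or "all"
};
type KeyInfo = { key: string; userID: number; access?: KeyAccess };
type SyncPlan = { syncUserLibrary: boolean; groupIDs: number[]; skipped: number[] };

// serverGroupIDs: ids returned by /users/<userID>/groups (may include unreadable ones).
// configuredGroupIDs (hypothetical): group ids the user configured; undefined = no filter.
function planSync(info: KeyInfo, serverGroupIDs: number[], configuredGroupIDs?: number[]): SyncPlan {
  const access = info.access ?? {};
  // The user library is only in scope when access.user.library is explicitly true.
  const syncUserLibrary = access.user?.library === true;
  const groups = access.groups ?? {};
  const allGroups = groups["all"]?.library === true;
  // Specific group grants: "<id>": { library: true }.
  const readable = new Set<number>(
    Object.entries(groups)
      .filter(([id, perm]) => id !== "all" && perm.library === true)
      .map(([id]) => Number(id)),
  );
  const groupIDs: number[] = [];
  const skipped: number[] = [];
  for (const id of serverGroupIDs) {
    const keyAllows = allGroups || readable.has(id);
    const configAllows = configuredGroupIDs === undefined || configuredGroupIDs.includes(id);
    if (keyAllows && configAllows) groupIDs.push(id); else skipped.push(id);
  }
  return { syncUserLibrary, groupIDs, skipped };
}

// Constructed sample: read-only key scoped to a single group (first JSON in the thread).
const SCOPED_KEY: KeyInfo = {
  key: "<the key>", userID: 12345,
  access: { groups: { "4242": { library: true, write: false } } },
};
// Constructed sample: key with the user library and all groups (second JSON in the thread).
const FULL_KEY: KeyInfo = {
  key: "<the key>", userID: 12345,
  access: { user: { library: true, files: true }, groups: { all: { library: true, write: false } } },
};
// Constructed: what /users/<userID>/groups might list, including groups the scoped key cannot read.
const SERVER_GROUPS = [4242, 777, 999];
```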
