
System creates unwanted API token #9898

Open · philippconzett opened this issue Sep 10, 2023 · 7 comments

Labels: Feature: API · Type: Bug · User Role: Superuser

Comments

@philippconzett (Contributor)

During the past two years or so I've experienced several times that an API token was created for my user (superuser) without me clicking on the Create Token button.

To illustrate the latest occurrence of this behavior: This morning I created an API token which I needed to run a regular API script. After I ran the script, I revoked the token. I even clicked on other buttons on the page, refreshed the page, and navigated back to check whether no token was defined anymore. The token I used in the script started with "7d2a". When I checked this evening, a new token starting with "2c4d" was displayed.

What steps does it take to reproduce the issue?

  1. Click on your username on the top right of the Dataverse page.
  2. Click on API token.
  3. Create a token and run an API call.
  4. Revoke the token.
  5. After a while, return to the API token page.

  • When does this issue occur?
    Sporadically, as described above.

  • Which page(s) does it occur on?
    The API Token page.

  • What happens?
    See description above.

  • To whom does it occur (all users, curators, superusers)?
    I've only tested this as a superuser.

  • What did you expect to happen?
    The token being permanently revoked and no new token being created until I create a new one.

Which version of Dataverse are you using?
5.13

Any related open or closed issues to this bug report?
No.

Screenshots:
No.
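The create/use/revoke routine described in the report, written up as an added Python example (not Dataverse project code and not posted by anyone in this thread). It runs a job with a token, revokes the token afterwards even if the job fails, and then checks that the revoked token really no longer authenticates. It uses the Dataverse Native API endpoints GET and DELETE /api/users/token with the X-Dataverse-key header; only HTTP status codes are relied on, because the response bodies are assumed. The server URL, the token values and the FakeDataverse stand-in are constructed for the example so it runs offline.

```python
"""Use-then-revoke pattern for a Dataverse API token, with a check that the
revocation took effect.  Added example, not Dataverse project code.

Dataverse Native API endpoints used (both authenticated via X-Dataverse-key):
  GET    /api/users/token   -> 200 while the presented token is valid
  DELETE /api/users/token   -> revokes the presented token
Response bodies are treated as opaque JSON; status codes drive the logic.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, dict]                               # (HTTP status, JSON body)
HttpFn = Callable[[str, str, Dict[str, str]], Response]   # (method, url, headers)


def urllib_http(method: str, url: str, headers: Dict[str, str]) -> Response:
    """Minimal HTTP client; replaced by FakeDataverse below when offline."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, (json.loads(raw) if raw else {})
        except ValueError:
            return err.code, {}


def token_is_valid(server: str, token: str, http: HttpFn) -> bool:
    """True if the server still accepts `token` (GET /api/users/token returns 200)."""
    status, _ = http("GET", f"{server}/api/users/token", {"X-Dataverse-key": token})
    return status == 200


def revoke_token(server: str, token: str, http: HttpFn) -> bool:
    """Revoke the presented token; True if the server acknowledged it."""
    status, _ = http("DELETE", f"{server}/api/users/token", {"X-Dataverse-key": token})
    return status == 200


def run_with_token(server: str, token: str, job: Callable[[str], object],
                   http: HttpFn = urllib_http) -> Tuple[object, bool]:
    """Run job(token), revoke the token whether or not the job succeeded, then
    verify the old token no longer authenticates.
    Returns (job result, revocation confirmed)."""
    try:
        result = job(token)
    finally:
        revoke_token(server, token, http)          # bounded token lifetime
    confirmed = not token_is_valid(server, token, http)
    return result, confirmed


class FakeDataverse:
    """In-memory stand-in for the two endpoints, constructed for this example.
    It only knows the tokens it was created with and forgets them on DELETE."""

    def __init__(self, *tokens: str) -> None:
        self.tokens = set(tokens)

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Response:
        key = headers.get("X-Dataverse-key")
        if key not in self.tokens:
            return 401, {"status": "ERROR", "message": "Bad API key"}
        if not url.endswith("/api/users/token"):
            return 404, {"status": "ERROR"}
        if method == "DELETE":
            self.tokens.discard(key)
        return 200, {"status": "OK"}


if __name__ == "__main__":
    # Constructed token value; real Dataverse tokens are UUIDs.
    fake = FakeDataverse("7d2a-example-token")
    result, ok = run_with_token("https://dataverse.example", "7d2a-example-token",
                                lambda t: f"script ran with {t[:4]}...", http=fake)
    print(result, "| revocation confirmed:", ok)
```

The final check only proves that the token you revoked is dead; it cannot reveal a fresh token the system later issues on its own, so the API Token page still has to be inspected for that.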

@qqmyers (Member) commented Sep 10, 2023

FWIW:
Right now, tokens get created when you use something like a previewer that would require one to exist. As we switch to using signedUrls for external tools, it would be easier to change this behavior. If we changed it today, previewers/explore/config tools for files in draft versions and restricted files would fail unless/until you create an API key manually.

@philippconzett (Contributor, Author)

Ah, thanks. I guess this explains the behavior described above. Should we close the issue?

@jggautier (Contributor) commented Sep 13, 2023

Since it's not easier to change this behavior now, would it be possible to let users know that this might happen? For example, if someone revokes their API token, can they be told that the repository will recreate the token when they use certain external tools?

Otherwise it's misleading. And maybe a security issue?

@pdurbin (Member) commented Sep 13, 2023

I do think we should somehow inform users that an API token is being created for them. Here's how we talk about these tokens in the User Guide (i.e. treat them with care!):

How Your API Token Is Like a Password

In many cases, such as when depositing data, an API Token is required to interact with Dataverse Software APIs. The word “token” indicates a series of letters and numbers such as c6527048-5bdc-48b0-a1d5-ed1b62c8113b. Anyone who has your API Token can add and delete data as you so you should treat it with the same care as a password.

@philippconzett (Contributor, Author)

Thanks. Yes, that's why I'm kind of paranoid with my superuser API tokens being revoked whenever I don't need them anymore. ;-)

@jggautier (Contributor)

@donsizemore has also been cautious about managing API tokens, especially tokens belonging to superuser accounts, since they're able to do so much on a repository.

@pdurbin added the labels Feature: API, Type: Bug and User Role: Superuser on Oct 13, 2023

@pdurbin (Member) commented Oct 25, 2023
