-
-
Notifications
You must be signed in to change notification settings - Fork 760
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Api token updates #5664
Api token updates #5664
Conversation
- Has custom 'name' field - Has custom expiry date
✅ Deploy Preview for inventree-web-pui-preview canceled.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this would be a good point to address some things that are not optimal about the current design of tokens and change things to be more like best-practice examples like GitHub and stripe.
- No token without expiry
- Configurable max expiry (industry standard seems to be 1 year nowadays)
- Token events (creation, deletion, expert imminent)
- Use an identifiable token format (see https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/#identifiable-prefixes) - gives us the option to support multiple token formats in the future
- Add metadata support to the model and issuing API (ie. the app could start sending the model and name of the phone when requesting a token to make identifying easier)
It would be also good to add some scoping to the tokens. I imagine this would be easy if we use the existing permission sets as scopes. |
@wolflu05 it is not really easy as the tokens currently are basically impersonating their user so we would probably need separate users or change all permission checks (which are user based currently) |
- Correctly handles revoked tokens - Correctly handles expired tokens
- Check for token active status
- Can return tokens with custom names - Return more information on the token too
- An authenticated user must receive a token - Unauthenticated users cannot do this
name = request.query_params.get('name', '') | ||
|
||
# Delete any matching tokens | ||
ApiToken.objects.filter(user=user, name=name).delete() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comment: I think it would be prudent to log it a token was actually deleted for development (maybe log the identifier)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good call I'll add that.
InvenTree/users/admin.py
Outdated
list_display = ('token', 'user', 'name', 'expiry', 'active') | ||
fields = ('token', 'name', 'revoked', 'expiry') | ||
readonly_fields = ('token', 'created') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: Why is that changed? The key is normally used for identification in systems like this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "token" is the redacted version, once it is created the raw value is not shown in the admin interface - I believe this is what you requested?
- Allows raw token to be viewed in the admin interface when created - After created, no longer visible - Also provides ability to generate token with static prefix
- Prevent user and expiry from being edited after creation
- Prevent editing of "name" field after creation - Add isoformat date suffix to token
Fixes #2326
This PR implements a custom extension of the current API token implementation:
TODO
A key point here is to preserve backwards compatibility with any existing external systems (such as the mobile app) which use tokens and expect them to appear in a certain way on the API.
References