Api token updates #5664
Api token updates #5664
Conversation
- Has custom 'name' field - Has custom expiry date
✅ Deploy Preview for inventree-web-pui-preview canceled.
|
There was a problem hiding this comment.
I think this would be a good point to address some things that are not optimal about the current design of tokens and change things to be more like best-practice examples like GitHub and stripe.
- No token without expiry
- Configurable max expiry (industry standard seems to be 1 year nowadays)
- Token events (creation, deletion, expert imminent)
- Use an identifiable token format (see https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/#identifiable-prefixes) - gives us the option to support multiple token formats in the future
- Add metadata support to the model and issuing API (ie. the app could start sending the model and name of the phone when requesting a token to make identifying easier)
matmair
added
enhancement
|
It would be also good to add some scoping to the tokens. I imagine this would be easy if we use the existing permission sets as scopes. |
|
@wolflu05 it is not really easy as the tokens currently are basically impersonating their user so we would probably need separate users or change all permission checks (which are user based currently) |
- Correctly handles revoked tokens - Correctly handles expired tokens
- Check for token active status
- Can return tokens with custom names - Return more information on the token too
- An authenticated user must receive a token - Unauthenticated users cannot do this
| name = request.query_params.get('name', '') | ||
|
|
||
| # Delete any matching tokens | ||
| ApiToken.objects.filter(user=user, name=name).delete() |
There was a problem hiding this comment.
Comment: I think it would be prudent to log it a token was actually deleted for development (maybe log the identifier)
There was a problem hiding this comment.
Good call I'll add that.
InvenTree/users/admin.py
Outdated
| list_display = ('token', 'user', 'name', 'expiry', 'active') | ||
| fields = ('token', 'name', 'revoked', 'expiry') | ||
| readonly_fields = ('token', 'created') |
There was a problem hiding this comment.
Question: Why is that changed? The key is normally used for identification in systems like this
There was a problem hiding this comment.
The "token" is the redacted version, once it is created the raw value is not shown in the admin interface - I believe this is what you requested?
- Allows raw token to be viewed in the admin interface when created - After created, no longer visible - Also provides ability to generate token with static prefix
- Prevent user and expiry from being edited after creation
- Prevent editing of "name" field after creation - Add isoformat date suffix to token
Fixes #2326
This PR implements a custom extension of the current API token implementation:
TODO
A key point here is to preserve backwards compatibility with any existing external systems (such as the mobile app) which use tokens and expect them to appear in a certain way on the API.
References