Api token updates #5664
Changes from 10 commits
@@ -5,15 +5,14 @@ | |
from django.urls import include, path, re_path | ||
|
||
from django_filters.rest_framework import DjangoFilterBackend | ||
from rest_framework import permissions, status | ||
from rest_framework.authtoken.models import Token | ||
from rest_framework import exceptions, permissions, status | ||
from rest_framework.response import Response | ||
from rest_framework.views import APIView | ||
|
||
from InvenTree.filters import InvenTreeSearchFilter | ||
from InvenTree.mixins import ListAPI, RetrieveAPI, RetrieveUpdateAPI | ||
from InvenTree.serializers import UserSerializer | ||
from users.models import Owner, RuleSet, check_user_role | ||
from users.models import ApiToken, Owner, RuleSet, check_user_role | ||
from users.serializers import GroupSerializer, OwnerSerializer | ||
|
||
|
||
|
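Review bot: the `Token` import from `rest_framework.authtoken.models` is dropped in favour of `users.models.ApiToken`, and Python only reports an undefined name when the line actually executes, so any `Token.objects...` reference left elsewhere in this module would surface as a NameError at request time rather than at import; please grep the module for remaining `Token` uses and add a test that exercises each token endpoint. The new `exceptions` import alongside the retained `permissions` import also suggests the view now raises `NotAuthenticated` itself; confirm this does not duplicate a check already performed by the view's permission classes.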
@@ -187,15 +186,32 @@ class GetAuthToken(APIView): | |
def get(self, request, *args, **kwargs): | ||
"""Return an API token if the user is authenticated | ||
|
||
- If the user already has a token, return it | ||
- Otherwise, create a new token | ||
- If the user already has a matching token, delete it and create a new one | ||
- Existing tokens are *never* exposed again via the API | ||
- Once the token is provided, it can be used for auth until it expires | ||
""" | ||
|
||
if request.user.is_authenticated: | ||
# Get the user token (or create one if it does not exist) | ||
token, created = Token.objects.get_or_create(user=request.user) | ||
return Response({ | ||
|
||
user = request.user | ||
name = request.query_params.get('name', '') | ||
|
||
# Delete any matching tokens | ||
ApiToken.objects.filter(user=user, name=name).delete() | ||
Comment: I think it would be prudent to log if a token was actually deleted for development (maybe log the identifier)

Good call, I'll add that.
||
|
||
# User is authenticated, and requesting a token against the provided name. | ||
token = ApiToken.objects.create(user=request.user, name=name) | ||
|
||
data = { | ||
'token': token.key, | ||
}) | ||
'name': token.name, | ||
'expiry': token.expiry, | ||
} | ||
|
||
return Response(data) | ||
|
||
else: | ||
raise exceptions.NotAuthenticated() | ||
|
||
def delete(self, request): | ||
"""User has requested deletion of API token""" | ||
|
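Review bot: `ApiToken.objects.filter(user=user, name=name).delete()` runs before `ApiToken.objects.create(user=request.user, name=name)` with no transaction and no validation of `name`, which defaults to `''` via `request.query_params.get('name', '')`; a request with a missing or unacceptable name therefore revokes the user's existing token of that name before anything new is issued, and a failure in the create step leaves the user with no token at all. Suggest validating `name` (rejecting the empty default) before the delete, and wrapping the delete/create pair in `transaction.atomic()`. Minor: `user` is bound from `request.user` but the create call uses `request.user` again; use one or the other consistently.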
matmair marked this conversation as resolved.
This file was deleted.
This file was deleted.
This file was deleted.
Question: Why is that changed? The key is normally used for identification in systems like this
The "token" is the redacted version; once it is created, the raw value is not shown in the admin interface. I believe this is what you requested?