Api token updates

InvenTree/users/admin.py

@@ -17,9 +17,9 @@
 class ApiTokenAdmin(admin.ModelAdmin):
     """Admin class for the ApiToken model."""
 
-    list_display = ('key', 'user', 'name', 'expiry', 'active')
-    fields = ('user', 'name', 'revoked', 'expiry')
-    readonly_fields = ('key', 'created')
+    list_display = ('token', 'user', 'name', 'expiry', 'active')
+    fields = ('token', 'name', 'revoked', 'expiry')
+    readonly_fields = ('token', 'created')
 
 
 class RuleSetInline(admin.TabularInline):

InvenTree/users/api.py

@@ -5,15 +5,14 @@
 from django.urls import include, path, re_path
 
 from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework import permissions, status
-from rest_framework.authtoken.models import Token
+from rest_framework import exceptions, permissions, status
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from InvenTree.filters import InvenTreeSearchFilter
 from InvenTree.mixins import ListAPI, RetrieveAPI, RetrieveUpdateAPI
 from InvenTree.serializers import UserSerializer
-from users.models import Owner, RuleSet, check_user_role
+from users.models import ApiToken, Owner, RuleSet, check_user_role
 from users.serializers import GroupSerializer, OwnerSerializer
 
 
@@ -187,15 +186,32 @@ class GetAuthToken(APIView):
     def get(self, request, *args, **kwargs):
         """Return an API token if the user is authenticated
 
-        - If the user already has a token, return it
-        - Otherwise, create a new token
+        - If the user already has a matching token, delete it and create a new one
+        - Existing tokens are *never* exposed again via the API
+        - Once the token is provided, it can be used for auth until it expires
         """
+
         if request.user.is_authenticated:
-            # Get the user token (or create one if it does not exist)
-            token, created = Token.objects.get_or_create(user=request.user)
-            return Response({
+
+            user = request.user
+            name = request.query_params.get('name', '')
+
+            # Delete any matching tokens
+            ApiToken.objects.filter(user=user, name=name).delete()
+
+            # User is authenticated, and requesting a token against the provided name.
+            token = ApiToken.objects.create(user=request.user, name=name)
+
+            data = {
                 'token': token.key,
-            })
+                'name': token.name,
+                'expiry': token.expiry,
+            }
+
+            return Response(data)
+
+        else:
+            raise exceptions.NotAuthenticated()
 
     def delete(self, request):
         """User has requested deletion of API token"""

InvenTree/users/migrations/0008_apitoken.py

@@ -1,8 +1,9 @@
-# Generated by Django 3.2.21 on 2023-10-04 13:52
+# Generated by Django 3.2.22 on 2023-10-19 13:31
 
 from django.conf import settings
 from django.db import migrations, models
 import django.db.models.deletion
+import users.models
 
 
 class Migration(migrations.Migration):
@@ -17,16 +18,18 @@ class Migration(migrations.Migration):
             name='ApiToken',
             fields=[
                 ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
-                ('key', models.CharField(max_length=40, db_index=True, unique=True, verbose_name='Key')),
                 ('created', models.DateTimeField(auto_now_add=True, verbose_name='Created')),
+                ('key', models.CharField(db_index=True, max_length=40, unique=True, verbose_name='Key')),
                 ('name', models.CharField(blank=True, help_text='Custom token name', max_length=100, verbose_name='Token Name')),
-                ('expiry', models.DateField(blank=True, help_text='Token expiry date', null=True, verbose_name='Expiry Date')),
+                ('expiry', models.DateField(default=users.models.default_token_expiry, help_text='Token expiry date', verbose_name='Expiry Date')),
+                ('revoked', models.BooleanField(default=False, help_text='Token has been revoked', verbose_name='Revoked')),
                 ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='api_tokens', to=settings.AUTH_USER_MODEL, verbose_name='User')),
             ],
             options={
                 'verbose_name': 'API Token',
                 'verbose_name_plural': 'API Tokens',
                 'abstract': False,
+                'unique_together': {('user', 'name')},
             },
         ),
     ]

InvenTree/users/models.py

@@ -25,6 +25,14 @@
 logger = logging.getLogger("inventree")
 
 
+def default_token_expiry():
+    """Generate an expiry date for a newly created token"""
+
+    # TODO: Custom value for default expiry timeout
+    # TODO: For now, tokens last for 1 year
+    return datetime.datetime.now().date() + datetime.timedelta(days=365)
+
+
 class ApiToken(AuthToken):
     """Extends the default token model provided by djangorestframework.authtoken, as follows:
 
@@ -41,6 +49,10 @@ class Meta:
             ('user', 'name')
         ]
 
+    def __str__(self):
+        """String representation uses the redacted token"""
+        return self.token
+
     # Override the 'key' field - force it to be unique
     key = models.CharField(verbose_name=_('Key'), max_length=40, db_index=True, unique=True)
 
@@ -60,7 +72,7 @@ class Meta:
     )
 
     expiry = models.DateField(
-        blank=True, null=True,
+        default=default_token_expiry,
         verbose_name=_('Expiry Date'),
         help_text=_('Token expiry date'),
         auto_now=False, auto_now_add=False,
@@ -72,6 +84,19 @@ class Meta:
         help_text=_('Token has been revoked'),
     )
 
+    @property
+    @admin.display(description=_('Token'))
+    def token(self):
+        """Provide a redacted version of the token.
+
+        The *raw* key value should never be displayed anywhere!
+        """
+
+        N = 8
+        M = len(self.key) - N
+
+        return self.key[:N] + '*' * M
+
     @property
     @admin.display(boolean=True, description=_('Expired'))
     def expired(self):

src/frontend/src/components/nav/NotificationDrawer.tsx

@@ -81,12 +81,12 @@ export function NotificationDrawer({
       <Stack spacing="xs">
         <Divider />
         <LoadingOverlay visible={notificationQuery.isFetching} />
-        {notificationQuery.data?.results?.length == 0 && (
+        {(notificationQuery.data?.results?.length ?? 0) == 0 && (
           <Alert color="green">
             <Text size="sm">{t`You have no unread notifications.`}</Text>
           </Alert>
         )}
-        {notificationQuery.data?.results.map((notification: any) => (
+        {notificationQuery.data?.results?.map((notification: any) => (
           <Group position="apart">
             <Stack spacing="3">
               <Text size="sm">{notification.target?.name ?? 'target'}</Text>

src/frontend/src/functions/auth.tsx

@@ -21,7 +21,10 @@ export const doClassicLogin = async (username: string, password: string) => {
     .get(apiUrl(ApiPaths.user_token), {
       auth: { username, password },
       baseURL: host.toString(),
-      timeout: 5000
+      timeout: 5000,
+      params: {
+        name: 'inventree-web-app'
+      }
     })
     .then((response) => response.data.token)
     .catch((error) => {
@@ -114,7 +117,10 @@ export function handleReset(navigate: any, values: { email: string }) {
 export function checkLoginState(navigate: any, redirect?: string) {
   api
     .get(apiUrl(ApiPaths.user_token), {
-      timeout: 5000
+      timeout: 5000,
+      params: {
+        name: 'inventree-web-app'
+      }
     })
     .then((val) => {
       if (val.status === 200 && val.data.token) {