[Project-scoped API tokens] should be accessible from project settings #6263

Open
webknjaz opened this issue Jul 25, 2019 · 2 comments
Labels: feature request; needs discussion (a product management/policy issue maintainers and users should discuss); tokens (Issues relating to API tokens)

Comments

@webknjaz
Member

What's the problem this feature will solve?

I think that it'd be convenient if I could see a list of tokens having access to the chosen project page. Even ones created by someone else.
This'd result in better visibility of the security aspects of managing the project.

Describe the solution you'd like

I'm thinking of one of these pages:

It'd look like:

[ Create a new token ] <-- links to https://pypi.org/manage/account/token with a project pre-selected

* token1 (created by you) [ Revoke ]
* token2 (created by some_maintainer) [~Revoke~] <-- not sure whether owner should be able to revoke this
* to...3 (created by some_maintainer_2) [~Revoke~]  <-- maybe even mostly hide their names if created by someone else

[ Create a new token ] <-- links to https://pypi.org/manage/account/token with a project pre-selected

Additional context

N/A

@brainwane added the "needs discussion" label Jul 25, 2019
@brainwane
Contributor

Thanks for your note and for the feature idea of displaying an inventory, somewhere within project settings, of project-scoped API tokens, viewable by project owners (and maybe maintainers).

Right now I think this is out of scope for the OTF-funded security work on our development roadmap -- we need to be pretty frugal with scope for this to make sure we get through all our milestones.

But I think that the creation of a token would probably go into the audit log in #5863. So that would help with the visibility concern.

@di added the "tokens" label Jul 29, 2019
@brainwane
Contributor

If someone makes a pull request to implement this, please ping @nlhkabu to ask her to review it. :)
