Update the BaseWebAPIToken model for API Tokens v2

Review Request #12341 — Created June 6, 2022 and submitted — Latest diff uploaded

maubin
Djblets
release-3.x
12419, 12415, 12342
djblets

This change is the first in a series of changes for improving our API Tokens
(which we'll refer to as API Tokens v2). Currently, Djblets generates tokens
using SHA1, which has the following disadvantages:
- Tokens aren't able to be validated or identified from other SHA1 tokens.
- Can't use secret scanning to detect leaked tokens
- Aren't as secure as some modern counterparts.

In response, we are moving towards a new token format that contain a
vendor/category prefix and can be validated through a checksum. Additionally,
we want to be able to support token expiration and invalidation, which we
currently don't do. Since we are moving away from an old token format, we also
need support for token deprecation.

In this change we modify the API tokens model to allow the possibility for
new token types, expiration, and invalidation. The following changes are made
to the BaseWebAPIToken model:
- Adding expires field and an is_expired method.
- Adding valid, invalid_date and invalid_reason fields.
- Adding token_generator_id field.
- Adding last_used field.
- Updating max length of token to 255 characters.

The token authentication backends were also updated to block authentication
if an expired or invalid token was used. We also added help texts for all
of the BaseWebAPIToken fields for better clarity.

  • Ran unit tests in djblets.webapi.tests
  • Manually tested token authentication when making requests with curl
    and rbt api-get

Commits

Files

    Loading...