Update the BaseWebAPIToken model for API Tokens v2
Review Request #12341 — Created June 6, 2022 and submitted — Latest diff uploaded
This change is the first in a series of changes for improving our API Tokens
(which we'll refer to as API Tokens v2). Currently, Djblets generates tokens
using SHA1, which has the following disadvantages:
- Tokens aren't able to be validated or identified from other SHA1 tokens.
- Can't use secret scanning to detect leaked tokens
- Aren't as secure as some modern counterparts.In response, we are moving towards a new token format that contain a
vendor/category prefix and can be validated through a checksum. Additionally,
we want to be able to support token expiration and invalidation, which we
currently don't do. Since we are moving away from an old token format, we also
need support for token deprecation.In this change we modify the API tokens model to allow the possibility for
new token types, expiration, and invalidation. The following changes are made
to theBaseWebAPIToken
model:
- Addingexpires
field and anis_expired
method.
- Addingvalid
,invalid_date
andinvalid_reason
fields.
- Addingtoken_generator_id
field.
- Addinglast_used
field.
- Updating max length of token to 255 characters.The token authentication backends were also updated to block authentication
if an expired or invalid token was used. We also added help texts for all
of theBaseWebAPIToken
fields for better clarity.
- Ran unit tests in
djblets.webapi.tests
- Manually tested token authentication when making requests with
curl
andrbt api-get
Diff Revision 5
This is not the most recent revision of the diff. The latest diff is revision 17. See what's changed.
Commits
djblets/webapi/models.py |
---|
djblets/webapi/auth/backends/api_tokens.py |
---|
djblets/webapi/tests/test_api_auth_backend.py |
---|
djblets/webapi/tests/test_api_token.py |
---|