Update the WebAPIToken model for API Tokens v2

Review Request #12342 — Created June 6, 2022 and updated

maubin
Review Board
release-5.0.x
12341
reviewboard

This change is the first in a series of changes for improving our API Tokens
(which we'll refer to as API Tokens v2). Currently, Review Board uses a SHA1
token format, which has the following disadvantages:
- Tokens aren't able to be validated or identified from other SHA1 tokens.
- Can't use secret scanning to detect leaked tokens.
- They aren't as secure as some modern counterparts.

In response, we are moving towards a new token format that contains a
vendor/category prefix and can be validated through a checksum. Additionally,
we want to be able to support token expiration and invalidation, which we
currently don't do. Since we are moving away from an old token format, we also
need support for token deprecation.

In this change we modify the API tokens model to allow the possibility for
new token types, expiration, and invalidation. The following changes are made
to the WebAPIToken model:
- Adding expires field
- Adding valid, invalid_date and invalid_reason fields
- Adding token_generator_id field
- Adding last_used field
- Updating max length of token to 255 characters.

Successfully upgraded the database and successfully created a new database.

Summary
Updating the WebAPIToken model for API Tokens v2
Description From Last Updated

For database changes, suitable testing would, at a minimum, be to upgrade a database with this evolution, and to create …

chipx86chipx86

Since this is the starting point for this body of work in Review Board, this would be a good place …

chipx86chipx86

This must be one line. You can put more details in the description.

chipx86chipx86
maubin
maubin
chipx86
  1. 
      
  2. For database changes, suitable testing would, at a minimum, be to upgrade a database with this evolution, and to create a brand-new database with this change.

  3. Since this is the starting point for this body of work in Review Board, this would be a good place to describe the high-level goals of this project, in the description. That'd help down the road with code archaeology, and avoid needing to know the details or any links to the API Tokens v2 project.

  4. This must be one line. You can put more details in the description.

  5. 
      
maubin
Review request changed

Description:

~  

As part of our move to API Tokens v2, we need to open API tokens for new token

~   types, expiration, and invalidation. The following changes are made to the
~   WebApiToken model:

  ~

This change is the first in a series of changes for improving our API Tokens

  ~ (which we'll refer to as API Tokens v2). Currently, Review Board uses a SHA1
  ~ token format, which has the following disadvantages:
  + - Tokens aren't able to be validated or identified from other SHA1 tokens.
  + - Can't use secret scanning to detect leaked tokens.
  + - They aren't as secure as some modern counterparts.

   
~  
  • Adding expires field
~  
  • Adding valid, invalid_date and invalid_reason fields
~  
  • Adding token_generator_id field
~  
  • Adding last_used field
~  
  • Updating max length of token to 255 characters.
  ~

In response, we are moving towards a new token format that contains a

  ~ vendor/category prefix and can be validated through a checksum. Additionally,
  ~ we want to be able to support token expiration and invalidation, which we
  ~ currently don't do. Since we are moving away from an old token format, we also
  ~ need support for token deprecation.

  +
  +

In this change we modify the API tokens model to allow the possibility for

  + new token types, expiration, and invalidation. The following changes are made
  + to the WebAPIToken model:
  + - Adding expires field
  + - Adding valid, invalid_date and invalid_reason fields
  + - Adding token_generator_id field
  + - Adding last_used field
  + - Updating max length of token to 255 characters.

Testing Done:

~  

None.

  ~

Successfully upgraded the database and successfully created a new database.

Commits:

Summary
-
Updating the WebAPIToken model for API Tokens v2
+
Updating the WebAPIToken model for API Tokens v2

Diff:

Revision 2 (+50)

Show changes

Checks run (2 succeeded)

flake8 passed.
JSHint passed.
chipx86
  1. Ship It!
  2. 
      
Loading...