Update the WebAPIToken model for API Tokens v2
Review Request #12342 — Created June 6, 2022 and submitted — Latest diff uploaded
This change is the first in a series of changes for improving our API Tokens
(which we'll refer to as API Tokens v2). Currently, Review Board uses a SHA1
token format, which has the following disadvantages:
- Tokens aren't able to be validated or identified from other SHA1 tokens.
- Can't use secret scanning to detect leaked tokens.
- They aren't as secure as some modern counterparts.In response, we are moving towards a new token format that contains a
vendor/category prefix and can be validated through a checksum. Additionally,
we want to be able to support token expiration and invalidation, which we
currently don't do. Since we are moving away from an old token format, we also
need support for token deprecation.In this change we modify the API tokens model to allow the possibility for
new token types, expiration, and invalidation. The following changes are made
to theWebAPIToken
model:
- Addingexpires
field
- Addingvalid
,invalid_date
andinvalid_reason
fields
- Addingtoken_generator_id
field
- Addinglast_used
field
- Updating max length of token to 255 characters.
Successfully upgraded the database and successfully created a new database.