Summary

Introduce client API tokens.

Review Request #13032 — Created May 19, 2023 and submitted June 16, 2023, 4:06 p.m.

Information

Owner

maubin

Repository

Review Board

Branch

release-5.0.x

Bugs

Depends On

Blocks

12982

Reviewers

Groups

reviewboard

People

Description

This change introduces client API tokens which are API tokens that belong
specifically to a given client. Clients (e.g. RBTools) will use these tokens
to authenticate to Review Board. These tokens are important for an upcoming
change that allows users to authenticate clients to Review Board via a
web-based login flow.

During the web-based login flow, client API tokens are automatically created
if they do not exist or if previous client tokens are expired. Each client
will have their own client tokens, and the tokens will be marked with a note
that says the token was automatically created for the given client.

Testing Done


Ran unit tests.
Tested creating a normal token and saw the right email being sent.
Tested creating a client token and saw the right email being sent.
Manually tested with the upcoming client web-based login flow change.

Commits

Summary	ID
Add support for client API tokens.	98e1dc56139935bbc7bb26c58727b00680da7888

Issues

Description	From	Last Updated
To help with readability, can you update this to uncollapse newlines? So, one '\n' for each blank line, instead of …	chipx86	May 24, 2023, 11:39 a.m.
The {% should be unindented. Same with the closing tag.	chipx86	May 24, 2023, 11:39 a.m.
Let's move these together onto the same line, to reduce the number of newlines we end up with. Text e-mails …	chipx86	May 24, 2023, 11:40 a.m.
We only use this for typing, so let's move this into TYPE_CHECKING.	chipx86	May 24, 2023, 11:42 a.m.
For now, we need to use Union[...] instead of \|. The \| syntax is new as of Python 3.10 (technically …	chipx86	May 24, 2023, 11:44 a.m.
Can we call this client_name?	chipx86	May 24, 2023, 11:45 a.m.
Hmm, I don't think this is particularly future-proof. This only works if the only thing in extra data is the …	david	May 24, 2023, 11:12 a.m.
This can fail with a WebAPITokenGenerationError exception. We should either document a re-raise, or handle it.	chipx86	May 24, 2023, 12:11 p.m.
Can we call this client_name? I want to give us some room to expand on this if we need to …	chipx86	May 24, 2023, 11:45 a.m.
Swap these.	chipx86	May 24, 2023, 11:47 a.m.
datetime and typing should be in their own import group at the top.	chipx86	May 24, 2023, 11:48 a.m.
This can just be super().setUp().	chipx86	May 24, 2023, 11:48 a.m.
It doesn't look like this ever changes. Maybe just make it a constant on the class?	chipx86	May 24, 2023, 11:57 a.m.

flake8 passed.

JSHint passed.

reviewboard/webapi/managers.py (Diff revision 1)

The issue has been resolved. Show all issues

Hmm, I don't think this is particularly future-proof. This only works if the only thing in extra data is the client name, but we don't have exclusive control of this--a big part of the point of extra data is that any third party can do what they want with it.

I think in this case it probably makes sense to add a new field to the token model that we can query on.

maubin May 23, 2023, 12:16 p.m.

Woops, I see. Another thing that would work is using this query instead extra_data__contains=f'"client": "{client}"' (querying for the key and value pair instead of the dictionary as a whole). However, I can see that these types of queries have a dependency on our DjbletsJSONEncoder. Our DjbletsJSONEncoder (which encodes the data for our JSONFields) uses : to separate keys and values, but if we were to ever change that (for example to : with no space), then the query would break. It seems unlikely that we would ever change that, but still something to think about.

I'm leaning towards avoiding adding a new field. I think the above solution would work well, I've added a unit test for it and tested it out manually with tokens that have multiple things in their extra_data. What do you think? Also, is it ok to warrant a database upgrade for point releases, or is this something that should only happen for major releases?

chipx86 May 23, 2023, 8:22 p.m.

__contains on an extra_data can be very slow. The database has to read the contents of every single field and do a string search, and depending on how it decides to do this, the result can be a full table scan. We want to avoid those wherever possible. On top of this, the above query will match:

{
  "extension-provided key": {
    "client": "foo"
  }
}

Instead, a faster and safer way to accomplish this is by handling matching on the Python side. We query all tokens for the user and then check within extra_data for the matching value.

I think that's fast enough. Most users will only have a handful of tokens, so this won't add any noticeable overhead. Plus we're only using this during a login flow, not per-request or anything.

Since this is informational, I think we're okay using extra_data and just doing this sort of lookup this way. If we needed to filter based off the field per-request or something, I'd say we introduce one in RB6. But I don't see us needing to do that for anything currently planned.

reviewboard/notifications/tests/test_email_sending.py (Diff revision 1)

The issue has been resolved. Show all issues

To help with readability, can you update this to uncollapse newlines? So, one '\n' for each blank line, instead of ...\n\n'.

reviewboard/templates/notifications/api_token_created.html (Diff revision 1)
The issue has been resolved. Show all issues
```
The {% should be unindented. Same with the closing tag.
```

reviewboard/templates/notifications/api_token_created.txt (Diff revision 1)

The issue has been resolved. Show all issues

Let's move these together onto the same line, to reduce the number of newlines we end up with.

Text e-mails are a bit annoying to templatize.

reviewboard/webapi/managers.py (Diff revision 1)
The issue has been resolved. Show all issues
```
We only use this for typing, so let's move this into TYPE_CHECKING.
```

reviewboard/webapi/managers.py (Diff revision 1)

The issue has been resolved. Show all issues

For now, we need to use Union[...] instead of |. The | syntax is new as of Python 3.10 (technically mypy can deal with it, but it's not safe otherwise).

reviewboard/webapi/managers.py (Diff revision 1)
The issue has been resolved. Show all issues
```
Can we call this client_name?
```

reviewboard/webapi/managers.py (Diff revision 1)

The issue has been resolved. Show all issues

Can we call this client_name? I want to give us some room to expand on this if we need to later (say, introduce a client dictionary with additional information, if we later find we need to track more than this).

reviewboard/webapi/models.py (Diff revision 1)
The issue has been resolved. Show all issues
```
Swap these.
```

reviewboard/webapi/tests/test_managers.py (Diff revision 1)

The issue has been resolved. Show all issues

datetime and typing should be in their own import group at the top.

reviewboard/webapi/tests/test_managers.py (Diff revision 1)
The issue has been resolved. Show all issues
```
This can just be super().setUp().
```
reviewboard/webapi/tests/test_managers.py (Diff revision 1)
The issue has been resolved. Show all issues
```
It doesn't look like this ever changes. Maybe just make it a constant on the class?
```

reviewboard/webapi/managers.py (Diff revision 1)

The issue has been resolved. Show all issues

This can fail with a WebAPITokenGenerationError exception. We should either document a re-raise, or handle it.

Change Summary:


Fix up some formatting for emails and their tests.
Better querying for getting client tokens.
Switch to client_name instead of client.
Document that get_or_create_client_token raises WebAPITokenGenerationError.

Description:

~		This change introduces client API tokens which are tokens that clients such as
~		RBTools can use to authenticate to Review Board. These tokens are important
~		for an upcoming change that allows users to authenticate clients to Review
~		Board via a web-based login flow.
	~	This change introduces client API tokens which are API tokens that belong
	~	specifically to a given client. Clients (e.g. RBTools) will use these tokens
	~	to authenticate to Review Board. These tokens are important for an upcoming
	~	change that allows users to authenticate clients to Review Board via a
	+	web-based login flow.

		During the web-based login flow, client API tokens are automatically created
		if they do not exist or if previous client tokens are expired. Each client
		will have their own client tokens, and the tokens will be marked with a note
		that says the token was automatically created for the given client.

Commits:

	Summary	ID
	Add support for client API tokens.	3964adb643332b05aee8ff74d4df3722e8326b6e
	Add support for client API tokens.	98e1dc56139935bbc7bb26c58727b00680da7888

Diff:

Revision 2 (+1016 -50)

Show changes

	reviewboard/notifications/email/message.py
	reviewboard/notifications/tests/test_email_sending.py
	reviewboard/templates/notifications/api_token_created.txt
	reviewboard/templates/notifications/api_token_created.html
	reviewboard/webapi/managers.py
	reviewboard/webapi/models.py
	reviewboard/webapi/tests/test_managers.py

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Ship it!

```
Ship It!
```

Status: Closed (submitted)

Change Summary:

Pushed to release-5.0.x (877bd91)