Allow generating multiple authentication tokens #688
Labels
A-accounts
C-enhancement ✨
Category: Adding new behavior or a change to the way an existing feature works
Comments
|
This is something I've been meaning to request for quite a while, but keep forgetting. Finally reminded at just the right time by
|
carols10cents
added
A-accounts
C-enhancement ✨
|
Assuming this is something that is wanted, I might submit a PR for it; been taking a look at the codebase and think I can find my way round everything that would be needed. Obviously there will be some areas that need some planning/design work, but those will probably be easier to evaluate with a working prototype. |
|
Awesome! Yes, I definitely want such a thing for a variety of reasons :) Let me know if you have any questions! |
10 tasks
Nemo157
added a commit
to Nemo157/crates.io
that referenced
this issue
May 15, 2017
Fixes rust-lang#688 Summary of changes: * Database: * Add new `api_tokens` table that stores the named tokens, their creation date and last used date * API: * Remove singular `api_token` field from `User`, it is still in the database for easy rollback, but should be removed from there as well soon. * Remove existing `/me/reset_token` endpoint. * Update user middleware to search incoming tokens via the `api_tokens` table, updating the last used date as it does so, and to record whether the current request was authenticated via an API token or a session cookie * This also changes this search to function via `diesel` where it was previously using `pg` * Add new set of endpoints at `/me/tokens` allowing creating, listing and revoking API tokens * Listing tokens doesn't return the tokens value, that's only available once in the response from creating the token. * Tests * Frontend: * Remove the special support for an `api_token` parameter coming back from the `/me` endpoint * Add new `api-token` model * Has a special `adapter` as the endpoints are namespaced under `/me/tokens` instead of the default `/api/v1/api_tokens` * Has a special `serializer` to set the key used when creating a new API token * Update `/me/index` controller and template * Render a sorted list of all API tokens in the data store instead of the single token * Remove button to reset the token * Add button to start creating a new API token * Add new `api-token-row` component for rendering the API tokens in the list on `/me/index` * Has three major states: * New token that has yet to be saved to the API, shows a text box to enter a name and button to save the token * Newly saved token, shows the normal token data + the actual token value and details on how to save it with cargo * Normal token, shows the name, creation date and last used date along with a button to revoke * In any of those states can have an error message shown below the token data if creating or revoking the token failed * Some small general CSS changes: * A small variant for buttons that reduces the padding * Support for disabled state on buttons making them a little lighter than the specified color
Nemo157
added a commit
to Nemo157/crates.io
that referenced
this issue
Jun 14, 2017
Fixes rust-lang#688 Summary of changes: * Database: * Add new `api_tokens` table that stores the named tokens, their creation date and last used date * API: * Remove singular `api_token` field from `User`, it is still in the database for easy rollback, but should be removed from there as well soon. * Remove existing `/me/reset_token` endpoint. * Update user middleware to search incoming tokens via the `api_tokens` table, updating the last used date as it does so, and to record whether the current request was authenticated via an API token or a session cookie * This also changes this search to function via `diesel` where it was previously using `pg` * Add new set of endpoints at `/me/tokens` allowing creating, listing and revoking API tokens * Listing tokens doesn't return the tokens value, that's only available once in the response from creating the token. * Tests * Frontend: * Remove the special support for an `api_token` parameter coming back from the `/me` endpoint * Add new `api-token` model * Has a special `adapter` as the endpoints are namespaced under `/me/tokens` instead of the default `/api/v1/api_tokens` * Has a special `serializer` to set the key used when creating a new API token * Update `/me/index` controller and template * Render a sorted list of all API tokens in the data store instead of the single token * Remove button to reset the token * Add button to start creating a new API token * Add new `api-token-row` component for rendering the API tokens in the list on `/me/index` * Has three major states: * New token that has yet to be saved to the API, shows a text box to enter a name and button to save the token * Newly saved token, shows the normal token data + the actual token value and details on how to save it with cargo * Normal token, shows the name, creation date and last used date along with a button to revoke * In any of those states can have an error message shown below the token data if creating or revoking the token failed * Some small general CSS changes: * A small variant for buttons that reduces the padding * Support for disabled state on buttons making them a little lighter than the specified color
carols10cents
pushed a commit
to Nemo157/crates.io
that referenced
this issue
Jun 15, 2017
Fixes rust-lang#688 Summary of changes: * Database: * Add new `api_tokens` table that stores the named tokens, their creation date and last used date * API: * Remove singular `api_token` field from `User`, it is still in the database for easy rollback, but should be removed from there as well soon. * Remove existing `/me/reset_token` endpoint. * Update user middleware to search incoming tokens via the `api_tokens` table, updating the last used date as it does so, and to record whether the current request was authenticated via an API token or a session cookie * This also changes this search to function via `diesel` where it was previously using `pg` * Add new set of endpoints at `/me/tokens` allowing creating, listing and revoking API tokens * Listing tokens doesn't return the tokens value, that's only available once in the response from creating the token. * Tests * Frontend: * Remove the special support for an `api_token` parameter coming back from the `/me` endpoint * Add new `api-token` model * Has a special `adapter` as the endpoints are namespaced under `/me/tokens` instead of the default `/api/v1/api_tokens` * Has a special `serializer` to set the key used when creating a new API token * Update `/me/index` controller and template * Render a sorted list of all API tokens in the data store instead of the single token * Remove button to reset the token * Add button to start creating a new API token * Add new `api-token-row` component for rendering the API tokens in the list on `/me/index` * Has three major states: * New token that has yet to be saved to the API, shows a text box to enter a name and button to save the token * Newly saved token, shows the normal token data + the actual token value and details on how to save it with cargo * Normal token, shows the name, creation date and last used date along with a button to revoke * In any of those states can have an error message shown below the token data if creating or revoking the token failed * Some small general CSS changes: * A small variant for buttons that reduces the padding * Support for disabled state on buttons making them a little lighter than the specified color
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I use Travis CI for publishing all my crates to avoid any chance of weird local settings influencing the package that gets published. At the moment that means all my repositories are sharing the one authentication token that crates.io makes available. I have accidentally leaked and had to revoke this token multiple times when trying to improve my CI scripts, this then provokes a round of replacing the token in all the repositories that use it. If I was instead able to generate a new token for each repository then I would be able to just revoke the one token that was leaked and update that one repository.
🌟 Bonus points for being able to restrict the tokens to only have access for publishing a subset of my crates, but I assume that would probably come in a second feature request after multiple full-access tokens are available.
The text was updated successfully, but these errors were encountered: