Personal access token #4540
Personal access token #4540
Conversation
|
I'm still planning to redesign the old API functions for token handling, because they return the token, and can't handle the unique name of a token. |
bruntib
force-pushed
the
access_tokens
branch
2 times, most recently
from
dc90bc4 to
01a6b3e
Compare
| @@ -38,7 +38,7 @@ def handle_add_token(args): | |||
| client = init_auth_client(protocol, host, port) | |||
|
|
|||
| description = args.description if 'description' in args else None | |||
| session = client.newToken(description) | |||
| session = client.newPersonalAccessToken(args.name, description) | |||
There was a problem hiding this comment.
Shouldn't this variable be called token since function name suggests it returns a new personal access token?
There was a problem hiding this comment.
Thanks, I fixed it!
There was a problem hiding this comment.
Couple usability snags I found skimming over it:
- The no-permission error when creating tokens is always
The server must be start by using privilaged access to execute this action., even when the user is not logged in. - You can log in with a PAT from the web interface via the username/password login flow. This causes the browser to stay logged in until the PAT expires. This is existing behavior, but I'm not sure if it's a good idea.
| self.description = description | ||
| self.auth_session_id = auth_session_id | ||
| self.last_access = datetime.now() | ||
| self.expiration = self.last_access + timedelta(days=365) |
There was a problem hiding this comment.
This default expiration should be configurable, and ideally, user-selectable (with a configurable upper limit).
There was a problem hiding this comment.
Will be done later.
| after closing this window. | ||
| </p> | ||
| </template> | ||
| </confirm-dialog> |
There was a problem hiding this comment.
It would be nice if instead of a Cancel button here, there was a Copy to clipboard button, or something similar.
bruntib
force-pushed
the
access_tokens
branch
3 times, most recently
from
0e97090 to
3ddfad2
Compare
There was a problem hiding this comment.
When LDAP and Oauth authentication is allowed, the personal access token based login does not work from the CLI. The reason is likely that authentication is tried through LDAP first and then when it fails because the personal access token does not match the LDAP password. So personal access based authentication should always be tried first and successful, the user should be let in, otherwise the other password based authentication methods can be tried.
bruntib
force-pushed
the
access_tokens
branch
2 times, most recently
from
0b2c756 to
4d5318f
Compare
A separate table is created for personal access tokens in the database. This table contains a unique name per user that identifies the token. The token is visible only once at generation. No access is allowed later. For this reason the old token handler API functions (getTokens(), newToken(), removeToken()) are deprecated. Other API functions are introduced instead: getPersonalAccessTokens(), newPersonalAccessToken() and removePersonalAccessToken(). The old clients are using the old API functions, but an empty string returns instead of the token. Personal access tokens can be created in the web GUI, too.
[feat] Personal access token
A separate table is created for personal access tokens in the database.
This table contains a unique name per user that identifies the token.
The token is visible only once at generation. No access is allowed later.
For this reason the old token handler API functions (getTokens(),
newToken(), removeToken()) are deprecated.
Other API functions are introduced instead: getPersonalAccessTokens(),
newPersonalAccessToken() and removePersonalAccessToken(). The old clients
are using the old API functions, but an empty string returns instead of
the token.
Personal access tokens can be created in the web GUI, too.