Add button to regenerate API Token and regenerate the token automatically when the password is changed
The settings page should have a button to regenerate API Token.
This will require a new route (that asks for the user password or checks that the user is correctly authenticated in case of a social account where no password exists) and relative tests.
Some initial code can be found in these two commits https://github.com/HabitRPG/habitica/pull/9202/commits/077e93e66e7eb4dcc46af7471e1039ff10a8627c and https://github.com/HabitRPG/habitica/pull/9202/commits/b0c1d41526d7e3e647d4bfa37b4134acfb6f4f59 that were part of a related PR but were never merged #9202
The API Token should also be regenerated automatically when a user changes their password
@paglias Willing to take a look at this.
@TNychka Thank you very much! Let us know if you have any questions.
I've updated the labels on this ticket.
A note for myself for when the fix for this goes live: The "notify helpers" label is for me to tell the Socialites that the API Token will change every time a player changes their password, so if a player reports that an extension or other third party tool has suddenly stopped working, they should check to see if their API Token has changed. If it's reported often, we should clarify it further to the users.
This commit: https://github.com/HabitRPG/habitica/commit/077e93e66e7eb4dcc46af7471e1039ff10a8627c contains some new locales strings. Below are some suggestions for changes to those strings that I proposed to the staff back when this was first being discussed. The staff didn't comment either way about my suggestions so @TNychka don't consider my words below to be approved, but I'd still like us to consider these points so I'm copying them here for discussion.
Can we use the phrase "third-party tools" rather than "3rd party integrations" in all messages? "Tools" is a more common term on the wiki and in the guilds, and is more understandable for non-tech users. "Integration" tends to be used on the wiki in a less general context.
Also, can we use "API Token" everywhere, instead of just "Token"? I know it will be repetitious, but it will help avoid confusion in the far future when a different feature using the word "token" will be introduced.
For this text: "Once it is reset you will need to re-authorize everything by logging out of the website and mobile app and by providing the new Token to any other Habitica tools that you use. For further assistance contact <%= hrefTechAssistanceEmail %> with your User ID and current Token.", I'm not sure that all users will understand "re-authorize". What about: "Once it is reset you must log out of the website and mobile app and log back in - the website and apps won't work properly until you do. You will also have to provide the new API Token to any other Habitica tools or third-party tools that you use. For further assistance contact <%= hrefTechAssistanceEmail %> with your User ID."
The final sentence shouldn't ask them to email the API Token to us. We sometimes ask for the first few characters of it when we reply to an email that needs proof of ownership but we don't want to make the users accustomed to seeing requests for the API Token - it's dangerous if they think it's a safe thing to provide.
@TNychka Is this issue still in progress? Please let us know. Thank you!
@beffymaroo yep, there is a PR in progress here that's waiting on some input: https://github.com/HabitRPG/habitica/issues/9320
@TNychka Great, thank you for the update!
Given the age of this and the associated PR, and its proximity to some outstanding projects, I'm marking this for the staff to review.
@SabreCat any news on this? If someone gets hacked and needs to ping admins to regenerate their token, maybe at the time the admin replies the damage might have already been done. I see there was a PR, but closed due to staff discussion.