
feat(auth): Add key previews to personal API keys

Open mishushakov opened this issue 1 year ago • 2 comments

Problem

Fixes issue #22360

Changes

  • Changes PersonalAPIKey data model
  • Adds function to mask keys
  • Returns masked value in API
  • Displays the masked value in the frontend Settings > Personal API keys

Does this work well for both Cloud and self-hosted?

Works on self-hosted.

How did you test this code?

Ran in codespaces on localhost.

mishushakov avatar May 20 '24 14:05 mishushakov

The mask was inspired by the OpenAI API keys page, let me know if you want this changed.

mishushakov avatar May 20 '24 14:05 mishushakov

Ah @benjackwhite, this is not clear in the code, but the PersonalAPIKey.value field is not used. We no longer store non-hashed values of keys, to prevent a leak of the table's contents from granting any malicious actor access to user accounts. So we do need a migration to facilitate this.

Twixes avatar May 20 '24 14:05 Twixes
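
The constraint raised in the comment above, as an added example that is not PostHog's code: when only a hash of the key is stored, the preview has to be computed at creation time, and rows that predate the mask column cannot be given one. `StoredKey`, `KEY_PREFIX`, the `sha256$` hash format and the 4+4 character mask are assumptions made for this sketch.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

KEY_PREFIX = "key_"  # hypothetical prefix, not the project's


def hash_key(value: str) -> str:
    # Unsalted SHA-256 is acceptable only because the key is long random data.
    return "sha256$" + hashlib.sha256(value.encode()).hexdigest()


def mask_key(value: str, head: int = 4, tail: int = 4) -> str:
    # Reveal a short head and tail; reveal nothing if the key is so short
    # that the hidden middle would lose a meaningful share of its entropy.
    if len(value) < 4 * (head + tail):
        return "*" * 8
    return f"{value[:head]}...{value[-tail:]}"


@dataclass
class StoredKey:
    label: str
    secure_value: str          # hash used for lookup; plaintext is never stored
    mask_value: Optional[str]  # None for rows created before masks existed


def create_key(label: str) -> tuple[str, StoredKey]:
    value = KEY_PREFIX + secrets.token_urlsafe(35)
    # The only moment the plaintext exists server-side, so mask it here.
    row = StoredKey(label, hash_key(value), mask_key(value))
    return value, row  # plaintext is shown to the user once; only row persists


def serialize(row: StoredKey) -> dict:
    # API payload: the preview (or None for legacy rows), never the hash.
    return {"label": row.label, "mask_value": row.mask_value}


def authenticate(presented: str, rows: list[StoredKey]) -> Optional[StoredKey]:
    digest = hash_key(presented)
    for row in rows:
        if secrets.compare_digest(row.secure_value, digest):
            return row
    return None
```
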

Hey @benjackwhite, I have updated the migration code 😄

mishushakov avatar May 21 '24 11:05 mishushakov

I could imagine some of the tests failing as they check the returned payload so that might be the final thing to get this over the line https://github.com/PostHog/posthog/blob/master/posthog/api/test/test_personal_api_keys.py#L27

benjackwhite avatar May 21 '24 11:05 benjackwhite

Have updated the tests as you pointed out, just in case 👍

mishushakov avatar May 21 '24 12:05 mishushakov