Argus
Source system authentication needs better refresh of tokens
The synchronization worker of our correlator (effectively an Argus source system) authenticates itself against the API through an API token. Our workflow is as follows:
- create and set up a correlator user and source system (once)
- create a token in the Argus Django admin console for this correlator user
- put the token in some configuration so that the correlator (sync worker) can authenticate itself against the API
While this works, it is not ideal:
- In order to not have to reissue a token every two weeks, we need to set `AUTH_TOKEN_EXPIRES_AFTER_DAYS` to a very high value. This poses a security risk since now all tokens are valid for this long time, also tokens created by users.
- After this long time period (let's say 365 days), the token still expires and suddenly the source system stops managing its Argus issues. Other than manually setting a calendar event, we have no way of being reminded that we need to update the token.
- There can be only one token active for a given user/source system, so there is no grace period in which we can create and provision the new token before expiring the old one, so there is always some downtime.
I was wondering if there was a better way to do this? Things I can imagine:
- Source systems might log in through the API. There appears to be some commented-out code in Argus for login API endpoints for local users. They could then create their own API tokens.
- Our correlator synchronization workers update their own token regularly. I guess they can do this through the `/api/v2/token-auth/` endpoint (although I haven't tried this). This could technically work, but is quite complex. We have multiple correlator synchronization workers running at the same time, so we'd need to have a shared state between them for the current token. IMHO this adds needless complexity and I do not favour this.
- A way to customize token expiration through the admin console. There would be a default `AUTH_TOKEN_EXPIRES_AFTER_DAYS` value, but it would be possible to set a different value when creating a token directly through the admin console. In order to deal with the token reprovisioning issue noted above, we should then also either be able to create tokens with an infinite lifetime, or better: allow multiple active tokens per user/source system.
A nice-to-have would be that (certain) admins get an email when a token is about to expire (some time before expiration, such as 14 days) so that they can reprovision a new token in time.
Or is there already a better way to handle authentication for source systems?
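As an added illustration of the scheme proposed in the post (multiple active tokens per source system, a per-token lifetime overriding the global default, and a reminder window before expiry), here is a small in-memory model. It is example code written for this page, not Argus code, and it mirrors none of Argus's token internals; `TokenStore`, `IssuedToken`, `rotation_scenario` and the 14-day/365-day numbers are assumptions chosen to match the post. Tokens are stored hashed so a leaked database does not leak usable secrets, and the comparison is constant-time.

```python
"""Hypothetical model of grace-period token rotation; not Argus code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class IssuedToken:
    owner: str          # user / source system the token belongs to
    token_hash: str     # only a hash is stored; the secret is shown once
    created: datetime
    expires: datetime
    revoked: bool = False


class TokenStore:
    """Several tokens may be active for the same owner at once."""

    def __init__(self, default_lifetime_days: int = 14, reminder_days: int = 14):
        self.default_lifetime = timedelta(days=default_lifetime_days)  # AUTH_TOKEN_EXPIRES_AFTER_DAYS analogue
        self.reminder = timedelta(days=reminder_days)
        self._tokens: list[IssuedToken] = []

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, owner: str, now: datetime, lifetime_days: Optional[int] = None) -> str:
        """Issue a token; a per-token lifetime overrides the global default."""
        lifetime = self.default_lifetime if lifetime_days is None else timedelta(days=lifetime_days)
        secret = secrets.token_urlsafe(32)
        self._tokens.append(IssuedToken(owner, self._hash(secret), now, now + lifetime))
        return secret

    def _find(self, secret: str) -> Optional[IssuedToken]:
        digest = self._hash(secret)
        for t in self._tokens:
            if hmac.compare_digest(t.token_hash, digest):
                return t
        return None

    def authenticate(self, secret: str, now: datetime) -> Optional[str]:
        """Return the owner if the token is known, unrevoked and unexpired."""
        t = self._find(secret)
        if t is None or t.revoked or now >= t.expires:
            return None
        return t.owner

    def revoke(self, secret: str) -> bool:
        t = self._find(secret)
        if t is None:
            return False
        t.revoked = True
        return True

    def active_count(self, owner: str, now: datetime) -> int:
        return sum(1 for t in self._tokens
                   if t.owner == owner and not t.revoked and now < t.expires)

    def expiring_soon(self, now: datetime) -> list[IssuedToken]:
        """Tokens a reminder mail should go out for: valid, but expiring within the window."""
        return [t for t in self._tokens
                if not t.revoked and now < t.expires <= now + self.reminder]


def rotation_scenario() -> dict:
    """Walk through a rotation with no downtime; returns what was observed."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    store = TokenStore(default_lifetime_days=14, reminder_days=14)
    old = store.issue("correlator", start, lifetime_days=365)

    # Day 355: the reminder job notices the token expires within 14 days.
    day355 = start + timedelta(days=355)
    reminders = [t.owner for t in store.expiring_soon(day355)]

    # An admin issues a replacement; both tokens are valid during the handover.
    new = store.issue("correlator", day355, lifetime_days=365)
    both_valid = (store.authenticate(old, day355) == "correlator"
                  and store.authenticate(new, day355) == "correlator")
    active_during_handover = store.active_count("correlator", day355)

    # Once every worker carries the new token, the old one is revoked.
    store.revoke(old)
    old_rejected = store.authenticate(old, day355) is None

    # Day 366: the old token would have expired anyway; the new one still works.
    day366 = start + timedelta(days=366)
    new_still_valid = store.authenticate(new, day366) == "correlator"

    return {
        "reminders": reminders,
        "both_valid": both_valid,
        "active_during_handover": active_during_handover,
        "old_rejected": old_rejected,
        "new_still_valid": new_still_valid,
    }


if __name__ == "__main__":
    print(rotation_scenario())
```

The point of the model is the ordering in `rotation_scenario`: the reminder fires while the old token is still valid, the new token is issued and distributed while both are accepted, and only then is the old one revoked. With one token per owner that overlap is impossible, which is exactly the downtime described in the post.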