patchwork
Token based authentication for the REST API
-
REST API to create/delete/revoke tokens:
GET /api/tokens/ -> the list of tokens for the current user (needs HTTPS)
POST /api/tokens/ -> create a new token for the logged-in user
DELETE /api/tokens/$id -> delete the token
PATCH/PUT /api/tokens/$id -> modify the token; only the revocation reason can be modified
Unit tests for the API.
-
The Token model can be taken from rest_framework/authtoken (compatible license)
-
Tokens have:
- a name, so people can remember what they created the token for
- a secret (hashed?)
- a string with the revocation reason; null while the token is valid
- a foreign key to the user
- a created time
-
Store the token secrets hashed? See https://docs.djangoproject.com/en/1.8/topics/auth/passwords/#module-django.contrib.auth.hashers. Those hashers are tuned for low-entropy passwords (salted and deliberately slow); a randomly generated token has enough entropy that a plain SHA-256 is sufficient. Either way, the point is that a leaked database must not yield usable tokens.
-
Tokens are passed to the API in an HTTP header, and only accepted over HTTPS (needs a unit test).
-
On the web UI side, the list of tokens is shown in the user profile. The user profile must only be accessible over HTTPS. Each token has:
- name
- revoke status
- revoke button
- delete button
We can create API tokens from the profile page as well. The flow is:
- enter a token name, click create button
- API call
- insert the new token at the end of the list, showing the secret with a note saying that this is the only time we will show it (because only its hash is stored)
Why do we need both revoke and delete? Gabriel had the idea that if patchwork sees a token sent over plain HTTP, it should revoke that token automatically. So that this is not too brutal for the user, the profile must show the token as revoked (with the reason) so they can see what happened to it. I'd do the automatic revocation as a separate commit.
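The token model with a hashed secret, the HTTPS-only header check and the automatic revocation described above, pulled together in one runnable sketch. This is an added example, not patchwork code: it keeps tokens in a plain dict instead of a Django model, hashes with a SHA-256 hex digest instead of django.contrib.auth.hashers, and the "<id>.<secret>" wire format is an assumption of the example (it lets the row be found by id before the hash is compared, so a salted hash could be dropped in later). The `headers` dict and `is_secure` flag stand in for Django's `request.META["HTTP_AUTHORIZATION"]` and `request.is_secure()`.

```python
"""Hashed API tokens, HTTPS-only auth and auto-revocation (example, not patchwork code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class AuthError(Exception):
    """Raised when a request does not carry an acceptable token."""


@dataclass
class Token:
    id: int
    name: str                    # what the user created it for
    user: str                    # stands in for the foreign key to User
    secret_hash: str             # hex SHA-256 of the secret; the plaintext is never stored
    created: datetime
    revocation_reason: Optional[str] = None   # None while the token is valid

    @property
    def is_valid(self) -> bool:
        return self.revocation_reason is None


def hash_secret(secret: str) -> str:
    # A 256-bit random secret needs no slow, salted password hash: one SHA-256
    # already makes a leaked table useless to an attacker.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in for the Token table (constructed for this example)."""

    def __init__(self) -> None:
        self._tokens: Dict[int, Token] = {}
        self._next_id = 1

    def create(self, user: str, name: str) -> Tuple[Token, str]:
        """POST /api/tokens/: returns the row and the one-time plaintext."""
        secret = secrets.token_urlsafe(32)
        tok = Token(id=self._next_id, name=name, user=user,
                    secret_hash=hash_secret(secret),
                    created=datetime.now(timezone.utc))
        self._next_id += 1
        self._tokens[tok.id] = tok
        # "<id>.<secret>" is an assumption of this example (see lead-in).
        return tok, f"{tok.id}.{secret}"

    def get(self, token_id: int) -> Optional[Token]:
        return self._tokens.get(token_id)

    def list_for(self, user: str) -> List[Token]:
        """GET /api/tokens/"""
        return [t for t in self._tokens.values() if t.user == user]

    def revoke(self, token_id: int, reason: str) -> None:
        """PATCH/PUT /api/tokens/$id: only the revocation reason is writable."""
        self._tokens[token_id].revocation_reason = reason

    def delete(self, token_id: int) -> None:
        """DELETE /api/tokens/$id"""
        del self._tokens[token_id]

    def lookup(self, presented: str) -> Optional[Token]:
        """Find the row for a presented "<id>.<secret>", or None."""
        try:
            id_str, secret = presented.split(".", 1)
            token_id = int(id_str)
        except ValueError:
            return None
        tok = self._tokens.get(token_id)
        if tok is None:
            return None
        # Constant-time compare so response timing does not leak the hash.
        if not hmac.compare_digest(tok.secret_hash, hash_secret(secret)):
            return None
        return tok


def authenticate(store: TokenStore, headers: Dict[str, str], is_secure: bool) -> Token:
    """Return the Token for a request, or raise AuthError."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Token "):
        raise AuthError("no API token in the Authorization header")
    tok = store.lookup(auth[len("Token "):].strip())
    if not is_secure:
        # The secret just crossed the wire in clear text: treat it as burnt,
        # and record why so the profile page can show the user what happened.
        if tok is not None and tok.is_valid:
            store.revoke(tok.id, "token was sent over plain HTTP")
        raise AuthError("API tokens are only accepted over HTTPS")
    if tok is None:
        raise AuthError("unknown token")
    if not tok.is_valid:
        raise AuthError("token revoked: " + tok.revocation_reason)
    return tok
```

Note that a plain-HTTP request is refused whether or not the token was valid, and the revocation reason is written before the error is raised, which is exactly what lets the profile page list the token as revoked with an explanation instead of having it silently stop working.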