
Prevent the retrieval of API tokens after creation

Open jeremystretch opened this issue 3 years ago • 6 comments

NetBox version

v3.1.9

Feature type

New functionality

Proposed functionality

I'm opening this FR to explore the idea of preventing the export of API tokens after their creation. Upon creating a token, users would have one opportunity to copy the token out of NetBox, after which it will be functional but no longer accessible.

As there are likely use cases where retaining the ability to retrieve tokens is necessary, this should be implemented as a configuration parameter (e.g. ALLOW_TOKEN_RETRIEVAL = False). I don't anticipate any changes to the database, unless agreement is reached to remove this ability entirely.

Use case

Provides greater security, as users can no longer retrieve API tokens from NetBox. If a token is lost, it will need to be replaced and all API consumers which used it will need to be updated with the new token.

Database changes

No response

External dependencies

No response

jeremystretch avatar Mar 11 '22 13:03 jeremystretch

Just to add, as I can potentially see it being an ask in the future, maybe also have an "Allow Token Retrieval" permission so that that can be locked down to a specific user/group.

DanSheps avatar Mar 18 '22 14:03 DanSheps

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide.

github-actions[bot] avatar May 18 '22 04:05 github-actions[bot]

You could show the first 4 and last 4 digits, so that there still is a way to link a token in a 'lost' script to an account.

PieterL75 avatar Jul 27 '22 10:07 PieterL75

Would this also somehow scramble it in the DB? Because it's a simple query to retrieve it for anyone with access to the shell.

abhi1693 avatar Sep 26 '22 16:09 abhi1693

@jeremystretch do we want to encrypt this in the database? Or just mask it on the frontend?

arthanson avatar Oct 12 '22 00:10 arthanson

I personally don't see the point. Anyone who has access to the Shell has access to do a lot more than simply obtain the API key, all without logging as well.

DanSheps avatar Oct 12 '22 18:10 DanSheps
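
One way to combine the ideas raised in this thread (a key shown once at creation, the first-4/last-4 hint, and a database row that does not hold the key), as an added example that is not NetBox code and not part of the original discussion. `TokenStore`, its methods and the in-memory dict are hypothetical; only the `ALLOW_TOKEN_RETRIEVAL` name comes from the issue.

```python
import hashlib
import secrets


class TokenStore:
    """Hypothetical stand-in for a token table (not NetBox's model)."""

    def __init__(self, allow_token_retrieval=False):
        # Mirrors the ALLOW_TOKEN_RETRIEVAL parameter proposed in the issue.
        self.allow_token_retrieval = allow_token_retrieval
        self._rows = {}  # digest -> row; what a shell or SQL user would see

    @staticmethod
    def _digest(plaintext):
        # A fast hash is adequate here only because the key is 160 random
        # bits; it would not be for human-chosen secrets.
        return hashlib.sha256(plaintext.encode("ascii")).hexdigest()

    def create(self, user):
        """Create a token; the return value is the only copy of the key."""
        plaintext = secrets.token_hex(20)  # 40 hex characters
        row = {"user": user, "hint": f"{plaintext[:4]}...{plaintext[-4:]}"}
        if self.allow_token_retrieval:
            row["plaintext"] = plaintext  # retrievable mode keeps the key
        self._rows[self._digest(plaintext)] = row
        return plaintext

    def authenticate(self, presented):
        """Return the owning user, or None if the key is unknown."""
        try:
            row = self._rows.get(self._digest(presented))
        except UnicodeEncodeError:
            return None
        return row["user"] if row else None

    def display(self, user):
        """What a token list view could show for this user's tokens."""
        return [r.get("plaintext", r["hint"])
                for r in self._rows.values() if r["user"] == user]


if __name__ == "__main__":
    store = TokenStore(allow_token_retrieval=False)
    key = store.create("alice")           # constructed sample user
    print("shown once:", key)
    print("list view: ", store.display("alice"))
    print("auth:      ", store.authenticate(key))
```

With retrieval disabled, a lost key cannot be recovered from the stored rows and has to be replaced, which is the trade-off the issue describes.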