crates.io icon indicating copy to clipboard operation
crates.io copied to clipboard

Published 20 hours ago verified publisher icon rust-lang

API token expiry warning emails

Open Turbo87 opened this issue 1 year ago • 5 comments
trafficstars

Some time last year we introduced optional expiration periods for API tokens. One caveat of the existing system is that users don't get notified when their tokens expire and they have to proactively monitor this if they use expiration.

In our team meeting on Friday we discussed how we could improve the situation and one idea was to automatically send out warning emails when an API token expires.

As https://github.com/rust-lang/crates.io/issues/6664#issuecomment-1952208242 states, such emails are seen as a requirement before we can change the default expiration setting on the API token creation page.

A couple of open questions:

  • When should we send these emails? At the time when the token expires? A week before? A day before?
  • Should we offer a way to create a new token based on the settings from an existing token?
  • Should we use a feature flag while testing this out on the staging environment?

In terms of implementation:

  • We will probably need to track for what tokens we have sent out warnings already. One way to do this would be to add another column to the api_tokens table.
  • A new background job could then be implemented that scans the api_tokens table for tokens that have expired (or are going to expire) and where a warning has not been sent yet, and then sends out such a warning email.

Turbo87 avatar Feb 19 '24 11:02 Turbo87

  • Should we offer a way to create a new token based on the settings from an existing token?

I haven't seen this feature on other products and platforms. Do you have any examples we can refer to?

Are you working on this? If not, do you mind me to take it and help implement it?

0xPoe avatar Feb 20 '24 13:02 0xPoe

I haven't seen this feature on other products and platforms. Do you have any examples we can refer to?

can't think of one, but what I have in mind is a "Duplicate" button on each of the existing tokens that would take you to the "Create API token" page with the scopes from the other token filled in and a name of e.g. "XXX (Copy)".

Are you working on this? If not, do you mind me to take it and help implement it?

Sure, go ahead! :)

Turbo87 avatar Feb 21 '24 20:02 Turbo87

I'll follow up with the infra team on Zulip in regards to hardening our DMARC and SPF configurations in preparation for sending these emails. 🙂

mdtro avatar Mar 01 '24 22:03 mdtro

I was too busy last week, but I will begin working on the design and implementation this week.

0xPoe avatar Mar 04 '24 12:03 0xPoe

I haven't seen this feature on other products and platforms. Do you have any examples we can refer to?

GitHub has this feature, for instance: image The UI looks like this:

image

0xPoe avatar Apr 07 '24 02:04 0xPoe

Since the API token expiry notification emails have been implemented I will close this issue now. The token copy functionality has its own issue now: https://github.com/rust-lang/crates.io/issues/8717 :)

Turbo87 avatar May 24 '24 09:05 Turbo87