Allow admins to view full api keys #276

Closed
GUI opened this issue Sep 4, 2015 · 1 comment
Comments


GUI commented Sep 4, 2015

In order to help with support requests related to api keys not being delivered by e-mail (due to spam filtering), we need to adjust our logic for displaying the api keys to administrators. Currently the full keys are not displayed. Here's what I'm thinking in order to make this easier for agency admins to address these support requests themselves, while also maintaining security:

  • Superuser admins should always be able to view the full keys.
  • Agency admins can view a full API key for 2 weeks after its creation. I think this should strike a good balance between allowing ample time for agency admins to deal with initial support while preventing a potentially naughty admin from harvesting a bunch of api keys.
  • Full API keys will be hidden from agency admins as soon as any roles are added to an API key. Since adding roles is what turns a key from being like any other public key into something that's potentially more sensitive, this seems like a good trigger for hiding it. We'll also assume that the user already has their key if an admin is adding a role to it.

GUI added a commit to NREL/api-umbrella-web that referenced this issue Sep 17, 2015

This is to allow for a bit easier support for admins needing to view the
full api key for users that recently registered (for example, if they
didn't receive their api key). The updated logic is:

- Superuser admins can always view the full api keys.
- Limited admins can view the full api key for 2 weeks after the key was
  created.
- If an api key has a role assigned to it by an admin, then the full api
  key will only be visible to the admin that created the key for 2
  weeks. The full key will be hidden from all other limited admins
  immediately.

See 18F/api.data.gov#276

GUI commented Sep 17, 2015

This admin behavior has been changed by NREL/api-umbrella-web#23
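
The visibility rules listed in the commit message above, written out as an added Ruby example (not code from api-umbrella-web or the referenced pull request). The `Admin` and `ApiKey` structs, the method names, the truncated preview format, the inclusive 14-day boundary and the fail-closed handling of missing or future timestamps are all assumptions made for illustration.

```ruby
# Added example; every name below is hypothetical, not api-umbrella-web's own.
Admin  = Struct.new(:id, :superuser, keyword_init: true)
ApiKey = Struct.new(:value, :created_at, :created_by_admin_id, :roles,
                    keyword_init: true)

FULL_KEY_WINDOW = 14 * 24 * 60 * 60 # "2 weeks", in seconds

# True when this admin may see the full key under the rules in the thread.
def can_view_full_key?(admin, key, now: Time.now)
  # Rule 1: superuser admins can always view the full key.
  return true if admin.superuser

  # Assumption: a missing or future creation time fails closed, so a bad
  # timestamp can never stretch the viewing window.
  return false if key.created_at.nil? || key.created_at > now

  # Rule 2: limited admins only get the full key for 2 weeks after creation.
  return false if now - key.created_at > FULL_KEY_WINDOW

  # No roles assigned: any limited admin inside the window may view it.
  return true if key.roles.nil? || key.roles.empty?

  # Rule 3: once a role is assigned, only the admin who created the key
  # keeps access (still bounded by the window). Keys with no recorded
  # creating admin are hidden from every limited admin.
  !key.created_by_admin_id.nil? && key.created_by_admin_id == admin.id
end

# Value to render in the admin UI. The 6-character preview is an assumption.
def displayed_key(admin, key, now: Time.now)
  can_view_full_key?(admin, key, now: now) ? key.value : "#{key.value[0, 6]}..."
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, not real keys or accounts.
  created = Time.utc(2015, 9, 4)
  creator = Admin.new(id: 2, superuser: false)
  other   = Admin.new(id: 3, superuser: false)
  key = ApiKey.new(value: "CONSTRUCTEDKEY0123456789", created_at: created,
                   created_by_admin_id: 2, roles: ["write"])
  one_day_later = created + 24 * 60 * 60
  puts displayed_key(creator, key, now: one_day_later)
  puts displayed_key(other, key, now: one_day_later)
end
```

Passing `now:` explicitly keeps the time-window check deterministic in tests, which is where off-by-one errors at the 2-week boundary tend to surface.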
