Make tokens more reliable

[apex-omontgomery]

https://blog.miguelgrinberg.com/post/restful-authentication-with-flask

After discussing with people in #help

uuid is not a good usage of tokens:

This is how the father of flask Miguel Grinberg recommends:

import base64
from datetime import datetime, timedelta
import os

class User(UserMixin, PaginatedAPIMixin, db.Model):
    # ...
    token = db.Column(db.String(32), index=True, unique=True)
    token_expiration = db.Column(db.DateTime)

    # ...

    def get_token(self, expires_in=3600):
        now = datetime.utcnow()
        if self.token and self.token_expiration > now + timedelta(seconds=60):
            return self.token
        self.token = base64.b64encode(os.urandom(24)).decode('utf-8')
        self.token_expiration = now + timedelta(seconds=expires_in)
        db.session.add(self)
        return self.token

    def revoke_token(self):
        self.token_expiration = datetime.utcnow() - timedelta(seconds=1)

    @staticmethod
    def check_token(token):
        user = User.query.filter_by(token=token).first()
        if user is None or user.token_expiration < datetime.utcnow():
            return None
        return user

[apex-omontgomery]

Per jz should probably use the secrets module.

[lord-cant-even]

Are you wanting to add a whole new model to be able to do revocation/checking/etc? Or is the desire just to use something other than uuid?

[aaron-junot]

API keys and tokens are different. API keys don't really expire unless the user wants to revoke it for some reason (speaking of which, key revocation and rotation should make it into this API at some point).

There are really just two reasons that the API keys exist.

1. To show our intent that resources should only be added or updated by OC members (but realistically, the YAML file has been public for most of it's existence, so its not like "private" or "sensitive")

2. To attribute troll-like actions to a specific user so that if someone adds a bogus resource or updates resources with the intent to destroy information, we can block that user and revoke their API key. Speaking of which, we probably need a way to blacklist users who should not be allowed to use the API anymore, because at the moment, any valid OC member (even a troll) could just generate (or regenerate) an API key

[aaron-junot]

Because of #325 (which does check for an expiration), I no longer expect this to be a problem. UUIDs are unique enough for the amount of users I expect to have, and we already have a safeguard in case of a collision. I can be convinced otherwise, but for now I think that #325 and the setup with the front end solves this problem. Let me know if anyone disagrees.