Add TokenHash and Label to AuthToken, allow revoke by hash #492

neelvirdy · 2022-10-26T19:55:44Z

Implements Phase 1/4 of #343, which tracks the switch to only store hashes of API Tokens in DB.

The end-user experiences no change in behavior from this PR, but newly created tokens will have a TokenHash and Label stored in DB. The Label is an arbitrary string that does not need to be unique, but allows the user to track the keys that are in use and know which to revoke when needed.

Allowing revoke by hash is necessary to ensure keys can still be revoked after we stop storing the raw token itself.

For info on follow-up PRs to complete the switch, see the issue linked above.

Demonstrating creating a new key with a label, as well as revoking keys by hash and by key. The listed tokens with the censored token are the keys that have no token value stored in the db, and are being revoked via their hash.

Screen.Recording.2022-11-07.at.12.08.59.PM.mov

en0ma · 2022-10-27T04:10:40Z

@neelvirdy can the label address this requirement #471 ?

handlers.go

neelvirdy · 2022-10-27T17:22:11Z

@neelvirdy can the label address this requirement #471 ?

@en0ma yep! didn't see that issue till now but it seems identical except these 2 differences:

Label vs name for field name - i have no strong preference with which way we go. Label is slightly more intuitive to me but clearly not for everyone! I don't see any convention from a quick google search. Open to adjusting it if someone shouts
I intend to make the label a required input when generating a key, so the user is encouraged to provide a meaningful label and remember what the key is for, rather than auto-generating a random label and relying on the user to do their due diligence proactively to have good key management.

en0ma · 2022-11-04T08:15:12Z

2. I intend to make the label a required input when generating a key, so the user is encouraged to provide a meaningful label and remember what the key is for, rather than auto-generating a random label and relying on the user to do their due diligence proactively to have good key management.

If this is done, I think it will completely address that issue. I am ok with using "label" too.

en0ma · 2022-11-04T08:15:36Z

@alvin-reyes can you have a look at this PR

handlers.go

main.go

util/users.go

alvin-reyes

Great work @neelvirdy!

Can you add some verification tests and post it in this PR? Just add a new section on the description part

## Verification 
### revoke user by hash
<screen shot of the UI or the cli>
### revoke user by key
<screen shot of the UI or the cli>

…irdy/token-hash-label

alvin-reyes

LGTM

neelvirdy requested review from 10d9e and en0ma October 26, 2022 22:17

en0ma reviewed Oct 27, 2022

View reviewed changes

handlers.go Outdated Show resolved Hide resolved

en0ma reviewed Oct 27, 2022

View reviewed changes

handlers.go Outdated Show resolved Hide resolved

en0ma reviewed Oct 27, 2022

View reviewed changes

handlers.go Outdated Show resolved Hide resolved

neelvirdy force-pushed the nvirdy/token-hash-label branch from 64c4c49 to b633f3b Compare October 27, 2022 17:04

neelvirdy changed the base branch from master to dev October 27, 2022 17:08

neelvirdy requested a review from alvin-reyes October 27, 2022 17:31

neelvirdy and others added 5 commits October 31, 2022 17:29

Add TokenHash and Label to AuthToken, allow revoke by hash

63354d6

Don't omit token yet

65d470c

docs: update swagger docs

be7c98c

key-or-hash to key_to_hash per convention

06f0935

Use RawURLEncoding for token hash to be url safe

e229a07

neelvirdy force-pushed the nvirdy/token-hash-label branch from 8eb200e to e229a07 Compare October 31, 2022 17:30