Closes #2240: Return api-token on user login #2539
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch modifies the session/login endpoint slightly so that it will, when hit by a non-default tempate (e.g. API), will generate and return the logged in user's API token. API onboarding is hard, and asking individual users to generate OAuth2 applications or enter a long api token string is not feasible. I believe the solution is to generate and retrieve the api-token on session/login, after the login process has been completed successfully. I believe this is not a security hole as the user will have passed security checks at this point, and this is no different to hitting the api token endpoint. Well, that's not actually quite true (see idno#831), tokens are stored clear in the database and so if that is compromised is will cause problems. Scope for this is limited with this patch as token is only generated for people who hit the login page as an API user. Long term or in a hosted environment, these tokens should be stored in a secure key store.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Here's what I fixed or added:
This patch modifies the session/login endpoint slightly so that it will, when hit by a non-default tempate (e.g. API), will generate and return the logged in user's API token.
Here's why I did it:
API onboarding is hard, and asking individual users to generate OAuth2 applications or enter a long api token string is not feasible.
I believe the solution is to generate and retrieve the api-token on session/login, after the login process has been completed successfully. I believe this is not a security hole as the user will have passed security checks at this point, and this is no different to hitting the api token endpoint.
Well, that's not actually quite true (see #831), tokens are stored clear in the database and so if that is compromised is will cause problems. Scope for this is limited with this patch as token is only generated for people who hit the login page as an API user. Long term or in a hosted environment, these tokens should be stored in a secure key store.
Checklist: