New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API keys #1359
Merged
Merged
API keys #1359
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pfeuffer
force-pushed
the
feature/api_keys
branch
from
October 5, 2020 07:58
abdc3de
to
e3112ad
Compare
pfeuffer
force-pushed
the
feature/api_keys
branch
from
October 5, 2020 08:53
bcf6d20
to
b357c1d
Compare
eheimbuch
requested changes
Oct 6, 2020
scm-webapp/src/test/java/sonia/scm/security/ApiKeyTokenHandlerTest.java
Outdated
Show resolved
Hide resolved
Kudos, SonarCloud Quality Gate passed! 0 Bugs |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
This adds so called "API keys" aka Tokens a user can create as an alternative for his usual credentials to access the REST API and for scm client access (git, hg and svn).
The essential part of an API key is a random 20 digit passphrase. Together with the user name and an id this is packed as a json representation and encoded as a base64 string. This is presented once to the user (or as the result of the REST api call to create the key), but will be stored nowhere. Only a hashed value of this random passphrase is stored (like the normal user passwords), so that such a token can more or less be checked the same way (after extraction) a password is checked.
For this, a new realm has been added, that takes these api keys either as a bearer token or as a password for basic authentication.
API keys are limited to repositories and a specific role. Therefore they cannot be used for global configuration or user and group administration.
Your checklist for this pull request
Put an
x
in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.Checklist for branch merge request (not required for forks)