User story #8304

Generated API tokens are still visible in the settings after initial generation

Added by Matthieu CERDA over 8 years ago. Updated over 1 year ago.

Status: Rejected
Priority: 4
Category: Security
Target version: -
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression: No

Description

In current best-practice abiding API applications, creating a new API key goes as follows:
  • The user asks for a new API token generation and enters some details
  • The application displays a pop-up giving the token / secret / ... and warning about the fact that it will be displayed only once
  • The user validates after copying the token and the token is created.

The token, after initial generation or renewal, is never displayed again and only known to the application itself and the user that created / renewed it. The only way to access it is to create another one or renew it, invalidating the first one.

This is a key security feature, preventing any impersonation of an API user (important especially when there is no read / write / read-write restriction for the tokens) and inviting users to create personal or project-related tokens instead of having everyone using the same easily accessible token, basically violating the non-repudiation paradigm.

We should do the same, by adding a pop-up at token creation / renewal with the "displayed only once" warning and never displaying the tokens.
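The flow described above, as an added example in Python that is not part of this issue or of Rudder's own code: the store keeps only a SHA-256 digest of each token (the approach of the related issue #23234, "Hash API tokens"), hands the plaintext back exactly once for the "displayed only once" pop-up, and renewal invalidates the previous token. The class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ApiTokenStore:
    """Hypothetical token store: only digests are persisted, never plaintext."""

    # account name -> SHA-256 hex digest of its current token
    _hashes: dict = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def generate(self, account: str) -> str:
        """Create or renew the token for `account`.

        The plaintext is returned once, for the pop-up; it is not stored.
        Because only the new digest is kept, any previous token for the
        account stops verifying immediately (renewal == revocation).
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._hashes[account] = self._digest(token)
        return token

    def verify(self, account: str, presented: str) -> bool:
        """Check a presented token; unknown accounts fail closed.

        compare_digest avoids leaking the digest through timing differences.
        """
        stored = self._hashes.get(account)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(presented))

    def stored_value(self, account: str):
        """What a settings page or a database dump could reveal: the digest only."""
        return self._hashes.get(account)
```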


Related issues 1 (0 open, 1 closed)

Is duplicate of Rudder - Architecture #23234: Hash API tokens (Released, François ARMAND)
#1 Updated by François ARMAND over 8 years ago

  • Assignee deleted (François ARMAND)

#2 Updated by Jonathan CLARKE over 8 years ago

  • Assignee set to Raphael GAUTHIER

#3 Updated by Jonathan CLARKE over 8 years ago

  • Target version set to 4.0.0~rc2

#4 Updated by Raphael GAUTHIER over 8 years ago

  • Status changed from New to In progress

#5 Updated by Raphael GAUTHIER over 8 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Raphael GAUTHIER to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/1124

#6 Updated by François ARMAND over 8 years ago

  • Assignee changed from François ARMAND to Vincent MEMBRÉ
  • Priority changed from 1 (highest) to 4

This seems OK. Maybe need some kind of functional review. Vincent, I'm letting you check the angularjs implementation, too.

#7 Updated by Vincent MEMBRÉ over 8 years ago

  • Status changed from Pending technical review to New

After discussing it with Jon and Raphael, we decided to delay that fix and take time to think of a better approach.

#8 Updated by François ARMAND about 8 years ago

  • Tracker changed from Bug to User story
  • Target version changed from 4.0.0~rc2 to 4.1.0~beta1

#9 Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 4.1.0~beta1 to 4.1.0~beta2

#10 Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 4.1.0~beta2 to 4.1.0~beta3

#11 Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 4.1.0~beta3 to 4.1.0~rc1

#12 Updated by François ARMAND almost 8 years ago

  • Target version changed from 4.1.0~rc1 to 4.2.0~beta1

#13 Updated by Alexis Mousset over 7 years ago

  • Target version changed from 4.2.0~beta1 to 4.2.0~beta2

#14 Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~beta2 to 4.2.0~beta3

#15 Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~beta3 to 4.2.0~rc1

#16 Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.0~rc1 to 4.2.0~rc2

#17 Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.0~rc2 to 4.2.0

#18 Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.0 to 4.2.1

#19 Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.1 to 4.2.2

#20 Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.2 to 4.2.3

#21 Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 4.2.3 to 4.2.4

#22 Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 4.2.4 to 4.2.5

#23 Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 4.2.5 to 4.2.6

#24 Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 4.2.6 to 4.2.7

#25 Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 4.2.7 to 414

#26 Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 414 to 5.0.0~beta1

#27 Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 5.0.0~beta1 to 5.0.0~beta2

#28 Updated by Vincent MEMBRÉ about 6 years ago

  • Target version changed from 5.0.0~beta2 to 5.0.0~rc1

#29 Updated by Vincent MEMBRÉ about 6 years ago

  • Target version changed from 5.0.0~rc1 to 5.0.0

#30 Updated by Vincent MEMBRÉ about 6 years ago

  • Target version changed from 5.0.0 to 5.0.1

#31 Updated by Vincent MEMBRÉ about 6 years ago

  • Target version changed from 5.0.1 to 5.0.2

#32 Updated by Vincent MEMBRÉ about 6 years ago

  • Target version changed from 5.0.2 to 5.0.3

#33 Updated by Vincent MEMBRÉ almost 6 years ago

  • Target version changed from 5.0.3 to 5.0.4

#34 Updated by Vincent MEMBRÉ almost 6 years ago

  • Target version changed from 5.0.4 to 5.0.5

#35 Updated by Alexis Mousset almost 6 years ago

  • Target version changed from 5.0.5 to 5.0.6

#36 Updated by Vincent MEMBRÉ almost 6 years ago

  • Target version changed from 5.0.6 to 5.0.7

#37 Updated by François ARMAND over 5 years ago

  • Target version changed from 5.0.7 to 5.0.9

#38 Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 5.0.9 to 5.0.10

#39 Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 5.0.10 to 5.0.11

#40 Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 5.0.11 to 5.0.12

#41 Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 5.0.12 to 5.0.13

#42 Updated by Vincent MEMBRÉ about 5 years ago

  • Target version changed from 5.0.13 to 5.0.14

#43 Updated by Vincent MEMBRÉ about 5 years ago

  • Target version changed from 5.0.14 to 5.0.15

#44 Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 5.0.15 to 5.0.16

#45 Updated by Alexis Mousset almost 5 years ago

  • Target version changed from 5.0.16 to 5.0.17

#46 Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 5.0.17 to 5.0.18

#47 Updated by Benoît PECCATTE over 4 years ago

  • Target version changed from 5.0.18 to 6.2.0~beta1

#48 Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 6.2.0~beta1 to 6.2.0~rc1

#49 Updated by François ARMAND about 4 years ago

  • Target version deleted (6.2.0~rc1)

#50 Updated by Alexis Mousset about 2 years ago

  • Subject changed from Generated API tokens are still visible in the settings after initial generation to Generated API tokens are still visible in the settings after initial generation (and stored as clear text)
  • Private changed from No to Yes
  • Regression set to No

#51 Updated by Alexis Mousset about 2 years ago

  • Category changed from API to Security

#52 Updated by Alexis Mousset over 1 year ago

  • Subject changed from Generated API tokens are still visible in the settings after initial generation (and stored as clear text) to Generated API tokens are still visible in the settings after initial generation

#53 Updated by Alexis Mousset over 1 year ago

  • Status changed from New to Rejected

#54 Updated by Alexis Mousset over 1 year ago

#55 Updated by Alexis Mousset over 1 year ago

  • Private changed from Yes to No