User story #8304
closedGenerated API tokens are still visible in the settings after initial generation
Description
- The user asks for a new API token generation and enters some details
- The application displays a pop-up giving the token / secret / ... and warning about the fact that it will be displayed only once
- The user validates after copying the token and the token is created.
The token, after initial generation or renewal, is never displayed again and only known to the application itself and the user that created / renewed it. The only way to access it is to create another one or renew it, invalidating the first one.
This is a key security feature, preventing any impersonation of an API user (important especially when there is no read / write / read-write restriction for the tokens) and inviting users to create personal or project-related tokens instead of having everyone using the same easily accessible token, basically violating the non-repudiation paradigm.
We should do the same, by adding a pop-up at token creation / renewal with the "displayed only once" warning and never displaying the tokens.
Updated by Raphael GAUTHIER over 8 years ago
- Status changed from New to In progress
Updated by Raphael GAUTHIER over 8 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Raphael GAUTHIER to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/1124
Updated by François ARMAND over 8 years ago
- Assignee changed from François ARMAND to Vincent MEMBRÉ
- Priority changed from 1 (highest) to 4
This seems OK. Maybe need some kind of functional review. Vincent, I'm letting you check the angularjs implementation, to.
Updated by Vincent MEMBRÉ over 8 years ago
- Status changed from Pending technical review to New
After discussing it with Jon and Raphael, we decided to delay that fix and take time to think of a better approach
Updated by François ARMAND about 8 years ago
- Tracker changed from Bug to User story
- Target version changed from 4.0.0~rc2 to 4.1.0~beta1
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 4.1.0~beta1 to 4.1.0~beta2
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 4.1.0~beta2 to 4.1.0~beta3
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 4.1.0~beta3 to 4.1.0~rc1
Updated by François ARMAND almost 8 years ago
- Target version changed from 4.1.0~rc1 to 4.2.0~beta1
Updated by Alexis Mousset over 7 years ago
- Target version changed from 4.2.0~beta1 to 4.2.0~beta2
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.2.0~beta2 to 4.2.0~beta3
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.2.0~beta3 to 4.2.0~rc1
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.2.0~rc1 to 4.2.0~rc2
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.2.0~rc2 to 4.2.0
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.2.0 to 4.2.1
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.2.1 to 4.2.2
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.2.2 to 4.2.3
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.2.3 to 4.2.4
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 4.2.4 to 4.2.5
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.5 to 4.2.6
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.6 to 4.2.7
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.7 to 414
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 414 to 5.0.0~beta1
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 5.0.0~beta1 to 5.0.0~beta2
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 5.0.0~beta2 to 5.0.0~rc1
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 5.0.0~rc1 to 5.0.0
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 5.0.0 to 5.0.1
Updated by Vincent MEMBRÉ about 6 years ago
- Target version changed from 5.0.1 to 5.0.2
Updated by Vincent MEMBRÉ about 6 years ago
- Target version changed from 5.0.2 to 5.0.3
Updated by Vincent MEMBRÉ about 6 years ago
- Target version changed from 5.0.3 to 5.0.4
Updated by Vincent MEMBRÉ almost 6 years ago
- Target version changed from 5.0.4 to 5.0.5
Updated by Alexis Mousset almost 6 years ago
- Target version changed from 5.0.5 to 5.0.6
Updated by Vincent MEMBRÉ almost 6 years ago
- Target version changed from 5.0.6 to 5.0.7
Updated by François ARMAND almost 6 years ago
- Target version changed from 5.0.7 to 5.0.9
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 5.0.9 to 5.0.10
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 5.0.10 to 5.0.11
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 5.0.11 to 5.0.12
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 5.0.12 to 5.0.13
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 5.0.13 to 5.0.14
Updated by Vincent MEMBRÉ about 5 years ago
- Target version changed from 5.0.14 to 5.0.15
Updated by Vincent MEMBRÉ about 5 years ago
- Target version changed from 5.0.15 to 5.0.16
Updated by Alexis Mousset almost 5 years ago
- Target version changed from 5.0.16 to 5.0.17
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 5.0.17 to 5.0.18
Updated by Benoît PECCATTE over 4 years ago
- Target version changed from 5.0.18 to 6.2.0~beta1
Updated by Vincent MEMBRÉ about 4 years ago
- Target version changed from 6.2.0~beta1 to 6.2.0~rc1
Updated by François ARMAND about 4 years ago
- Target version deleted (
6.2.0~rc1)
Updated by Alexis Mousset over 2 years ago
- Subject changed from Generated API tokens are still visible in the settings after initial generation to Generated API tokens are still visible in the settings after initial generation (and stored as clear text)
- Private changed from No to Yes
- Regression set to No
Updated by Alexis Mousset over 2 years ago
- Category changed from API to Security
Updated by Alexis Mousset over 1 year ago
- Subject changed from Generated API tokens are still visible in the settings after initial generation (and stored as clear text) to Generated API tokens are still visible in the settings after initial generation
Updated by Alexis Mousset over 1 year ago
- Is duplicate of Architecture #23234: Hash API tokens added