
Add the ability to mint new API tokens through the UI #330

Merged: 19 commits merged into dev from 313_mint_tokens, Jul 10, 2024

Conversation

nleroy917 (Member):

This PR adds the ability for users to create new API tokens on the fly for themselves through the PEPhub user interface. This is just a little easier than using a CLI to do the same thing.

Directly addresses: #313

Features

  • New "developer settings" modal that users can view on their namespace page
  • New endpoints to mint new tokens, delete minted tokens, and view the current suite of minted tokens. In theory, this can be done programmatically as well, assuming you have an already-valid JWT

Caveats

  • these JWTs live in memory on the server with a secret key created at server start time. Therefore, a server restart prior to the expiry of the token would revoke all tokens for all users

The revoking problem

Revoking a token doesn't invalidate it! Because the JWT is a self-contained entity, revoking it does nothing. As long as it was minted with the appropriate secret, it is valid!

A potential workaround is to keep a list of "bad"/"revoked" JWTs and check these on the server when the authorization header is parsed for authorized requests:

# authorization_header is the raw value of the request's Authorization header
authorization = authorization_header.replace("Bearer ", "")
if authorization in BAD_JWTS_LIST:
    return {"code": 401, "message": "This token is invalid"}
else:
    # parse and verify the JWT as usual
    ...

A downside to this is it sets the stage for a nefarious actor to pollute the "bad tokens" in-memory store by continuously minting and revoking tokens until memory runs out. This could be solved via rate limiting the minting of tokens.

@nleroy917 nleroy917 changed the base branch from master to dev June 28, 2024 20:20
@nleroy917 nleroy917 requested a review from khoroshevskyi June 28, 2024 20:21
nleroy917 (Member, Author):

The "bad tokens" implementation is easy and, with the help of a library like slowapi, could be only a few lines of code.

nleroy917 (Member, Author):

That a user can only mint 5 tokens max is another great idea proposed by @khoroshevskyi.

nleroy917 (Member, Author):

Maybe a combination of everything would be sufficient to deter anyone from being mean and crashing pephub :)

nleroy917 (Member, Author):

Ok -- I have implemented:

  1. rate limiting for minting tokens
  2. A bad JWTs list that checks for "revoked" tokens

I suppose yet another option we could employ is periodically purging the "bad JWTs" list and checking for expired keys (they can be removed since they will be rejected anyway on the basis that they are expired).
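The three mitigations raised in this thread (a per-user cap of 5 tokens, a denylist consulted when the Authorization header is parsed, and periodic purging of entries whose token has already expired) fit together as follows. This is an added example, not pephub's code: it hand-rolls a minimal HS256 JWT so it runs offline, keys the denylist by the token's `jti` claim rather than the whole token string, and the names `TokenStore`, `SERVER_SECRET` and `MAX_TOKENS_PER_USER` are illustrative assumptions.

```python
"""Denylist-based revocation for self-contained HS256 JWTs (illustrative, not pephub's code).

Assumptions: a server-side secret generated at start-up (so a restart invalidates
everything, as the PR notes), a cap of 5 live tokens per user, and a denylist
keyed by `jti` that is purged once the entry's `exp` has passed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)  # regenerated on restart -> all tokens die
MAX_TOKENS_PER_USER = 5  # cap proposed in the PR discussion


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: dict, secret: bytes = SERVER_SECRET) -> str:
    """Produce a compact HS256 JWT: header.payload.signature, base64url encoded."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token: str, secret: bytes = SERVER_SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and exp check out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


class TokenStore:
    """In-memory registry of minted tokens plus a denylist of revoked jti values."""

    def __init__(self):
        self.minted = {}   # user -> {jti: exp}
        self.revoked = {}  # jti -> exp, so purge() knows when an entry is dead

    def mint(self, user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        live = {j: e for j, e in self.minted.get(user, {}).items() if e > now}
        if len(live) >= MAX_TOKENS_PER_USER:
            raise PermissionError("token cap reached")
        jti = secrets.token_hex(16)
        exp = now + ttl
        live[jti] = exp
        self.minted[user] = live
        return sign({"sub": user, "jti": jti, "iat": int(now), "exp": exp})

    def revoke(self, user: str, jti: str) -> bool:
        """Only tokens this user actually minted can be revoked; unknown jti is a no-op."""
        exp = self.minted.get(user, {}).pop(jti, None)
        if exp is None:
            return False
        self.revoked[jti] = exp
        return True

    def purge(self, now: Optional[float] = None) -> int:
        """Drop denylist entries whose token has expired; verify() rejects those anyway."""
        now = time.time() if now is None else now
        dead = [j for j, e in self.revoked.items() if e <= now]
        for j in dead:
            del self.revoked[j]
        return len(dead)

    def authorize(self, authorization: str, now: Optional[float] = None) -> Optional[dict]:
        """Parse an Authorization header; reject bad signature, expired, or revoked tokens."""
        if not authorization.startswith("Bearer "):
            return None
        claims = verify(authorization[len("Bearer "):], now=now)
        if claims is None or claims.get("jti") in self.revoked:
            return None
        return claims
```

Keying the denylist by `jti` keeps each entry a fixed size, and purging by `exp` bounds the list to tokens revoked within one lifetime; combined with a rate limit on the mint endpoint (slowapi in the PR's case), that bounds the memory a mint-and-revoke loop can consume.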

nleroy917 (Member, Author) commented Jul 3, 2024:

Last question I have is what to do here:
[screenshot not included]

nleroy917 (Member, Author):

Last thing: clean up the dev modal

nleroy917 (Member, Author) commented Jul 10, 2024:

@khoroshevskyi this is ready for review. Only thing that I haven't tested is deleting all PEPs -- I am afraid to since I have a couple I want to keep 😃 It should work though....

khoroshevskyi (Member) left a review:

Some changes needed, but it works really well.

Review comments (all resolved) on:

  • pephub/dependencies.py (2)
  • pephub/helpers.py
  • pephub/limiter.py
  • pephub/routers/auth/base.py (2, outdated)
  • pephub/developer_keys.py (3, of which 2 outdated)
@khoroshevskyi khoroshevskyi self-requested a review July 10, 2024 15:18
@nleroy917 nleroy917 merged commit 83e7fe5 into dev Jul 10, 2024
1 check passed
@khoroshevskyi khoroshevskyi deleted the 313_mint_tokens branch July 19, 2024 14:24