Django Admin integration fix adding AuthToken #330
base: develop
Codecov Report
Attention: Patch coverage is
Coverage diff, develop vs. #330:
              develop    #330     +/-
  Coverage     91.70%  87.64%  -4.07%
  Files             9       9
  Lines           229     267    +38
  Branches         35      40     +5
  Hits            210     234    +24
  Misses           16      30    +14
  Partials          3       3
View full report in Codecov by Sentry.
I don't quite see the need for generating an auth token in the admin like this... They should be generated by providing the user login/password combo.
Thanks for your review and comments. Regarding your comments:
Anyone with access to the admin interface can currently add a token over the admin interface for any user, as it's possible to enter the digest and a token_key. They just have to calculate the digest of the desired key manually. With default settings:
But I don't see any problem here. Additional note: maybe this was the reason why there was a salt (see #188), because with the salt this would not be possible, as the salt would be needed to calculate the digest.
I have some API endpoints that are not meant for regular users but for "system operations". To authorize the 3rd-party software, the admin should be able to create an Auth Token manually and provide it to the 3rd-party software. As the 3rd-party software has no way to automatically upgrade the token on a refresh, it would basically be a Token with no expiry. Anyway, if you find this use-case scenario not relevant, and it was never meant to add AuthTokens over the admin, I suggest hiding the "Add" button in the AuthToken admin (I can do the PR), because it's kind of misleading.
@paulgueltekin Sorry it took me a while to get back to this. Thanks for clarifying, and in light of your last comment I am now more in favor of merging this in. Can you look into the pre-commit errors maybe?
@giovannicimolin maybe you'd like to give this one a look as well?
@johnraz Thanks for the heads up! I'll try reviewing this tomorrow.
@johnraz Sorry for missing this here, I spent a few days at the hospital and then things got hectic at my company and I had no time for this. Reviewing it now.
@paulgueltekin @johnraz I think this is a reasonable change. Can you perform the following steps before we move this forward:
Thanks for the contribution!
Hi, I will check this today, thanks for your review.
return the token as message to the user
change MIDDLEWARE_CLASSES (obsolete) to MIDDLEWARE, add required apps, middleware and context processors for admin pages
add admin urls to reference project
Add admin form for creating AuthTokens, add admin filter for searching AuthTokens
Refactor AuthTokenManager, separate methods for token/digest/expiry logic
for more information, see https://pre-commit.ci
The current state of the Django Admin integration for adding new AuthTokens is not really functional.
I created a custom admin form for adding new tokens that requires specifying a user and, optionally, an expiry date.
To get the Django form save() method to work, which internally does not use the manager's create() method but creates an AuthToken object and later calls .save(), I had to extract the logic for generating the digest and token values from the AuthTokenManager.create() method so it can be reused in the admin form.
The token itself is presented to the user via the Django messaging framework (which is a requirement for the admin anyway) after saving the AuthToken (see attached image).
I also added a search filter to the admin view to filter the list of AuthTokens by User.USERNAME_FIELD, token_key and digest value.
Finally, I added the admin view dependencies to the reference project.
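Two points in this thread are worth seeing in running code: the reply above noting that, with the default unsalted digest, anyone who can write token_key and digest through the admin can plant a token they computed themselves for any user, and the description's refactor that splits token, digest and expiry generation out of the manager so an admin form's save() can reuse them. The block below is an added example written for this page; it is not code from django-rest-knox or from this PR. It assumes a 64-hex-character token, an 8-character token_key prefix, an unsalted SHA-512 digest over the raw token bytes, and an in-memory list standing in for the AuthToken table; the class and function names are hypothetical.

```python
"""Stand-alone model of the token scheme discussed in PR #330.

Assumptions (not taken from the project): 32 random bytes -> 64 hex chars,
token_key = first 8 chars, digest = SHA-512 over the raw token bytes, no
salt, and a Python list instead of the AuthToken database table.
"""
import binascii
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_BYTES = 32          # assumption: 32 random bytes -> 64 hex characters
TOKEN_KEY_LENGTH = 8      # assumption: short lookup prefix stored in the row
DEFAULT_TTL_SECONDS = 10 * 3600


# --- the three pieces the PR description says were split out of create() ---

def generate_token() -> str:
    """Fresh random token, hex encoded (the value handed to the client)."""
    return binascii.hexlify(secrets.token_bytes(TOKEN_BYTES)).decode()


def hash_token(token: str) -> str:
    """Unsalted digest over the raw token bytes.

    Nothing secret goes into this, which is exactly the point raised in the
    discussion: whoever can write (token_key, digest) into a row can pick a
    token, run this function on it, and plant an authenticating row.
    """
    return hashlib.sha512(binascii.unhexlify(token)).hexdigest()


def token_key(token: str) -> str:
    """Prefix stored in clear so a presented token can be looked up."""
    return token[:TOKEN_KEY_LENGTH]


def compute_expiry(ttl_seconds: Optional[int],
                   now: Optional[datetime] = None) -> Optional[datetime]:
    """None means a non-expiring token (the 'system operations' use case)."""
    if ttl_seconds is None:
        return None
    now = now or datetime.now(timezone.utc)
    return now + timedelta(seconds=ttl_seconds)


@dataclass
class AuthTokenRow:
    user: str
    token_key: str
    digest: str
    expiry: Optional[datetime]


@dataclass
class TokenStore:
    """In-memory stand-in for the AuthToken table (constructed for the example)."""
    rows: list = field(default_factory=list)

    def create(self, user: str, ttl_seconds: Optional[int] = DEFAULT_TTL_SECONDS):
        """Manager-style create(): builds the row from the shared helpers."""
        token = generate_token()
        row = AuthTokenRow(user, token_key(token), hash_token(token),
                           compute_expiry(ttl_seconds))
        self.rows.append(row)
        return row, token

    def admin_form_save(self, user: str, expiry: Optional[datetime] = None):
        """Admin-form-style save(): the form constructs the object itself,
        so it reuses the same helpers instead of the manager. The plaintext
        token is returned once so it can be shown to the admin (the PR uses
        the messages framework for that)."""
        token = generate_token()
        row = AuthTokenRow(user, token_key(token), hash_token(token), expiry)
        self.rows.append(row)
        return row, token

    def plant_via_admin(self, user: str, chosen_token: str) -> AuthTokenRow:
        """What the discussion describes: an admin user types token_key and a
        hand-computed digest for a token of their own choosing into the
        existing 'Add AuthToken' form. No secret is needed to do this."""
        row = AuthTokenRow(user, token_key(chosen_token),
                           hash_token(chosen_token), None)
        self.rows.append(row)
        return row

    def authenticate(self, presented: str,
                     now: Optional[datetime] = None) -> Optional[str]:
        """Look up by token_key, reject expired rows, then compare digests
        in constant time. Returns the user name or None."""
        now = now or datetime.now(timezone.utc)
        key = token_key(presented)
        for row in self.rows:
            if row.token_key != key:
                continue
            if row.expiry is not None and row.expiry <= now:
                continue
            if secrets.compare_digest(row.digest, hash_token(presented)):
                return row.user
        return None
```

Running `TokenStore().plant_via_admin("alice", "ab" * 32)` followed by `authenticate("ab" * 32)` returns "alice", which is the forging path the reply describes; the same store also shows that `create()` and `admin_form_save()` produce interchangeable rows once the token/digest/expiry logic lives outside the manager.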