#310 Store api token with user data

x.y
open
nobody
None
2022-12-19
2022-12-19
No

Have an api token/key field in the users table. Visible as plain text in the edit user page? Store as is, encrypt, or hash?
Have a Generate button beneath it to generate a new token. Also have a Revoke button to clear any existing token. Then remove the login api endpoint? Will allow revoking of individual tokens.
In the diff helper, clear the contents if the field name contains "token", or "apitoken"?

Allow having several tokens? e.g. up to 3? Allow setting expiry dates for individual tokens?

Or only display the token once on generation and ask the admin to copy it, so that it isn't stored in the database?

Prefix the token with some identifier so that art can identify/differentiate the token as an art token?
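The options above (prefixed token, shown once, only a hash stored, per-user limit, expiry, per-token revoke) fit together as below. This is an added illustration, not code from the art project; the `art_` prefix, the in-memory table and the function names are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical prefix marking a token as an art token (an assumption, not the project's format).
TOKEN_PREFIX = "art_"
MAX_TOKENS_PER_USER = 3  # the "up to 3" limit floated above

# Constructed in-memory stand-in for the token table. The key is the SHA-256 of the token:
# a high-entropy random token needs no salt, so its hash is deterministic and can be indexed
# and looked up directly, which is what makes "store only the hash" practical.
token_table: dict = {}  # hash -> {"user": str, "expires": Optional[datetime]}

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def generate_token(user: str, days_valid: Optional[int] = None,
                   now: Optional[datetime] = None) -> str:
    """Create a token, persist only its hash and expiry, and return the plaintext once."""
    now = now or datetime.now(timezone.utc)
    if sum(1 for r in token_table.values() if r["user"] == user) >= MAX_TOKENS_PER_USER:
        raise ValueError("token limit reached; revoke one first")
    token = TOKEN_PREFIX + secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    expires = now + timedelta(days=days_valid) if days_valid is not None else None
    token_table[_digest(token)] = {"user": user, "expires": expires}
    return token  # shown to the admin once; it cannot be recovered from the table later

def verify_token(token: str, now: Optional[datetime] = None) -> Optional[str]:
    """Return the owning user for a known, unexpired token, else None."""
    now = now or datetime.now(timezone.utc)
    if not token.startswith(TOKEN_PREFIX):
        return None  # cheap rejection of values that are not art tokens at all
    rec = token_table.get(_digest(token))
    if rec is None:
        return None
    if rec["expires"] is not None and now >= rec["expires"]:
        return None
    return rec["user"]

def revoke_token(token: str) -> bool:
    """Revoke a single token; True if it existed. The user's other tokens keep working."""
    return token_table.pop(_digest(token), None) is not None

def revoke_all(user: str) -> int:
    """Revoke every token of a user (the Revoke button); returns how many were cleared."""
    doomed = [h for h, r in token_table.items() if r["user"] == user]
    for h in doomed:
        del token_table[h]
    return len(doomed)
```

Because only the digest is persisted, the edit-user page and the diff helper never see a live token, and a leaked database copy does not yield usable credentials.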

Resources
https://blog.mergify.com/api-keys-best-practice/
https://ramesh-lingappan.medium.com/best-practices-for-building-api-keys-97c26eabfea9
https://support.google.com/googleapi/answer/6310037?hl=en
https://www.freecodecamp.org/news/how-to-securely-store-api-keys-4ff3ea19ebda/
https://www.doppler.com/
https://sd18spring.github.io/notes/storing-api-keys

Discussion

  • Timothy Anyona

    Timothy Anyona - 2022-12-19
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,3 +1,5 @@
     Have api token/key field in the users table. Visible as plain text in edit user page? Store as is? or encrypt? of hash?
     Have Generate button beneath to generate a new token. Also have Revoke button to clear any existing token. Then remove login api endpoint? Will allow revoking of individual tokens.
     In diff helper, clear contents if field contains "token". or "apitoken"?
    +
    +Allow having several tokens? e.g. up to 3? Allow setting expiry dates for individual tokens?
    
     
  • Timothy Anyona

    Timothy Anyona - 2022-12-19
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -3,3 +3,7 @@
     In diff helper, clear contents if field contains "token". or "apitoken"?
    
     Allow having several tokens? e.g. up to 3? Allow setting expiry dates for individual tokens?
    +
    +Or only display the token once on generation and ask the admin to copy it. So that you don't store it in the database?
    +
    +Prefix the token with some identifier for art to identify/differentiate the token as an art token?
    
     
  • Timothy Anyona

    Timothy Anyona - 2022-12-19
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -7,3 +7,11 @@
     Or only display the token once on generation and ask the admin to copy it. So that you don't store it in the database?
    
     Prefix the token with some identifier for art to identify/differentiate the token as an art token?
    +
    +Resources
    +https://blog.mergify.com/api-keys-best-practice/
    +https://ramesh-lingappan.medium.com/best-practices-for-building-api-keys-97c26eabfea9
    +https://support.google.com/googleapi/answer/6310037?hl=en
    +https://www.freecodecamp.org/news/how-to-securely-store-api-keys-4ff3ea19ebda/
    +https://www.doppler.com/
    +https://sd18spring.github.io/notes/storing-api-keys
    
     
