Add caveats to macaroons for expiration (time) and version

[alex]

What's the problem this feature will solve?

This will allow further attenuating the permissions granted by an API key

Describe the solution you'd like

Addition of two addition types of caveat, project version (for uploads) and time (expiry).

[brainwane]

This is a fine idea to add onto future work for #994 -- thank you! I believe it's out of scope for our current funding for security improvements to PyPI, sorry to say.

[woodruffw]

Another potentially useful caveat would be IP address/range, for future consideration.

[woodruffw]

@rcipkins is going to take a stab at this!

[brainwane]

@rcipkins -- how is this going?

[rachelcipkins]

@brainwane I am almost finished, I just need to fix a couple things and add tests!

[brainwane]

@rcipkins - Great to hear!

It's a good idea to push your branch to your GitHub fork and start a "work in progress" ("WIP") pull request. That way:

• in case your computer breaks or is lost/stolen, you haven't lost your progress
• other people can easily see that you're working on the issue, and avoid accidentally duplicating your effort
• it's easy to ask "am I on the right track?" questions about your general architectural approach, before spending time polishing stuff and fixing tests

To do this, push your branch to your fork, and create a pull request where the start of the PR title is "(WIP)".

Looking forward to seeing it!

[rachelcipkins]

Done! Thank you so much!

[woodruffw]

NB: This is addressed by #11122.

(We'll need separate UI work to make that caveat useable with user-minted macaroons, but that PR will add all of the backend logic needed.)