
API token default scope: user or project? #6266

Closed
brainwane opened this issue Jul 26, 2019 · 2 comments · Fixed by #6274
Labels: tokens (Issues relating to API tokens); UX/UI (design, user experience, user interface)

Comments
@brainwane (Contributor) commented:

Followup to #994:

@brettcannon asks:

@ewdurbin said: By default, newly created tokens will have “user” scope, meaning that they’ll behave exactly like your password.

Are there plans to change this default so that using such a strong token is not the default so that people have to opt into it? (I’m no security expert so this is more inquisitive.)

As far as I know there are no such plans but I'd like @woodruffw and @nlhkabu to weigh in.

brainwane added the "UX/UI" (design, user experience, user interface) and "needs discussion" (a product management/policy issue maintainers and users should discuss) labels on Jul 26, 2019.

@woodruffw (Member) commented:

An idea: We could add some additional UI on creation of a user-scoped token, warning the user that their new token will have access to all of their projects. This would allow us to retain it as a default (which I think is sensible, at least insofar as it doesn't make sense to choose a random project from the user's list as a default) while also making the security properties clear.

@nlhkabu (Contributor) commented Jul 27, 2019:

As per #6274, we are going to address this by:

  • Forcing users to explicitly select the token scope
  • Showing a "warning" message if "entire account" scope is selected

nlhkabu removed the "needs discussion" (a product management/policy issue maintainers and users should discuss) label on Jul 27, 2019.
nlhkabu added this to the "OTF Security work" milestone on Jul 27, 2019.
di added the "tokens" (Issues relating to API tokens) label on Jul 29, 2019.
di closed this as completed in #6274 on Jul 29, 2019.