Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      story #12266 use an API key rather than a login / password
    Actions
    Summary
    API consumer
    use an API key rather than a login / password

    I don't have to write down my password in a file

    Functional overview

    As a user

    in my preferences, I have a section "API Keys" where I can

    • Generate a new key with a description

    This key will be a random string and is displayed only once at generation.

    Bellow the key generation I have a table that lists all the keys already generated with their description, creation date, last used date and last used IP address + action to revoke (delete) key.

    API key is made with prefixed with 'tlp-k1-' for audit purpose.

    A key can only be used for REST accesses.

    As a REST api user

    I can use the generated API key in my REST call headers:

    curl -H 'X-Auth-AccessKey: stuff' https://tuleap.example.com/...

    When using API Key there is no need to generate a token to access the REST API.

    While tokens remains accessible, the documentation of the route and the documentation of Tuleap is updated to inform people about API keys being the prefered way to access the API.

    Technical overview

    Ensure that 'last_access_date' for corresponding user is properly updated when using API key instead of tokens

    Empty
    axel.bodoignet@st.com, Nouha Terzi (terzino), Denis PILAT (denis_pilat)
    Status
    Empty
    Done
    Development
    • [ ] Does it involves User Interface? 
    • [ ] Are there any mockups?
    • [ ] Are permissions checked?
    • [ ] Does it need Javascript development?
    • [ ] Does it need a forge upgrade bucket?
    • [ ] Does it need to execute things in system events?
    • [ ] Does it impact project creation (templates)?
    • [ ] Is it exploratory?
    Empty
    Details
    #12266
    Manuel Vacelet (vaceletm)
    2018-10-05 15:31
    2018-09-13 14:16
    4309

    References
    Artifact links
    Empty
    Referencing story #12266

    Artifact Tracker v5

    rel #12154 10.6
    story #14023 access Git repositories with a personal access key

    Git commit

    tuleap/tuleap/stable

    API access keys can be generated 593b767469
    User avatar Thomas Gerbet (tgerbet) , 2018-09-25 12:14
    Use the namespace Tuleap\User everywhere 2b8c079d96
    User avatar Thomas Gerbet (tgerbet) , 2018-09-25 16:27
    Generated access keys are saved in the database d2818bac07
    User avatar Thomas Gerbet (tgerbet) , 2018-09-26 12:26
    Generated access keys are displayed in the user's account page 427e4b98ee
    User avatar Thomas Gerbet (tgerbet) , 2018-09-27 12:22
    A user can revoke its own access keys a993b433fa
    User avatar Thomas Gerbet (tgerbet) , 2018-09-27 18:01
    Move the last file under src/common/user/ to src/common/User/ 62d27fcf03
    User avatar Thomas Gerbet (tgerbet) , 2018-09-27 19:52
    Notify the user when a new access key is created for his account c4910ece9b
    User avatar Thomas Gerbet (tgerbet) , 2018-09-28 12:01
    Access keys can be used to access the REST API as an authenticated user c19f7b9807
    User avatar Thomas Gerbet (tgerbet) , 2018-10-01 11:17
    Update last access date of an access key according to the last_access_resolution setting 23ec72f7e4
    User avatar Thomas Gerbet (tgerbet) , 2018-10-01 18:35
    Use sodium_(bin2hex|hex2bin) instead of paragonie/constant_time_encoding 1bebce0f8c
    User avatar Thomas Gerbet (tgerbet) , 2018-10-02 09:03
    Mark the REST token routes as deprecated 08ba1bedce
    User avatar Thomas Gerbet (tgerbet) , 2018-10-02 14:02
    Add REST tests to cover access keys authentication aebf5af2ce
    User avatar Thomas Gerbet (tgerbet) , 2018-10-03 16:10
    Access keys REST tests are played without depending on a user ID constant 5299e97732
    User avatar Thomas Gerbet (tgerbet) , 2018-10-05 14:38
    task #12266: Handle executions without category 22b825ee82
    User avatar Benjamin Dauton (bdauton_enalean) , 2014-08-21 10:43
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2018-10-03 09:03
    Marking the story has done, all the acceptance criteria has been covered.
    • Status changed from On going to Done
    User avatar
    Thomas Gerbet (tgerbet)2018-09-28 11:21
    Updating the name of header to match used everywhere else for this feature.
    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Manuel Vacelet (vaceletm)2018-09-14 10:39

    APIkey + token is overkill and brings no security gain so API key be used instead of token
     

    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • CC list set to Denis PILAT (denis_pilat), Nouha Terzi (terzino), axel.bodoignet@st.com
    User avatar
    Thomas Gerbet (tgerbet)2018-09-13 14:37
    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Manuel Vacelet (vaceletm)2018-09-13 14:17
    • So that
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes