API tokens with expiration date #23859
API tokens can now get an optional expiration date. Added a select drop-down from which you can choose from predefined durations, a custom date (max 1 year) and no expiration. The expiration date is shown in the list. Non-expiring tokens are marked with a warning. Fixes jenkinsci#16695
The SetupWizard allows generating an API token. Should that automatically be an expiring token, maybe?
How do you generate one in the setup wizard?
core/src/main/resources/jenkins/security/ApiTokenProperty/config.properties
Would it be possible/desirable to have even shorter periods, like 1 hour? I'm thinking about tokens that could be used for short-lived jobs.
| this.isLegacy = token.isLegacy(); | ||
| LocalDate expirationDate = token.getExpirationDate(); | ||
| if (expirationDate == null) { | ||
| this.expirationDate = "never"; |
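Review bot: the `"never"` fallback at `this.expirationDate = "never"` is a hard-coded English literal stored in the same field as the locale-formatted date, so once the date is localized (the thread says the locale formatting is now done in Java) non-expiring tokens show a mixed-language value in the list. Take the string from the `config.properties` resource bundle this PR already edits, and consider also exposing the raw date (or null) separately so the client does not have to string-compare against "never".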
That would be a breaking change, maybe for later, but how about having a short-lived token generated by default instead of an eternal one, to prevent mistakes and to ensure eternal token creation is a conscious and deliberate choice?
(EDIT: The line I put this comment on isn't the proper one, sorry)
In the UI the default is set to 30 days.
What is the default expiration? Is it "never" or some sane time like 1 month?
You can set a system property; then it generates an API token or uses a given one. See
Technically possible, though not sure how much sense this makes. How do you get to this token? You would need to use your password in some way, or another token. And by default I think even the SYSTEM account is not able to generate a new token for a user.
In the UI I set the default to 30 days. Notifications make sense. Maybe I can add some badge to the user icon in the header to inform about expiring tokens.
Could be an extension point, but probably not worth it? Those emails just annoy me: I've intentionally set it short for a one-off / temporary thing, don't bug me about it.
When you have tokens that run for several months, some kind of notification besides an icon might be useful. I see the main purpose of the expiring tokens when a user wants to do some experiments. For automation purposes I would anyway assume that those are usually technical users, where an email address might not be available and where hardly anyone logs on in the Jenkins UI. So they will probably stick to non-expiring tokens.
Should expired tokens be automatically removed? Instantly, after a week, configurable, or never?
I would leave them; most systems I can think of leave them around.
The date picker is the browser built-in one, so I'm not able to change that.
That looks better.
Can you convert from LocalDate to Date, then use it?
I actually do the locale formatting already in Java now. And working with the
make the creation date a tooltip of the expiration
Do we need some kind of admin monitor for tokens that are about to expire or have expired? That might be useful when API tokens with an expiration date are set for technical users, where usually nobody logs in via the UI.
I don't think so. Not for user tokens. Some systems have the concept of system or resource owner tokens, where ownership isn't by an individual, so that when someone leaves they don't break, and it might make sense there, but I don't think it makes sense at an individual level. Maybe there could be a page listing API tokens and their statuses. An admin monitor shouldn't be for a normal everyday activity like expiring tokens, though.
Looking great - a couple of points:
| dateInput.min = now.toISOString().split("T")[0]; | ||
| dateInput.max = nextYear.toISOString().split("T")[0]; | ||
| dateInput.value = presetDate.toISOString().split("T")[0]; | ||
| form.appendChild(formTemplate); |
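Review bot: `now.toISOString().split("T")[0]` yields the UTC calendar date, not the user's local one, so near midnight `min` (and likewise `max` and the `presetDate` value) can be off by a day in either direction: a user west of UTC in the evening cannot pick today, and a user east of UTC shortly after midnight gets a `min` of yesterday, i.e. a past date the picker happily accepts. Build the yyyy-mm-dd string from the local `getFullYear()`, `getMonth() + 1` and `getDate()` instead. This stays cosmetic as long as the server re-validates the submitted date, which the thread agrees it must.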
Not sure if worth fixing, but when a new API token is added to the list it is always added to the bottom,
but when you refresh the page the tokens are sorted alphabetically.
Bit strange that they jump around.
That hasn't changed. It was like that before.
core/src/main/resources/jenkins/security/ApiTokenProperty/config.properties
| <option value="never">No Expiration</option> | ||
| </select> | ||
| </div> | ||
| <input type="date" name="tokenExpiration" class="jenkins-hidden jenkins-input token-expiration-date"/> |
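Review bot: `jenkins-hidden` only hides the `tokenExpiration` input visually; a CSS-hidden control is still submitted with the form (only `disabled` keeps a control out of the form data), so when a preset such as `value="never"` is selected the server still receives whatever date the hidden input last held. The handler should key off the select value and ignore `tokenExpiration` unless the custom-date option is chosen, rather than relying on the hidden field being empty.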
I programmatically set min and max in JavaScript. This is properly applied in the picker, but it doesn't prevent you from manually changing the date to something in the past directly in the input field.
I can add validation in Java.
Interestingly, in Chrome when you select the year and then use the arrow up/down buttons, it respects the limits from min and max. Firefox does not.
It only respects the year, weirdly, with the up and down buttons. I tested by adjusting the month to later in the year, and I can adjust the day and month into the past, and just type a date in the past too.
Good enough, I guess, unless we want to add client-side validation too.
Don't add a token when choosing a date in the past; directly warn after creation when about to expire.
janfaracik
left a comment
Thanks for the changes :) LGTM.
timja
left a comment
Re-tested, changes look good.
/label ready-for-merge
This PR is now ready for merge, after ~24 hours, we will merge it if there's no negative feedback.
Thanks!
* API tokens with expiration
  API tokens can now get an optional expiration date. Added a select drop down from where you can choose from predefined durations, a custom date (max 1 year) and no expiration. Expiration date is shown in the list. Not expiring tokens are marked with warning. fixes jenkinsci#16695
* revert changes in SetupWizard
* fix linter
* fix ordering
* show when token expired
* notify on expiring and expired tokens
* format
* 2 lines only
* make the creation date a tooltip of the expiration
* feedback
* feedback 2
  don't add token when choosing date in the past
  directly warn after creation when about to expire
* prettier

Co-authored-by: Tim Jacomb <timjacomb1@gmail.com>

API tokens can now get an optional expiration date. Added a select drop-down from which you can choose from predefined durations (default is 30 days), a custom date (max 1 year in the selector of the date input field) and no expiration. The expiration date is shown in the list. Non-expiring tokens and tokens that expire in less than 7 days are marked with a warning; expired tokens are marked with an error.
The side panel on the user page now has a badge on the security action when there are tokens that have expired or are about to expire. In the header the user avatar has a badge, and there is a badge in the dropdown.
Fixes #16695

Testing done
Interactive testing for the UI part
Added tests for the scripting part, ensuring that expired tokens are not accepted
Proposed changelog entries
Proposed changelog category
/label rfe
Proposed upgrade guidelines
N/A
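As an added example (not code from this PR or from Jenkins core), here is how the server-side rules that the review thread and the description above arrive at can be enforced in one place: the browser's min/max on the date input is advisory only, so the submitted date is re-validated on the server (in the future, at most one year out, or "never"); tokens are classified for the list badges (warning for never-expiring and for less than 7 days left, error for expired); and expired tokens are refused at use. The class, method and enum names are hypothetical, and treating the expiry date itself as already expired is this example's assumption; the PR text does not say which side of the boundary it uses.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.LocalDate;
import java.time.Period;
import java.time.ZoneOffset;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoUnit;
import java.util.Optional;

/** Hypothetical stand-in for the expiration handling discussed in the PR; not Jenkins code. */
public final class TokenExpirationPolicy {

    /** Upper bound quoted in the PR description ("max 1 year"). */
    static final Period MAX_LIFETIME = Period.ofYears(1);
    /** Threshold below which the PR shows a warning ("expire in less than 7 days"). */
    static final int WARN_DAYS = 7;

    public enum Status { NEVER_EXPIRES, EXPIRED, EXPIRING_SOON, OK }

    private final Clock clock;

    /** Clock is injected so the rules can be tested at a fixed "today". */
    public TokenExpirationPolicy(Clock clock) {
        this.clock = clock;
    }

    /**
     * Server-side check of the expiration a client asked for. The min/max set on the
     * date input is advisory: the thread shows a user can type any date, and a scripted
     * client never sees the form at all. Returns empty for "no expiration".
     */
    public Optional<LocalDate> validateRequested(String raw) {
        if (raw == null || raw.isBlank() || raw.trim().equals("never")) {
            return Optional.empty();
        }
        LocalDate today = LocalDate.now(clock);
        LocalDate requested;
        try {
            requested = LocalDate.parse(raw.trim()); // ISO yyyy-MM-dd, what <input type="date"> submits
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException("expiration must be an ISO date (yyyy-MM-dd): " + raw);
        }
        // Assumption of this example: the expiry day itself counts as expired, so "today" is rejected too.
        if (!requested.isAfter(today)) {
            throw new IllegalArgumentException("expiration must be in the future: " + requested);
        }
        if (requested.isAfter(today.plus(MAX_LIFETIME))) {
            throw new IllegalArgumentException("expiration may be at most one year out: " + requested);
        }
        return Optional.of(requested);
    }

    /** Classification behind the list badges: warning for never/soon, error for expired. */
    public Status statusOf(LocalDate expirationDate) {
        if (expirationDate == null) {
            return Status.NEVER_EXPIRES;
        }
        LocalDate today = LocalDate.now(clock);
        if (!expirationDate.isAfter(today)) {
            return Status.EXPIRED;
        }
        long daysLeft = ChronoUnit.DAYS.between(today, expirationDate);
        return daysLeft < WARN_DAYS ? Status.EXPIRING_SOON : Status.OK;
    }

    /** The authentication-time gate: an expired token must fail even if its secret matches. */
    public boolean isUsable(LocalDate expirationDate) {
        return statusOf(expirationDate) != Status.EXPIRED;
    }

    public static void main(String[] args) {
        // Fixed "today" so the demonstration is reproducible.
        Clock fixed = Clock.fixed(Instant.parse("2024-06-01T12:00:00Z"), ZoneOffset.UTC);
        TokenExpirationPolicy policy = new TokenExpirationPolicy(fixed);

        System.out.println("custom date -> " + policy.validateRequested("2024-07-01"));
        System.out.println("no expiry   -> " + policy.validateRequested("never"));
        System.out.println("4 days left -> " + policy.statusOf(LocalDate.parse("2024-06-05")));
        System.out.println("yesterday   -> usable=" + policy.isUsable(LocalDate.parse("2024-05-31")));
        try {
            policy.validateRequested("2024-05-01"); // a past date typed into the input despite min
        } catch (IllegalArgumentException e) {
            System.out.println("rejected    -> " + e.getMessage());
        }
    }
}
```

The point of keeping `validateRequested`, `statusOf` and `isUsable` on one clock is that the "warning in less than 7 days" badge, the creation-time rejection of past dates and the authentication-time refusal all agree on what "today" means; if the form-side check and the auth-side check use different clocks or different boundary rules, a token can be shown as valid in the list and still be refused by the scripting endpoint (or the reverse).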