Open epompeii opened 11 months ago
These scoped API tokens should also be revocable. Currently, all API tokens are non-revocable.
Currently, the API tokens are tied to a user's email. This means if a user changes their email, their API tokens still appear; however, they will no longer be valid. The new API tokens should be tied to the user's UUID to avoid this issue.
However, for testing purposes, we will still want to be able to have an API token that is set to the user's email and not their UUID.
Consider using API keys instead of API tokens. The difference being that an API key is just a simple identifier, which will fit better with the prefixed IDs. For example: `key_abcd1234`
Right now tokens are unscoped. Add scoped tokens and also make them only available at the time of creation.
The Pareto solution to this would be having a single toggle that is just for CI (and likely make this selected by default). This would only allow for any GET queries and POST for all dimensions (Branches, Testbeds, Benchmarks, and Measures) and Reports. That is the minimum set of permissions required to run in CI.
It's likely anything past that would only make sense down the road as a Plus feature.
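The token design sketched in this issue, modelled as an added Rust example: a prefixed key identifier, a subject bound to the user's UUID rather than their email, permanent revocation, and a CI scope that permits any GET plus POST on the four dimensions and Reports. This is not the project's code; the `key_` prefix check, the resource list, and every type and function name are assumptions made for illustration.

```rust
// Added example (not the project's code): a minimal model of the scoped,
// revocable, UUID-bound API tokens proposed in the issue. The `key_` prefix,
// the resource list and all names are assumptions for illustration.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Method { Get, Post, Put, Patch, Delete }

/// Branches, Testbeds, Benchmarks and Measures are the "dimensions" named in
/// the issue; Reports is the CI payload; Projects and Tokens stand in for
/// everything else a CI token must not be able to create or modify.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Resource { Branches, Testbeds, Benchmarks, Measures, Reports, Projects, Tokens }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Scope {
    /// Legacy unscoped token: every method on every resource.
    Full,
    /// The proposed default CI toggle: any GET, plus POST on the four
    /// dimensions and Reports. Nothing else.
    Ci,
}

impl Scope {
    pub fn permits(self, method: Method, resource: Resource) -> bool {
        match self {
            Scope::Full => true,
            Scope::Ci => match method {
                Method::Get => true,
                Method::Post => matches!(
                    resource,
                    Resource::Branches | Resource::Testbeds | Resource::Benchmarks
                        | Resource::Measures | Resource::Reports
                ),
                _ => false,
            },
        }
    }
}

#[derive(Clone, Debug)]
pub struct ApiToken {
    /// Prefixed public identifier such as `key_abcd1234`.
    pub id: String,
    /// Bound to the user's UUID so an email change leaves the token valid.
    pub user_uuid: String,
    pub scope: Scope,
    pub revoked: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denied { UnknownToken, Revoked, OutOfScope }

#[derive(Default)]
pub struct TokenStore { tokens: HashMap<String, ApiToken> }

impl TokenStore {
    pub fn new() -> Self { Self::default() }

    /// Issue a token. Rejects identifiers without the assumed `key_` prefix
    /// and duplicate identifiers.
    pub fn issue(&mut self, id: &str, user_uuid: &str, scope: Scope) -> Result<(), String> {
        if !id.starts_with("key_") || id.len() <= "key_".len() {
            return Err(format!("invalid token id: {}", id));
        }
        if self.tokens.contains_key(id) {
            return Err(format!("duplicate token id: {}", id));
        }
        let token = ApiToken { id: id.to_owned(), user_uuid: user_uuid.to_owned(), scope, revoked: false };
        self.tokens.insert(id.to_owned(), token);
        Ok(())
    }

    /// Revoke a token. Revocation is permanent; returns false if unknown.
    pub fn revoke(&mut self, id: &str) -> bool {
        match self.tokens.get_mut(id) {
            Some(t) => { t.revoked = true; true }
            None => false,
        }
    }

    /// Authorize a request; on success returns the owning user's UUID.
    /// Checks run in order: existence, revocation, then scope.
    pub fn authorize(&self, id: &str, method: Method, resource: Resource) -> Result<&str, Denied> {
        let token = self.tokens.get(id).ok_or(Denied::UnknownToken)?;
        if token.revoked { return Err(Denied::Revoked); }
        if !token.scope.permits(method, resource) { return Err(Denied::OutOfScope); }
        Ok(token.user_uuid.as_str())
    }
}

fn main() {
    // Constructed sample data: a made-up key id and a made-up user UUID.
    let mut store = TokenStore::new();
    store.issue("key_abcd1234", "6c3d0a1e-9b4f-4b1a-8c2d-1f0e2d3c4b5a", Scope::Ci).unwrap();
    println!("{:?}", store.authorize("key_abcd1234", Method::Post, Resource::Reports));
    println!("{:?}", store.authorize("key_abcd1234", Method::Delete, Resource::Reports));
    store.revoke("key_abcd1234");
    println!("{:?}", store.authorize("key_abcd1234", Method::Get, Resource::Reports));
}
```

The ordering in `authorize` matters: revocation is checked before scope so a revoked token is rejected the same way regardless of what it asks for, and the returned value is the UUID the request acts on behalf of, never the email, so renaming a user's email never invalidates or re-binds a token.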