Is your feature request related to a problem? Please describe.
Yes! :)
Our security team has identified a risk where users could unintentionally submit their API keys on GitHub and other platforms. This would expose the system to serious vulnerabilities, particularly if the user holds high privileges, potentially compromising security for an indefinite period.
Describe the solution you'd like
Introduce functionality within Invenio to enhance API key security by:
Expiration Date: Allow users to set an expiration date when creating API keys, similar to the share link feature introduced in v12.
Revocation Options: Provide both users and administrators the ability to revoke API keys as needed.
These features should be accessible from both user and admin interfaces to assert comprehensive control over API key management.
Describe alternatives you've considered
Manual Monitoring: Relying on manual monitoring of API key usage to detect and revoke compromised keys. However, this approach is reactive and inefficient.
Short-Lived Tokens: Implementing short-lived tokens that require frequent renewal. While this increases security, it may negatively impact user experience due to the need for constant updates.
Additional context
During a recent meeting with the security team, it was highlighted that the accidental exposure of API keys poses a severe risk to our system's integrity. Implementing expiration and revocation features will significantly mitigate this risk by ensuring that compromised keys cannot be used indefinitely. Additionally, providing these options at both user and admin levels will enhance our overall security posture and provide flexibility in managing API access.
Related Issues:
https://github.com/inveniosoftware/invenio-oauth2server/issues/53
https://github.com/inveniosoftware/invenio-oauth2server/issues/186
Proposed Features:
Expiration Date Setting:
Allow end users to specify an expiration date when generating a new API key.
Display the expiration date prominently in the API key management interface.
Validity Period Limits:
Implement default validity periods for API keys (e.g., 30 days, 90 days).
Allow administrators to set global policies for API key validity durations.
Revocation Mechanism:
Audit Logging:
Benefits:
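As an added illustration (not code from this issue or from invenio-oauth2server), the following Python sketch models how the proposed controls fit together: a user-chosen lifetime that falls back to an admin default and is capped by an admin maximum, revocation by owner or administrator, an audit trail, and a single check that rejects unknown, revoked or expired keys. The names (LifetimePolicy, KeyStore, the 30/90-day values, the in-memory store) and the fixed clock are assumptions made for the example, not Invenio's actual data model.

```python
# Added illustration, not invenio-oauth2server code: a minimal model of the
# expiry, validity-policy and revocation checks the feature request asks for.
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class LifetimePolicy:
    """Hypothetical admin-set global policy for API key lifetimes."""
    default: timedelta = timedelta(days=30)   # used when the user picks none
    maximum: timedelta = timedelta(days=90)   # hard ceiling on the user's choice


@dataclass
class ApiKey:
    """Stored record. Only a SHA-256 hash of the secret is kept, so a leaked
    database does not leak usable keys; the plaintext is returned once."""
    token_hash: str
    owner: str
    created_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None


class KeyStore:
    """In-memory stand-in (assumed) for the key table plus an audit log."""

    def __init__(self, policy: LifetimePolicy) -> None:
        self.policy = policy
        self.keys: dict[str, ApiKey] = {}
        self.audit: list[str] = []

    @staticmethod
    def hash_token(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, owner: str, requested: Optional[timedelta] = None,
              now: Optional[datetime] = None) -> tuple[str, ApiKey]:
        now = now or datetime.now(timezone.utc)
        lifetime = requested or self.policy.default
        if lifetime > self.policy.maximum:
            # Admin policy wins over the user's request; record that it did.
            self.audit.append(f"{now.isoformat()} CLAMP owner={owner} "
                              f"requested={lifetime} max={self.policy.maximum}")
            lifetime = self.policy.maximum
        token = secrets.token_urlsafe(32)
        key = ApiKey(self.hash_token(token), owner, now, now + lifetime)
        self.keys[key.token_hash] = key
        self.audit.append(f"{now.isoformat()} ISSUE owner={owner} "
                          f"expires={key.expires_at.isoformat()}")
        return token, key

    def revoke(self, token_hash: str, actor: str,
               now: Optional[datetime] = None) -> bool:
        """Revocation by the owner or an admin; idempotent, returns True once."""
        now = now or datetime.now(timezone.utc)
        key = self.keys.get(token_hash)
        if key is None or key.revoked_at is not None:
            return False
        key.revoked_at = now
        self.audit.append(f"{now.isoformat()} REVOKE owner={key.owner} by={actor}")
        return True

    def check(self, token: str, now: Optional[datetime] = None) -> str:
        """Returns 'ok' or the reason the key must be rejected. Revocation is
        tested before expiry so a revoked-then-expired key reports 'revoked'."""
        now = now or datetime.now(timezone.utc)
        key = self.keys.get(self.hash_token(token))
        if key is None:
            return "unknown"
        if key.revoked_at is not None:
            return "revoked"
        if now >= key.expires_at:
            return "expired"
        return "ok"


# Constructed fixed clock so the walk-through below is deterministic.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)


def demo() -> dict:
    """Walk through issue, use, expiry, policy clamping and revocation."""
    store = KeyStore(LifetimePolicy())
    token, key = store.issue("alice", now=T0)                          # default 30 d
    _, long_key = store.issue("bob", timedelta(days=365), now=T0)      # clamped to 90 d
    results = {
        "fresh": store.check(token, now=T0 + timedelta(days=1)),
        "expired": store.check(token, now=T0 + timedelta(days=30)),
        "clamped_days": (long_key.expires_at - T0).days,
        "unknown": store.check("not-a-real-token", now=T0),
        "revoked_first": store.revoke(key.token_hash, "admin", now=T0 + timedelta(days=2)),
        "revoked_again": store.revoke(key.token_hash, "admin", now=T0 + timedelta(days=2)),
    }
    results["after_revoke"] = store.check(token, now=T0 + timedelta(days=3))
    results["audit_events"] = [line.split()[1] for line in store.audit]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check is deliberately ordered so that a key which was revoked and has since also expired is reported as revoked, which is the more useful signal in an incident: it tells the operator that someone acted on the leak rather than that the key merely aged out.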