[FR] Multiple tokens and scopes for API access per user

[matmair]

Problem We currently do not support access scopes (see Github) for tokens and only one token per user.

Suggested solution Tying a token to a user is fine, you just should never show the token again after initial creation. Also, tokens give users no option to make restrictions for tokens so there must be 100% trust in the device and app a token gets added to.

Needed:

• [ ] multiple tokens per user
• [ ] maschine identifiable token format (GH token format -> detection through GitHub sec team)
• [ ] scopes per token
• [ ] new flows that never exposes a token to an API or UI after creation
• [ ] token creation endpoint
• [ ] scope endpoint needs to be checked

Describe alternatives you've considered The current solution with very limited app selection by core contributors should be fine.

Examples of other systems Github, Gitlab, Nextcloud

Do you want to develop this? Yes

[SchrodingersGat]

@matmair very good point.

The mobile app will need to be updated too, it makes use of the persistent tokens

[matmair]

@SchrodingersGat the flow should not change too much. I have never used the app but I think it should be fine. In a further step, a modern web-based auth workflow would be great.

• a webview popup to the inventree instance opens
• the user logs in (with basic auth, SSO, MFA or whatever)
• grants the app all needed privileges
• the webview closes and returns the app token to the token

This is how OAuth flows handle auth. I like it because it is very seamless to the user, the app never gets credentials and new auth methods/flows are only implemented in web. When requirements change the token gets revoked and the app just calls up the auth flow again. thoughts @SchrodingersGat ?

[rkalman]

Please also consider using WebAuthn for authentication, as it is supported by most browsers. It will open possibilities like using hardware security keys and touch/face id. Quick guide: https://webauthn.guide Demo: https://webauthn.io

[matmair]

@rkalman that has nothing to do with this FR, please open a separate FR if you want this implemented. WebAuthn is for interactive user authentication, this FR is about long-lived m2m/app access.

If you want to have WebAuthn, fido2 or u2f you will have to implement/sponsor it as I personally looked into it and find the hassle of implementing it securely not worth the time with TOTP already present.

[SchrodingersGat]

Ref: https://github.com/inventree/inventree-app/issues/351

[SchrodingersGat]

This might be a good library to use: https://florimondmanca.github.io/djangorestframework-api-key/

[matmair]

Looks good

[SchrodingersGat]

One limitation of the library linked above is the tokens are not internally linked to users.

This post might be a good reference, it extends the model we are already using:

https://idiomaticprogrammers.com/post/how-to-implement-auto-expiring-token-in-django-rest-framework/

[matmair]

Looks interesting - we could use this with some simple additions. I will mark this for Hacktober and tackle it after the end of the event if no one is interested in implementing.

[SchrodingersGat]

I have a WIP underway for this :)