Closed lee-dohm closed 10 years ago
@lee-dohm just wanted to update you on this issue: First of all, this is a great suggestion, I saw that I was creating many tokens when testing but never thought of fixing it on the watson side as opposed to the user knowing to only create one.
First, I've added the ability to add a label when creating a token in 5878f1af2e7f601702dec287c72d212337c497d4 so that you can associate the tokens created by watson better.
In terms of having a central location for all the API tokens, along with 032c946b2eda07d12a47f88356526a49fde578ca, I have implemented this ability, however, have not committed the changes yet. I still need to tidy it up, test to make sure I haven't broken anything, and also apply the same thing to the other remote types (currently only implemented with GitHub).
I will hopefully have this done in the next release :)
Sounds great! :beers: One bit of clarification ...
It sounds like you have a ~/.watsonrc that then gets copied to each individual project directory. Any updates never make it back to the central configuration file. Or am I misunderstanding and OAuth tokens will only ever be stored in the central location and not read from the project-specific configuration? I think that only storing them in the central location would be best because while project-specific settings might be good to share amongst team members, OAuth tokens should not. Keeping them out of a file in the project directory would help avoid security mishaps like accidentally checking in OAuth tokens.
@lee-dohm I finally got around to pushing this out! (But still only for GitHub, thought I would get that out first since it was requested).
Originally I had the OAuth tokens stored both in the central $HOME/.watsonrc as well as locally, but your previous suggestion regarding accidentally checking in OAuth tokens was a good point so I incorporated that also.
Currently, the OAuth tokens are only stored in $HOME/.watsonrc and only the associated username for the project is stored in the local .watsonrc. The OAuth token is then retrieved from the central location and used during runtime; it is never stored in the file.
Let me know if you find any problems or have any other suggestions!
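The split described in the comment above (token only in the central file, username only in the project file), sketched as an added example that is not part of the thread and not Watson's own code. The `key = value` rc syntax, the `github_token.<user>` and `github_user` key names, and all function names are assumptions made for illustration; the token value is constructed.

```ruby
require 'tmpdir'

# Assumed rc syntax for this sketch (not Watson's real format): "key = value" lines.
def read_rc(path)
  return {} unless File.exist?(path)
  File.readlines(path, chomp: true).each_with_object({}) do |line, h|
    next if line.strip.empty? || line.start_with?('#')
    key, value = line.split('=', 2).map(&:strip)
    h[key] = value
  end
end

# Central store: one token per user (re-storing overwrites), file kept owner-only.
def store_token(central_rc, user, token)
  entries = read_rc(central_rc).merge("github_token.#{user}" => token)
  File.open(central_rc, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    entries.each { |k, v| f.puts "#{k} = #{v}" }
  end
  File.chmod(0o600, central_rc) # also tightens a file that already existed
end

# Project file records only which user the project uses, never the token.
def write_project_rc(project_rc, user)
  File.write(project_rc, "github_user = #{user}\n")
end

# Runtime lookup: username from the project file, token from the central file only.
def token_for_project(project_rc, central_rc)
  local = read_rc(project_rc)
  leaked = local.keys.grep(/token/i)
  raise "token-like keys in #{project_rc}: #{leaked.join(', ')}" unless leaked.empty?
  user = local.fetch('github_user') { raise "no github_user in #{project_rc}" }
  mode = File.stat(central_rc).mode & 0o777
  raise format('%s is mode %o, expected 600', central_rc, mode) unless (mode & 0o077).zero?
  read_rc(central_rc).fetch("github_token.#{user}") { raise "no token stored for #{user}" }
end

# Two projects for the same user resolve to the single centrally stored token.
def demo
  Dir.mktmpdir do |dir|
    central = File.join(dir, 'home.watsonrc')
    store_token(central, 'octocat', 'constructed-token-A')
    projects = %w[p1 p2].map { |p| File.join(dir, "#{p}.watsonrc") }
    projects.each { |rc| write_project_rc(rc, 'octocat') }
    projects.map { |rc| token_for_project(rc, central) }
  end
end
```

The lookup refuses a project file that contains any token-like key, so a token pasted into a shareable config fails loudly instead of being used.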
As it stands, if you have n projects on GitHub that you use Watson with, Watson will request n OAuth tokens. And since it submits only "watson" as the name, one doesn't even have the visibility into which is which if one wants to invalidate a specific token. Watson should store OAuth tokens in a central location and only store one per user: