pypi / warehouse

The Python Package Index
https://pypi.org
Apache License 2.0

Expose 'user' scoped API tokens in project security history? #6441

Open nlhkabu opened 5 years ago

nlhkabu commented 5 years ago

From https://github.com/pypa/warehouse/pull/6339#issuecomment-520879774

We currently record project:api_token:added and project:api_token:removed whenever a token with the given project in-scope is added or removed, but we don't do the same when a user-scoped token is added or removed (we only record that for the user). Adding that to the project would constitute a minor info-leak (other project owners would be able to see token creation/deletion events for potentially unrelated tokens created by other owners), but that might be an acceptable tradeoff.

Further discussion here: https://github.com/pypa/warehouse/pull/6339#discussion_r314009955

One minor issue with recording project events on a "user scoped" token's creation is that only preexisting projects will receive the creation event, while future projects will silently allow the token but not contain the corresponding event. That's not necessarily worse than the current PR behavior, just something to keep in mind. We could also generally mitigate the problem by listing associated API tokens separately somewhere in the project management view.
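The two behaviours discussed above (project events only for project-scoped tokens versus also fanning user-scoped token events out to existing projects, and the gap that a project created later never receives an event) can be modelled in a few lines. The following is an added example, not Warehouse code and not part of the thread; the names ApiToken, Project, User, record_token_added, token_can_upload, tokens_authorised_for and scenario are assumed for illustration only, as is the event-tuple shape.

```python
"""Toy model of PyPI-style API-token scopes and per-project security history.

Added example for illustration; none of these names are Warehouse's own.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ApiToken:
    token_id: str
    owner: str                      # username that minted the token
    project: Optional[str] = None   # None = "user" scope: every project the owner can upload to, now or later


@dataclass
class Project:
    name: str
    owners: set                     # usernames with upload rights on this project
    events: list = field(default_factory=list)   # project security history


@dataclass
class User:
    name: str
    events: list = field(default_factory=list)   # user security history


def token_can_upload(token: ApiToken, project: Project) -> bool:
    """A token is usable for a project if its owner has rights there and the scope matches."""
    if token.owner not in project.owners:
        return False
    return token.project is None or token.project == project.name


def record_token_added(token: ApiToken, user: User, projects: dict,
                       expose_user_scoped: bool = False) -> None:
    """Record 'api_token:added' events.

    expose_user_scoped=False: the behaviour described in the issue (project-scoped
    tokens produce a project event, user-scoped tokens only a user event).
    expose_user_scoped=True: the proposal, where every *existing* project the
    user-scoped token can upload to also gets an event. Projects created later
    still get nothing, which is the gap the thread points out.
    """
    user.events.append(("user:api_token:added", token.token_id))
    if token.project is not None:
        projects[token.project].events.append(("project:api_token:added", token.token_id))
    elif expose_user_scoped:
        for project in projects.values():
            if token_can_upload(token, project):
                project.events.append(("project:api_token:added", token.token_id))


def tokens_authorised_for(project: Project, tokens: list) -> list:
    """Mitigation suggested in the thread: derive the tokens that can upload to a
    project from token scope rather than from recorded events, so user-scoped
    tokens minted before the project existed are still listed."""
    return sorted(t.token_id for t in tokens if token_can_upload(t, project))


def scenario(expose_user_scoped: bool) -> dict:
    """Constructed sample data: one shared project, one user-scoped token, one project created afterwards."""
    alice = User("alice")
    projects = {"foo": Project("foo", {"alice", "bob"})}
    tokens = [ApiToken("tok-project-foo", "alice", project="foo"),
              ApiToken("tok-user-alice", "alice")]
    for token in tokens:
        record_token_added(token, alice, projects, expose_user_scoped)
    # Project created *after* the user-scoped token was minted.
    projects["bar"] = Project("bar", {"alice"})
    return {
        "foo_events": [event[1] for event in projects["foo"].events],
        "bar_events": [event[1] for event in projects["bar"].events],
        "bar_authorised": tokens_authorised_for(projects["bar"], tokens),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("expose_user_scoped =", flag, scenario(flag))
```

With `expose_user_scoped=True`, project `foo` records the creation of `tok-user-alice`, so co-owner `bob` sees an event for a token he did not create, which is the minor info-leak mentioned above; project `bar` records nothing either way because it did not exist when the token was minted, while `tokens_authorised_for` still lists the token for `bar` because it derives the answer from scope, not from history.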

nlhkabu commented 5 years ago

My thoughts on this:

Screenshot from 2019-08-15 07-34-10

Screenshot from 2019-08-15 07-38-49

nlhkabu commented 5 years ago

@brainwane I've added this to the OTF security milestone, but I'm not sure if it's in scope. Please remove the milestone if not :)

brainwane commented 5 years ago

@nlhkabu Let's discuss this in the bug triage & work prioritization meeting I'm scheduling (within the next few business days).

brainwane commented 5 years ago

Yes, per our meeting last week, this is in the milestone, and Will says it shouldn't take too long.

brainwane commented 5 years ago

Contractors on the OTF-funded work need to de-prioritize work on the security features in order to ensure we complete the accessibility and internationalization work by the end of the month. Therefore, while this is a great feature to have, and I understand Will might still complete it this month, I'm removing it from the milestone.