Closed Xpirix closed 5 months ago
Attention: 193 lines
in your changes are missing coverage. Please review.
Comparison is base (
a9dabb5
) 36.97% compared to head (d6b53ac
) 36.42%. Report is 2 commits behind head on master.
Files | Patch % | Lines |
---|---|---|
qgis-app/plugins/views.py | 26.08% | 102 Missing :warning: |
qgis-app/plugins/tests/test_token_auth.py | 22.72% | 68 Missing :warning: |
qgis-app/plugins/decorators.py | 30.30% | 23 Missing :warning: |
:exclamation: Your organization needs to install the Codecov GitHub app to enable full functionality.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
Thank you very much. 🎉 Could you show a screenshot of the plugin config page, where plugin maintainers can manage tokens for specific plugins?
@m-kuhn My pleasure.
I've made some changes to make specific tokens for plugin. Please find below the updated description for this PR.
pyjwt
and djangorestframework-simplejwt
into the project's requirements files.Tokens
button in the plugin management tab, facilitating redirection to the Token Management page.Utilize a token for uploading or updating a plugin version via the following URLs:
https://plugins.qgis.org/plugins/api/<package_name>/version/add/
https://plugins.qgis.org/plugins/api/<package_name>/version/<version>/update
Tokens are exclusively valid for the specific plugin with which they are associated.
Tokens automatically become invalid upon deletion or upon reaching the expiration date.
Please find below a GIF demonstrating this feature.
Thanks for the update @Xpirix , this new screencast looks very promising!
If I understand correctly, there is a timeout on the token of 15 days and the token needs to be refreshed? The most typical use case I can think of is storing the token as a github secret and then creating CI/CD automations that make use of this token. There is no logic running, that could regularly refresh such a token and store a refreshed token (secrets are manually managed). Ideally I was thinking to acquire a token once and then have it available forever.
Additional ideas more "nice to have":
One example: https://help.transifex.com/en/articles/6248858-generating-an-api-token (even though this is linked to the user account like a personal access token rather than a resource specific token as here). Other similar examples would be "github repository deploy key" with the difference that this key is not generated, but the rest is very much the same.
I am also interested in opinions from @Gustry @Guts @3nids as qgis-plugin-ci contributors/maintainers
One more thing
showcasing only those associated with the authenticated user and the corresponding plugin
as a plugin maintainer I would like to see all tokens that are associated with a plugin I am responsible for, even if they were generated by others in the team. I think it's nice to show who created a token but a token should be completely detached from a user account after creation. I.e. if a someone leaves the development team, the token should be kept active, so any CI/CD pipelines continue to work and others in the team should then still be able to revoke this token.
Thank you for the feedback @m-kuhn .
If I understand correctly, there is a timeout on the token of 15 days and the token needs to be refreshed? The most typical use case I can think of is storing the token as a github secret and then creating CI/CD automations that make use of this token. There is no logic running, that could regularly refresh such a token and store a refreshed token (secrets are manually managed). Ideally I was thinking to acquire a token once and then have it available forever.
Yes, that makes sense. I will make every token available for a very long duration. They can always be revoked anytime.
Additional ideas more "nice to have":
- Show the token only once on the user interface and then hide it
- Show when the token was last used
- Ability to give a description to a token (so I can flag it as my "github action" token or "mkuhn local test" token or similar)
Thanks for theses ideas, I'm going to implement them.
as a plugin maintainer I would like to see all tokens that are associated with a plugin I am responsible for, even if they were generated by others in the team.
That's well noted.
I think it's nice to show who created a token but a token should be completely detached from a user account after creation. I.e. if a someone leaves the development team, the token should be kept active, so any CI/CD pipelines continue to work and others in the team should then still be able to revoke this token.
From what I understand from the basic process of uploading/updating a plugin version, a user is always needed. Indeed, a token contains the plugin information but also the user identity (user_id) because the user don't have to log in when using it. If we don't store the user identity in the token, we won't be able to retreive which user is uploading a plugin and the process will raise an error.
Please find bellow the description and a GIF of the latest changes according to the previous comments.
Thank you for these updates.
If we don't store the user identity in the token, we won't be able to retreive which user is uploading a plugin and the process will raise an error.
One question regarding this, if Anna creates a token for FancyPlugin and configures a release pipeline to use this token (e.g. stored in github action secrets). Later Anna leaves the dev team and removed permissions to upload new versions. If a new release is triggered via this pipeline, will the pipeline still work?
@m-kuhn You're welcome.
One question regarding this, if Anna creates a token for FancyPlugin and configures a release pipeline to use this token (e.g. stored in github action secrets). Later Anna leaves the dev team and removed permissions to upload new versions. If a new release is triggered via this pipeline, will the pipeline still work?
I see. You're right; the pipeline will not work anymore because this Token contains the user information, and Anna doesn't have the permission anymore.
To resolve this, I suggest editing the workflow when uploading a new version using a token:
PluginVersion
by adding a new column is_from_pipeline
and setting the column created_by
to nullable.This way, all created tokens will be independent from Anna, and the pipeline will continue to work even if Anna leaves the dev team and no longer has the permission.
I like this. Alternative to the current term: " Token {token_description}"? But it's a tiny detail, only if it's reasonable effort.
I've made the updates. Each created token is now independent from the user who created it.
Alternative to the current term: " Token {token_description}"?
Please find below the screenshot for the Uploaded by column for this.
This feature has been deployed. Please feel free to check and share your feedback.
Thanks.
Cool, what can I do with the Jti ?
I think it's something like an ID for the token. But we can hide that since we implemented the Description column.
Changes Summary
pyjwt
anddjangorestframework-simplejwt
in the requirements files./api/token/
) and refresh (/api/token/refresh/
) endpoints.Bearer the_access_token
is specified inHTTP_AUTHORIZATION
. The process involves:HTTP_AUTHORIZATION
starts withBearer
.Please find below a video demonstrating this feature in Postman. In this example, we specify the token in the GET request, and the cookies are set automatically. Thus, there's no need to specify the token in the POST request.
https://github.com/qgis/QGIS-Django/assets/43842786/dc49d70c-a49d-44a3-9e50-0852b52be15f