rubygems / rubygems.org

The Ruby community's gem hosting service.
https://rubygems.org
MIT License

Remove API key on gem signout #2844

Open jenshenny opened 2 years ago

jenshenny commented 2 years ago

Is your feature request related to a problem?

An API key is created on every gem signin. When gem signout is called, the API credentials are removed from the local machine, but are not removed from the rubygems.org host. This might be intended behaviour, but I would expect the API key to be removed on rubygems.org as it probably won't be used anymore.

Describe the solution you'd like

On gem signout, delete the associated remote API key. This would be done in the rubygems repo.

ecnelises commented 2 years ago

This might be confusing because not every gem signout is paired with gem signin. Maybe we can set expiry to API keys so that a key unused for a long time will be automatically revoked.

sonalkr132 commented 2 years ago

Yeah, the user may have created the key from our web UI. The same API key may also be used in multiple environments. What we can do is perhaps give a prompt or add a flag for deleting the key from the server side as well. When we used to have only one key per account, keeping it the same made more sense.