Skip to content

Allow creating Personal Access Tokens through the website

Timothy Andrewrequested to merge
2979-personal-access-tokens into master

Related to #2979

  • Allow a user to create personal access tokens, and use them to authenticate
  • Refactor API::Helpers into API::Helpers::Core and API::Helpers::Authentication

Tasks

  • #2979 (!3749 (merged)) - Personal Access Tokens
    • Basic Implementation
      • Add UI to add "Personal Access Tokens"
      • Reload lib/api on every request
      • Respect these tokens for API requests
      • Just a param or a header too?
      • Allow revoking tokens
      • Expire tokens
      • Left bar should have a "PAT" icon
      • Scopes?
      • Copy to Clipboard
      • Show active/inactive tokens separately
        • No need to check for expired/revoked in the appropriate places
      • Why does regular ApplicationController check for private token?
      • Support non-API requests
      • Revert (or work on) lib/api eager loading
    • Create MR
    • Refactoring
    • Fix tests
    • Write more tests
    • Add screenshots to MR
    • Add description of query performance to MR
    • Limit the number of queries in the personal_access_tokens page
    • Wait for CI to pass
    • Fix merge issues in schema.rb
    • Assign MR to endboss
    • Wait for feedback
    • Fix feedback
      • Wait for CI to pass
    • Assign to @rspeicher
    • Fix @rspeicher's comments
    • Wait for CI to pass
    • Assign back to @rspeicher
    • Write documentation and ping @axil
    • Wait for Axil to respond
    • Assign to endboss
    • Address Douwe's feedback
      • Use the private_token or authentication_token param instead of personal_access_token
      • Ditto for the header
    • Assign to endboss
    • Make sure CI is green
    • Address Douwe's feedback
      • Don't go through the authenticate_user_from_private_token! method, if a private token is supplied (or combine them)
      • In authenticate_user_from_personal_access_token! don't hit DB if token_string is nil
      • Use current_user.personal_access_tokens.build in the controller
      • Remove the "We aren't using personal_access_token as the root param" comment
      • No need for = "...", we can just have the Inactive ... #{...} on the next line in the view
      • Render dates in a (more) human format
      • CSS issue with table
      • Don't show the tokens in the UI indefinitely
      • How to implement scopes? Add-on to current impl? Doorkeeper?
    • Wait for @DouweM's comments about scopes
    • Address @DouweM's second review
      • Try not using native['innerHTML']
      • use contexts for all "when ..."
      • Ensure consistency (styling) with other pages for "You don't have any tokens" message
      • "Actions" table column doesn't need a label
      • %td can be moved outside of the if/else statement
      • The header title should be "Profile Settings"
      • Can this be a before_create, so we don't need to use generate?
      • If it couldn't be revoked, will we show an error?
      • If it couldn't be saved, will we show an error?
    • Merge master
    • Update CHANGELOG entry
    • Add tests for form errors?
    • Post screenshots
    • Tag @jschatz1 for review
    • Wait for build to pass
    • Respond to @jschatz1's comments
      • Hardcoded colors should be variables
      • Should not be allowed to chose a date in the past
      • Use the same table as in the Applications tab
      • button should say "Create Personal Access Token"
      • Float the revoke to the right on the a
      • Change revocation message. "Are you sure you want to revoke this certificate? This action cannot be undone."
      • Date stays selected and looks selected even though date is set as "never".
      • hover on the calendar button shifts (not caused by this MR - happens on milestones#new as well)
      • Don't use the panel for the created token
        • Use a normal flash for "Your new personal access token has been created"
        • Show the input (with the token) below it full width.
        • Put the "Make sure you save it - you won't be able to access it again." message near the input
      • Have the input highlight all on single click
    • Update screenshots
    • Merge master in + conflicts
    • Assign to @jschatz1 again
    • Respond to @jschatz1's comments
      • No button for clipboard, only link
      • text-danger
      • highlight fade on that area where the token was created
    • Make sure build is green
    • Assign to @jschatz1
    • Wait for build to pass
    • Respond to @DouweM's feedback
      • move the redirect_to out of the if/else
      • certificate -> token
      • datepicker back to text field
      • combine the get_user_from_private_token and get_user_from_personal_access_token methods in ApplicationController
      • combine the get_user_from_private_token and get_user_from_personal_access_token methods in lib/api/helpers
      • don't need the new constants
    • Wait for build to pass
    • Wait for merge

Screenshots

Screen_Shot_2016-06-16_at_8.30.33_AM Screen_Shot_2016-06-16_at_8.30.44_AM Screen_Shot_2016-06-16_at_8.31.02_AM Screen_Shot_2016-06-16_at_8.31.29_AM

Merge request reports