I'd simply add the warning because having to use a confirmation button to
access it in a mobile browser could be a pain, depending, and that's the
only way to C/P it into the mobile app at the moment.
On Mon, Mar 10, 2014 at 8:23 PM, wc8 wrote:
> - add a button & confirmation dialog before displaying API token, e.g. _This token should only be used for synchronization or integration between other software programs and your habit account. This API token should not be given out to others or posted on a site such as Github. If you need to provide someone with your User ID for support or joining a party, click Dismiss_, Confirmation Buttons: _Dismiss_ and _I Understand._ Alternatively, simply add the warning above the API.
> - @lefnire's suggestion on #2592 (https://github.com/HabitRPG/habitrpg/issues/2592): ability to change the API token in case it is compromised
Updated above. Maybe a link to wiki would also be helpful, but that's less important.
Added a warning. Leaving this open because changing API tokens should be done.
On a tragically related note, is there any way to have the API token changed if you do accidentally post it somewhere public? I'm sorry if this isn't the place for this since it's not exactly a bug, but for obvious reasons I didn't want to ask in the newbie guild/tavern/wiki since those have my username & User ID associated with them.
For the record this wasn't an issue of the warning not working, I just had a massive brain fart. I had put my API token in for the data display tool and then forgot that it was on my clipboard instead of the user ID. They have the same format so it's not obvious when you have the wrong one.
@Renna We can change your API token, but we need to know your User ID. Searching for your account by GitHub name isn't reliable. Paste it here and I'll change your token for you.
UserID is 93e62228-6f93-46d3-a4cf-bd51454d49c0
Thank you for fixing my idiocy so quickly!
It's changed. I recommend logging out of HabitRPG and logging back in. You are likely to see errors until you do that.
Anyone opposed to having a "Generate New API Token" button on the settings page? I'm thinking that it would open a modal with scary warning text about 3rd party extensions and ask for your password to confirm the change.
i'd like that
Should we also have the key hidden until a user clicks on it? I remember seeing an Issue that discussed it, but I can't find it.
@MathWhiz Yes, having the key hidden until you click on it is something we want. I also remember seeing that idea but can't find where. It was a good idea.
We also want a "Generate New API Token" button on the Settings > API page as @crookedneighbor says.
Is there an API route or something to generate a new API token?
No, there isn't any route actually. There are plans to have it, though
Matteo Pagliazzi - paglias.net
@paglias How is a new API token normally created?
Manually by a database admin.
How would it be changed?
On Wed, Sep 7, 2016 at 9:09 AM Matteo Pagliazzi wrote:
> @MathWhiz on signup https://github.com/HabitRPG/habitrpg/blob/develop/website/server/models/user/schema.js#L17
@MathWhiz what do you mean? Changing an API key is something that is done very rarely, so when it's necessary a member of the staff with database access manually generates a new API key and sets it in the database.
What I mean is how would it potentially be changed through the codebase?
@MathWhiz I'm not sure allowing the API Key to change is a good move. Right now it'll mean that mobile apps, other browsers and all 3rd party extensions will need to be authenticated again.
@Alys @crookedneighbor what do you think?
I would prefer to wait for the auth overhaul we've been talking about
It's desirable but not high priority. I agree that the code for changing it
yourself should wait. We could cover it now by inserting a message like
(but better worded!) "If you need a new token, post to the Bug guild.
You'll need to re-auth everything afterwards."
I can do that!
The Settings > API page now has a note about emailing us to get a new token. I'm putting this on hold until we do the auth overhaul that paglias mentioned.
We are pushing better warnings/security for the API token this week, so I am closing this ticket!
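Added example, not part of the thread and not HabitRPG's code: a sketch of the "Generate New API Token" flow proposed above, where rotation requires the account password and the old token stops authenticating at once, which is why every client has to be re-authenticated afterwards. The in-memory store, field names and function names are hypothetical, and the User ID and token are both modelled as UUIDs because the thread says they share a format.

```javascript
// Added example: self-service API token rotation gated by password re-entry.
// The user store, field names and function names are hypothetical.
const crypto = require('node:crypto');

const users = new Map(); // userId -> { salt, passwordHash, apiToken }

function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function createUser(password) {
  const userId = crypto.randomUUID(); // shareable identifier
  const salt = crypto.randomBytes(16);
  const user = {
    salt,
    passwordHash: hashPassword(password, salt),
    apiToken: crypto.randomUUID(), // secret, same format as the User ID
  };
  users.set(userId, user);
  return { userId, apiToken: user.apiToken };
}

// Assumption: a client presents the User ID together with the token.
function authenticate(userId, apiToken) {
  const user = users.get(userId);
  if (!user || typeof apiToken !== 'string') return false;
  const presented = Buffer.from(apiToken);
  const stored = Buffer.from(user.apiToken);
  return presented.length === stored.length &&
    crypto.timingSafeEqual(presented, stored);
}

// Rotation requires the account password, so a leaked token alone
// cannot be used to mint its own replacement.
function regenerateApiToken(userId, password) {
  const user = users.get(userId);
  if (!user || typeof password !== 'string') return null;
  const candidate = hashPassword(password, user.salt);
  if (!crypto.timingSafeEqual(candidate, user.passwordHash)) return null;
  user.apiToken = crypto.randomUUID(); // old token is invalid from here on
  return user.apiToken;
}

// Constructed demo values.
const demo = createUser('correct horse battery staple');
const rotated = regenerateApiToken(demo.userId, 'correct horse battery staple');
console.log('old token accepted:', authenticate(demo.userId, demo.apiToken));
console.log('new token accepted:', authenticate(demo.userId, rotated));
```
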