Warehouse: [Project-scoped API tokens] should be accessible from project settings

Created on 25 Jul 2019 · 2 Comments · Source: pypa/warehouse

What's the problem this feature will solve?

I think that it'd be convenient if I could see a list of tokens having access to the chosen project page. Even ones created by someone else.
This'd result in better visibility of the security aspects of managing the project.

Describe the solution you'd like

I'm thinking of one of these pages:

It'd look like:

[ Create a new token ] <-- links to https://pypi.org/manage/account/token with a project pre-selected

* token1 (created by you) [ Revoke ]
* token2 (created by some_maintainer) [~Revoke~] <-- not sure whether owner should be able to revoke this
* to...3 (created by some_maintainer_2) [~Revoke~]  <-- maybe even mostly hide their names if created by someone else

[ Create a new token ] <-- links to https://pypi.org/manage/account/token with a project pre-selected

Additional context

N/A

Labels: feature request, needs discussion, tokens

All 2 comments

Thanks for your note and for the feature idea of displaying an inventory, somewhere within project settings, of project-scoped API tokens, viewable by project owners (and maybe maintainers).

Right now I think this is out of scope for the OTF-funded security work on our development roadmap -- we need to be pretty frugal with scope for this to make sure we get through all our milestones.

But I think that the creation of a token would probably go into the audit log in #5863. So that would help with the visibility concern.

If someone makes a pull request to implement this, please ping @nlhkabu to ask her to review it. :)
