Add scoped API keys #262

Open
epompeii opened this issue Dec 11, 2023 · 3 comments

epompeii commented Dec 11, 2023

Right now tokens are unscoped.
Add scoped tokens and also make them only available at the time of creation.

The Pareto solution to this would be having a single toggle that is just for CI (and likely make this selected by default).
This would only allow for any GET queries and POST for all dimensions (Branches, Testbeds, Benchmarks, and Measures) and Reports. That is the minimum set of permissions required to run in CI.

It's likely anything past that would only make sense down the road as a Plus feature.

@epompeii
Member Author

These scoped API tokens should also be revocable. Currently, all API tokens are non-revocable.


epompeii commented Jul 22, 2024

Currently, the API tokens are tied to a user's email. This means if a user changes their email, their API tokens still appear; however, they will no longer be valid. The new API tokens should be tied to the user's UUID to avoid this issue.

However, for testing purposes, we will still want to be able to have an API token that is set to the user's email and not their UUID.


epompeii commented Sep 3, 2024

Consider using API keys instead of API tokens. The difference being that an API key is just a simple identifier, which will fit better with the prefixed IDs. For example: key_abcd1234

epompeii changed the title from "Add scoped API tokens" to "Add scoped API keys" on Sep 3, 2024
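The CI scope, revocation and UUID binding requested in the comments above, combined into one authorization check as an added example (not code from this project or its maintainers). The type names, the `Full` scope for a key created with the CI toggle off, the `Other` resource for every non-dimension endpoint, and the in-memory key store are assumptions made for illustration.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Method { Get, Post, Put, Patch, Delete }
// `Other` (assumed) stands in for every endpoint that is not a dimension or a Report.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Resource { Branch, Testbed, Benchmark, Measure, Report, Other }
// `Full` is an assumed name for a key created with the CI toggle off.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Scope { Ci, Full }

#[derive(Debug, PartialEq)]
pub enum Denied { UnknownKey, Revoked, OutOfScope }

pub struct ApiKey {
    pub user_uuid: String, // owner is the user's UUID, so an email change does not orphan the key
    pub scope: Scope,
    pub revoked: bool,
}

/// CI scope as described in the issue: any GET, plus POST for the dimensions and Reports.
pub fn scope_allows(scope: Scope, method: Method, resource: Resource) -> bool {
    match (scope, method) {
        (Scope::Full, _) | (Scope::Ci, Method::Get) => true,
        (Scope::Ci, Method::Post) => resource != Resource::Other,
        (Scope::Ci, _) => false, // PUT, PATCH and DELETE fall outside the minimum CI set
    }
}

/// Resolve a prefixed key id to its owner's UUID, failing closed on every check.
pub fn authorize<'a>(keys: &'a HashMap<String, ApiKey>, key_id: &str,
                     method: Method, resource: Resource) -> Result<&'a str, Denied> {
    let key = keys.get(key_id).ok_or(Denied::UnknownKey)?;
    if key.revoked {
        return Err(Denied::Revoked);
    }
    if !scope_allows(key.scope, method, resource) {
        return Err(Denied::OutOfScope);
    }
    Ok(key.user_uuid.as_str())
}

fn main() {
    // Constructed sample store; the key id follows the issue's `key_abcd1234` form.
    let mut keys = HashMap::new();
    keys.insert("key_abcd1234".to_string(),
        ApiKey { user_uuid: "00000000-0000-4000-8000-000000000001".into(), scope: Scope::Ci, revoked: false });
    println!("{:?}", authorize(&keys, "key_abcd1234", Method::Delete, Resource::Branch));
}
```

Revocation is checked before scope so that a revoked key is rejected even for requests its scope would otherwise allow.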