-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(auth): Add key previews to personal API keys #22362
Conversation
The mask was inspired by OpenAI API keys page, let me know if you want this changed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the idea but we definitely don't want a migration and a separate field for it. The key is available - we should just read it and do the masking at read time instead.
Also then we can just use the existing field
Ah @benjackwhite This is not is clear in the code, but the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few suggestions, but in principle sounds good to me!
It's effectively a sacrifice of ~24 bits of entropy, out the key's 256 bits total, so we could also increase the key's random part to 280 bits. Let's do that in the generate_random_token_personal()
function, by changing generate_random_token()
to generate_random_token(35)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made a few small tweaks – the PR looks good to me! Will wait for a second opinion from @benjackwhite though
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah yeah - shouldn't have been trying to review this on the go 😅 Yeah we need the extra field indeed and overall this looks good.
Only remaining issue will be the double migration. I think our CI requires a max of one migration per PR so needs to be combined into one
Hey @benjackwhite, I have updated the migration code 😄 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Amazing! Great addition!
I could imagine some of the tests failing as they check the returned payload so that might be the final thing to get this over the line https://github.com/PostHog/posthog/blob/master/posthog/api/test/test_personal_api_keys.py#L27 |
Have updated the tests as you pointed out, just in case 👍 |
* added a way to preview the key value without exposing the key * updated api keys preview * Make the UI a bit nicer * Write out the reasoning behind personal API key entropy * Include underscore in masked value * updated migrations for API key mask * updated personal api keys tests --------- Co-authored-by: Michael Matloka <michal@matloka.com>
Problem
Fixes issue #22360
Changes
Does this work well for both Cloud and self-hosted?
Works on self-hosted.
How did you test this code?
Ran in codespaces on localhost.