-
Notifications
You must be signed in to change notification settings - Fork 252
Multiple API Keys
Feedback on the spec can be given on the following issue - https://github.com/NuGet/NuGetGallery/issues/3246
Currently, NuGet.org users can only create a Single API key for all their packages. For large GitHub organizations, it is necessary that multiple API keys be created that be scoped to specific actions and packages to prevent a single leak from compromising all the packages. In addition, this enables us to hide the API keys after a one-time generation further reducing the risk and enabling users to create keys with specific privileges.
Large GitHub organizations or users with multiple packages and contributors
- Security Push
- Feedback from customers during the Expiring API keys discussion
The key scenarios we want to enable is the following
- Enable users to create multiple API keys with a name
- Set expiration range similar to current API keys.
- Restrict privileges of API keys to one or more packages
- Restrict key privileges to specific NuGet.org actions like Push New Id, Push New Version, Un-list
- API Keys are only shown after generation. Any action that closes or navigates away from page will result in the API key being hidden forever.
- Notify Users on new key creation
- Maintain Legacy API keys, only new API keys have support for privileges, expiration and scope.
- Manage API key - Ability to delete any API key including Legacy keys
- User Logs into NuGet.org
- Goes to Account Details
- Clicks on Show details in the API Keys section
- Navigates to Generate API Key
- Adds a Name for the the Key
- Selects the expiration interval (by default set to 365)
- From the list of packages (all packages owned by the user) selects the packages that the key will apply to (by default none is selected)
- From the list of following scopes Push, Unlist, Update selects privileges for the key (by default none will be selected)
- Clicks on Generate API key
- Notification is sent to registered email Id about the key create with name, packages and scope information.\
- Copies the API key and saves it in NuGet.config or uses it for a one-time operation
Create API Key - Expiration,Name, Packages and Scopes
In the interest of space, I have omitted the examples section in the below screen. We should not remove this from the current UI
Check out the proposals in the accepted
& proposed
folders on the repository, and active PRs for proposals being discussed today.