Better support for one-off deploy tokens #811

Closed
vemv opened this issue Sep 18, 2021 · 4 comments


vemv commented Sep 18, 2021

Context

I like to use the deploy tokens as one-off (single-use) ones: that way I get to never store them, which has some associated risks.

Problem statement

There isn't explicit support for one-off tokens so one has to manually disable them after use. They also accrue quite awkwardly over the web UI:

image

Proposed solution

Offer one-off tokens that can be used once at most (and that maybe are valid only up to 60m from now).

They would not accrue over the web UI.

WDYT?

Thanks - V

Member

tobias commented Sep 23, 2021

I think this is a really good idea! The idea of "one use" is a bit tricky, since a single deploy is many requests, but all requests should be in the same HTTP session, so we could attach a session identifier to the token on the first request, then only allow future requests within that same session.

I think implementing this would be straightforward. Are you interested in implementing this? If so, I'm happy to help. I can also do this myself, but wanted to give you the opportunity if you were interested.

Author

vemv commented Sep 23, 2021

Thanks for the response!

Maybe in a different season I'd be happy to give a PR a shot - these days I have quite a lot on my plate (OSS and otherwise)

tobias added a commit that referenced this issue Feb 22, 2022
This adds single-use tokens, which can only be used for a single deploy.
This handles:

- creating the token with the single-use option
- consuming the token on deploy
- verifying that the token being used to deploy is valid:
  - either it hasn't been used
  - or it has been used, but only for the current deploy session (this
    allows files pushed after finalization to succeed, since we finalize
    when we see maven-metadata.xml, artifacts with classifiers are
    pushed after the metadata)

See #811.
tobias added a commit that referenced this issue Feb 27, 2022
This adds single-use tokens, which can only be used for a single deploy.
This handles:

- creating the token with the single-use option
- consuming the token on deploy
- verifying that the token being used to deploy is valid:
  - either it hasn't been used
  - or it has been used, but only for the current deploy session (this
    allows files pushed after finalization to succeed, since we finalize
    when we see maven-metadata.xml, artifacts with classifiers are
    pushed after the metadata)

See #811.
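
The validity check described in the commit message above, as an added Python sketch that is not taken from the project's code: a single-use token is consumed by binding it to the first deploy session that presents it, later requests are accepted only from that same session, and an optional expiry is enforced first. `DeployToken`, `TokenStore`, `authorize` and the in-memory dict are assumptions made for illustration; the 60-minute lifetime in the test comes from the proposal at the top of this issue.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeployToken:
    value: str
    single_use: bool = False
    expires_at: Optional[float] = None      # epoch seconds; None means no expiry
    disabled: bool = False
    used_by_session: Optional[str] = None   # set once a single-use token is consumed


class TokenStore:
    """In-memory stand-in for a token table (hypothetical). A real store would
    keep only a hash of each token and make the first-use binding atomic."""

    def __init__(self):
        self._tokens = {}

    def create(self, single_use=False, ttl_seconds=None, now=None):
        now = time.time() if now is None else now
        expires = None if ttl_seconds is None else now + ttl_seconds
        tok = DeployToken(secrets.token_urlsafe(32), single_use, expires)
        self._tokens[tok.value] = tok
        return tok

    def authorize(self, value, session_id, now=None):
        """Return True if this request may deploy with the presented token."""
        now = time.time() if now is None else now
        tok = self._tokens.get(value)
        if tok is None or tok.disabled:
            return False
        if tok.expires_at is not None and now >= tok.expires_at:
            return False
        if not tok.single_use:
            return True
        if tok.used_by_session is None:
            # First request of a deploy: consume the token for this session.
            tok.used_by_session = session_id
            return True
        # Already consumed: only the consuming session may continue, so files
        # pushed after maven-metadata.xml in the same deploy still succeed.
        return tok.used_by_session == session_id
```
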
Member

tobias commented Mar 3, 2022

I've added support for single-use tokens, and you can now set an expiry on tokens:

image

You can now also filter the list of tokens on the token management page:

image

tobias closed this as completed Mar 3, 2022
Author

vemv commented Mar 3, 2022

Amazing, thank you for the effort!

Will sure start using these exclusively.
