8853 Prevent the retrieval of API tokens after creation (#10645)

* 8853 hide api token * 8853 hide key on edit * 8853 add key display * 8853 cleanup html * 8853 make token view accessible only once on POST * Clean up display of tokens in views * Honor ALLOW_TOKEN_RETRIEVAL in API serializer * Add docs & tweak default setting * Include token key when provisioning with user credentials Co-authored-by: jeremystretch <jstretch@ns1.com>
2024-05-10 07:54:54 +00:00 · 2022-11-02 09:45:00 -07:00
parent 484efdaf75
commit 816fedb78d
12 changed files with 116 additions and 12 deletions
--- a/netbox/users/models.py
+++ b/netbox/users/models.py
@@ -1,6 +1,7 @@
 import binascii
 import os

+from django.conf import settings
 from django.contrib.auth.models import Group, User
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.postgres.fields import ArrayField
@@ -230,12 +231,12 @@ class Token(models.Model):
                  'Ex: "10.1.1.0/24, 192.168.10.16/32, 2001:DB8:1::/64"',
    )

-    class Meta:
-        pass
-
    def __str__(self):
-        # Only display the last 24 bits of the token to avoid accidental exposure.
-        return f"{self.key[-6:]} ({self.user})"
+        return self.key if settings.ALLOW_TOKEN_RETRIEVAL else self.partial
+
+    @property
+    def partial(self):
+        return f'**********************************{self.key[-6:]}' if self.key else ''

    def save(self, *args, **kwargs):
        if not self.key: