api tokens: allow admins to reset user tokens (#13885)

valentijnscholten · web-flow · commit f3a93ced8391 · 2025-12-15T21:26:38.000-06:00
* apiv2: allow admins to reset tokens

* token reset: send notification upon reset

* token reset: rename method

* revert ruff shenanigans

* add ui elements

* cleanup

* openapi type hints
diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py
@@ -12,6 +12,7 @@
     user_has_configuration_permission,
     user_has_global_permission,
     user_has_permission,
+    user_is_superuser_or_global_owner,
 )
 from dojo.authorization.roles_permissions import Permissions
 from dojo.importers.auto_create_context import AutoCreateContextManager
@@ -872,6 +873,11 @@ def has_permission(self, request, view):
         return request.user and request.user.is_superuser
 
 
+class IsSuperUserOrGlobalOwner(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return user_is_superuser_or_global_owner(request.user)
+
+
 class UserHasEngagementPresetPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -487,6 +487,8 @@ class UserSerializer(serializers.ModelSerializer):
     date_joined = serializers.DateTimeField(read_only=True)
     last_login = serializers.DateTimeField(read_only=True, allow_null=True)
     email = serializers.EmailField(required=True)
+    token_last_reset = serializers.SerializerMethodField()
+    password_last_reset = serializers.SerializerMethodField()
     password = serializers.CharField(
         write_only=True,
         style={"input_type": "password"},
@@ -515,10 +517,22 @@ class Meta:
             "last_login",
             "is_active",
             "is_superuser",
+            "token_last_reset",
+            "password_last_reset",
             "password",
             "configuration_permissions",
         )
 
+    @extend_schema_field(serializers.DateTimeField(allow_null=True))
+    def get_token_last_reset(self, instance):
+        uci = getattr(instance, "usercontactinfo", None)
+        return getattr(uci, "token_last_reset", None)
+
+    @extend_schema_field(serializers.DateTimeField(allow_null=True))
+    def get_password_last_reset(self, instance):
+        uci = getattr(instance, "usercontactinfo", None)
+        return getattr(uci, "password_last_reset", None)
+
     def to_representation(self, instance):
         ret = super().to_representation(instance)
 
diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
@@ -171,6 +171,7 @@
 from dojo.risk_acceptance.queries import get_authorized_risk_acceptances
 from dojo.test.queries import get_authorized_test_imports, get_authorized_tests
 from dojo.tool_product.queries import get_authorized_tool_product_settings
+from dojo.user.authentication import reset_token_for_user
 from dojo.user.utils import get_configuration_permissions_codenames
 from dojo.utils import (
     async_delete,
@@ -2410,6 +2411,19 @@ def destroy(self, request, *args, **kwargs):
         self.perform_destroy(instance)
         return Response(status=status.HTTP_204_NO_CONTENT)
 
+    @action(
+        detail=True,
+        methods=["post"],
+        url_path="reset_api_token",
+        permission_classes=(IsAuthenticated, permissions.IsSuperUserOrGlobalOwner),
+        filter_backends=[],
+        pagination_class=None,
+    )
+    def reset_api_token(self, request, pk=None):
+        target_user = self.get_object()
+        reset_token_for_user(acting_user=request.user, target_user=target_user)
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
 
 # Authorization: superuser
 @extend_schema_view(**schema_with_prefetch())
diff --git a/dojo/authorization/authorization.py b/dojo/authorization/authorization.py
@@ -40,6 +40,35 @@ def user_has_configuration_permission(user, permission):
     return user.has_perm(permission)
 
 
+def user_is_superuser_or_global_owner(user):
+    """
+    Returns True if the user is a superuser or has a global role (directly or
+    via group membership) whose Role.is_owner is True.
+    """
+    if not user or getattr(user, "is_anonymous", False):
+        return False
+
+    if user.is_superuser:
+        return True
+
+    if (
+        hasattr(user, "global_role")
+        and user.global_role.role is not None
+        and user.global_role.role.is_owner
+    ):
+        return True
+
+    for group in get_groups(user):
+        if (
+            hasattr(group, "global_role")
+            and group.global_role.role is not None
+            and group.global_role.role.is_owner
+        ):
+            return True
+
+    return False
+
+
 def user_has_permission(user, obj, permission):
     if user.is_anonymous:
         return False
diff --git a/dojo/db_migrations/0249_usercontactinfo_reset_timestamps.py b/dojo/db_migrations/0249_usercontactinfo_reset_timestamps.py
@@ -0,0 +1,33 @@
+# Generated by Django 3.1.13 on 2025-12-12
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("dojo", "0248_alter_general_survey_expiration"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="usercontactinfo",
+            name="token_last_reset",
+            field=models.DateTimeField(
+                blank=True,
+                help_text="Timestamp of the most recent API token reset for this user.",
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name="usercontactinfo",
+            name="password_last_reset",
+            field=models.DateTimeField(
+                blank=True,
+                help_text="Timestamp of the most recent password reset for this user.",
+                null=True,
+            ),
+        ),
+    ]
+
+
diff --git a/dojo/forms.py b/dojo/forms.py
@@ -31,7 +31,7 @@
 from tagulous.forms import TagField
 
 import dojo.jira_link.helper as jira_helper
-from dojo.authorization.authorization import user_has_configuration_permission
+from dojo.authorization.authorization import user_has_configuration_permission, user_is_superuser_or_global_owner
 from dojo.authorization.roles_permissions import Permissions
 from dojo.endpoint.utils import endpoint_filter, endpoint_get_or_create, validate_endpoints_to_add
 from dojo.engagement.queries import get_authorized_engagements
@@ -2420,13 +2420,32 @@ class Meta:
 
 
 class UserContactInfoForm(forms.ModelForm):
+    reset_api_token = forms.BooleanField(
+        required=False,
+        label=_("Reset API token"),
+        help_text=_("Upon saving, a new token will be generated and a notification of category 'Other' is triggered."),
+    )
+
     class Meta:
         model = UserContactInfo
         exclude = ["user", "slack_user_id"]
+        # Swap order: password_last_reset before token_last_reset
+        field_order = [
+            "title", "phone_number", "cell_number", "twitter_username", "github_username",
+            "slack_username", "block_execution", "force_password_reset", "reset_api_token",
+            "password_last_reset", "token_last_reset",
+        ]
 
     def __init__(self, *args, **kwargs):
         user = kwargs.pop("user", None)
         super().__init__(*args, **kwargs)
+        # Make timestamp fields readonly.
+        # NOTE: `disabled=True` is enforced server-side by Django forms: posted values for disabled fields
+        # are ignored during binding/cleaning, so these timestamps cannot be modified via this form.
+        if "password_last_reset" in self.fields:
+            self.fields["password_last_reset"].disabled = True
+        if "token_last_reset" in self.fields:
+            self.fields["token_last_reset"].disabled = True
         # Do not expose force password reset if the current user does not have a password to reset
         if user is not None:
             if not user.has_usable_password():
@@ -2437,11 +2456,15 @@ def __init__(self, *args, **kwargs):
         if not current_user.is_superuser:
             if not user_has_configuration_permission(current_user, "auth.change_user") and \
                not user_has_configuration_permission(current_user, "auth.add_user"):
-                del self.fields["force_password_reset"]
+                self.fields.pop("force_password_reset", None)
             if not get_system_setting("enable_user_profile_editable"):
                 for field in self.fields:
                     self.fields[field].disabled = True
 
+        # Only show reset_api_token to superusers or global owners, and only if API tokens are enabled
+        if not settings.API_TOKENS_ENABLED or not user_is_superuser_or_global_owner(current_user):
+            self.fields.pop("reset_api_token", None)
+
 
 class GlobalRoleForm(forms.ModelForm):
     class Meta:
diff --git a/dojo/management/commands/force_token_reset.py b/dojo/management/commands/force_token_reset.py
@@ -0,0 +1,46 @@
+from django.contrib.auth import get_user_model
+from django.core.management.base import BaseCommand, CommandError
+
+from dojo.user.authentication import reset_token_for_user
+
+
+class Command(BaseCommand):
+    help = "Rotate (reset) the DRF API token for a target user. Requires an acting user (superuser or global owner)."
+
+    def add_arguments(self, parser):
+        parser.add_argument("--acting-user", required=True, help="Username of the acting user performing the reset.")
+        parser.add_argument("--username", help="Username of the target user.")
+        parser.add_argument("--user-id", type=int, help="ID of the target user.")
+
+    def handle(self, *args, **options):
+        User = get_user_model()
+
+        acting_username = options["acting_user"]
+        target_username = options.get("username")
+        target_user_id = options.get("user_id")
+
+        if bool(target_username) == bool(target_user_id):
+            msg = "Provide exactly one of --username or --user-id."
+            raise CommandError(msg)
+
+        try:
+            acting_user = User.objects.get(username=acting_username)
+        except User.DoesNotExist as exc:
+            msg = f"Acting user '{acting_username}' does not exist."
+            raise CommandError(msg) from exc
+
+        try:
+            if target_username:
+                target_user = User.objects.get(username=target_username)
+            else:
+                target_user = User.objects.get(id=target_user_id)
+        except User.DoesNotExist as exc:
+            msg = "Target user does not exist."
+            raise CommandError(msg) from exc
+
+        try:
+            reset_token_for_user(acting_user=acting_user, target_user=target_user)
+        except Exception as exc:
+            raise CommandError(str(exc)) from exc
+
+        self.stdout.write(self.style.SUCCESS("API token reset successfully."))
diff --git a/dojo/models.py b/dojo/models.py
@@ -268,6 +268,8 @@ class UserContactInfo(models.Model):
     slack_user_id = models.CharField(blank=True, null=True, max_length=25)
     block_execution = models.BooleanField(default=False, help_text=_("Instead of async deduping a finding the findings will be deduped synchronously and will 'block' the user until completion."))
     force_password_reset = models.BooleanField(default=False, help_text=_("Forces this user to reset their password on next login."))
+    token_last_reset = models.DateTimeField(null=True, blank=True, help_text=_("Timestamp of the most recent API token reset for this user."))
+    password_last_reset = models.DateTimeField(null=True, blank=True, help_text=_("Timestamp of the most recent password reset for this user."))
 
 
 class Dojo_Group(models.Model):
diff --git a/dojo/templates/dojo/users.html b/dojo/templates/dojo/users.html
@@ -69,6 +69,8 @@ <h3 class="has-filters">
                                     <th class="nowrap">{% trans "Global Role" %}</th>
                                     <th class="nowrap">{% trans "Date Joined" %}</th>
                                     <th class="nowrap">{% trans "Last Login" %}</th>
+                                    <th class="nowrap">{% trans "Token Last Reset" %}</th>
+                                    <th class="nowrap">{% trans "Password Last Reset" %}</th>
                                     {% block users_table_extra_header_rows %}
                                     {% endblock users_table_extra_header_rows %}
                                 </tr>
@@ -127,6 +129,8 @@ <h3 class="has-filters">
                                         <td>{% if u.global_role.role %} {{ u.global_role.role }} {% endif %}</td>
                                         <td>{{ u.date_joined }}</td>
                                         <td>{% if u.last_login %}{{ u.last_login }}{% else %}{% trans "Never" %}{% endif %}</td>
+                                        <td>{% if u.usercontactinfo.token_last_reset %}{{ u.usercontactinfo.token_last_reset }}{% else %}{% trans "Never" %}{% endif %}</td>
+                                        <td>{% if u.usercontactinfo.password_last_reset %}{{ u.usercontactinfo.password_last_reset }}{% else %}{% trans "Never" %}{% endif %}</td>
                                         {% block users_table_extra_data_rows %}
                                         {% endblock users_table_extra_data_rows %}
                                     </tr>
diff --git a/dojo/templates/dojo/view_user.html b/dojo/templates/dojo/view_user.html
@@ -34,7 +34,7 @@ <h3 class="pull-left">{% trans "Default Information" %}</h3>
                                 {% if "auth.delete_user"|has_configuration_permission:request and user.id != request.user.id %}
                                 <li role="separator" class="divider"></li>
                                 <li>
-                                    <a class="" href="{% url 'delete_user' user.id %}" id="deleteUser"> 
+                                    <a class="" href="{% url 'delete_user' user.id %}" id="deleteUser">
                                         <i class="fa-solid fa-trash"></i>{% trans "Delete" %}</a>
                                 </li>
                                 {% endif %}
@@ -374,6 +374,14 @@ <h3 class="panel-title"><span class="fa-solid fa-circle-info fa-fw" aria-hidden=
                             <td style="width: 200px;"><strong>{% trans "Last Login" %}</strong></td>
                             <td>{% if user.last_login %} {{ user.last_login }} {% else %} {% trans "Never" %} {% endif %}</td>
                         </tr>
+                        <tr>
+                            <td style="width: 200px;"><strong>{% trans "Token Last Reset" %}</strong></td>
+                            <td>{% if user.usercontactinfo.token_last_reset %} {{ user.usercontactinfo.token_last_reset }} {% else %} {% trans "Never" %} {% endif %}</td>
+                        </tr>
+                        <tr>
+                            <td style="width: 200px;"><strong>{% trans "Password Last Reset" %}</strong></td>
+                            <td>{% if user.usercontactinfo.password_last_reset %} {{ user.usercontactinfo.password_last_reset }} {% else %} {% trans "Never" %} {% endif %}</td>
+                        </tr>
                     </tbody>
                 </table>
             </div>
@@ -399,11 +407,11 @@ <h3 class="panel-title"><span class="fa-solid fa-lock-open-alt" aria-hidden="tru
                         <td><strong>{{ field.display_name }}</strong></td>
                         <td class="centered">
                             {% if field.view_codename %}
-                            <input id="id_{{ field.view_codename }}" 
+                            <input id="id_{{ field.view_codename }}"
                                 {% if not request.user.is_superuser %}disabled{% endif %}
-                                name="{{ field.view_codename }}" 
-                                aria-label="{{ field.view_codename }}" 
-                                type="checkbox" 
+                                name="{{ field.view_codename }}"
+                                aria-label="{{ field.view_codename }}"
+                                type="checkbox"
                                 {% if user|user_has_configuration_permission_without_group:field.view_codename %}checked{% endif %} />
                             {% endif %}
                         </td>
diff --git a/dojo/user/authentication.py b/dojo/user/authentication.py
@@ -0,0 +1,59 @@
+from django.conf import settings
+from django.urls import reverse
+from django.utils import timezone
+from rest_framework.authtoken.models import Token
+from rest_framework.exceptions import PermissionDenied, ValidationError
+
+from dojo.authorization.authorization import user_is_superuser_or_global_owner
+from dojo.models import Dojo_User, UserContactInfo
+from dojo.notifications.helper import create_notification
+
+
+def reset_token_for_user(*, acting_user: Dojo_User, target_user: Dojo_User, allow_self_reset: bool = False) -> None:
+    if not settings.API_TOKENS_ENABLED:
+        msg = "API tokens are disabled."
+        raise PermissionDenied(msg)
+
+    if acting_user is None or getattr(acting_user, "is_anonymous", False):
+        msg = "Authentication required."
+        raise PermissionDenied(msg)
+
+    if acting_user == target_user and not allow_self_reset:
+        msg = "Resetting your own API token via this endpoint is not allowed."
+        raise ValidationError(msg)
+
+    # Only check permissions if not self-reset (self-reset is always allowed when allow_self_reset=True)
+    if acting_user != target_user and not user_is_superuser_or_global_owner(acting_user):
+        msg = "Insufficient permissions to reset API tokens."
+        raise PermissionDenied(msg)
+
+    # Rotate token: delete existing token (if any), then create a new one.
+    Token.objects.filter(user=target_user).delete()
+    Token.objects.create(user=target_user)
+
+    uci, _ = UserContactInfo.objects.get_or_create(user=target_user)
+    uci.token_last_reset = timezone.now()
+    uci.save(update_fields=["token_last_reset"])
+
+    # Send notification to the target user
+    if acting_user == target_user:
+        # Self-reset notification
+        description = f"A new API token has been generated for user {target_user.username}."
+        requested_by = None
+    else:
+        # Admin reset notification
+        description = (
+            f"Your API token has been reset by {acting_user.get_full_name() or acting_user.username}. "
+            f"Please retrieve the new API token via the UI to keep using the API."
+        )
+        requested_by = acting_user
+
+    create_notification(
+        event="other",
+        title="API Token Reset",
+        description=description,
+        recipients=[target_user],
+        url=reverse("api_v2_key"),
+        requested_by=requested_by,
+        icon="key",
+    )
diff --git a/dojo/user/urls.py b/dojo/user/urls.py
@@ -35,7 +35,7 @@
         re_path(r"^password_reset/done/$", auth_views.PasswordResetDoneView.as_view(
             template_name="login/password_reset_done.html",
         ), name="password_reset_done"),
-        re_path(r"^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,40})/$", auth_views.PasswordResetConfirmView.as_view(
+        re_path(r"^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,40})/$", views.DojoPasswordResetConfirmView.as_view(
             template_name="login/password_reset_confirm.html",
         ), name="password_reset_confirm"),
         re_path(r"^reset/done/$", auth_views.PasswordResetCompleteView.as_view(
diff --git a/dojo/user/views.py b/dojo/user/views.py
diff --git a/unittests/test_apiv2_user.py b/unittests/test_apiv2_user.py
diff --git a/unittests/test_user_ui_timestamps.py b/unittests/test_user_ui_timestamps.py
