fix: standardize API token format across all creation paths

Three places were creating API tokens with inconsistent formats:
- user.py: used uuid4().hex (no vtk_ prefix, no label, no signature)
- views.py: stored raw frontend token (no format enforcement)
- api_tokens/views.py: generated vtk_ but never persisted to DB

All now use generate_api_key() for consistent vtk_ prefix, with label
"Default", proper signature, and configurable expiry via API_KEY_EXPIRY_DAYS.

Author: wicky-zipstack

backend/backend/core/routers/api_tokens/views.py

@@ -182,8 +182,25 @@ def regenerate_api_key(request: Request, key_id: str) -> Response:
 @api_view([HTTPMethods.POST])
 @handle_http_request
 def generate_token(request: Request) -> Response:
-    """Legacy token generation endpoint."""
+    """Legacy token generation endpoint.
+
+    Now creates a proper APIToken record with vtk_ prefix, label, and expiry
+    to maintain consistency with the api-keys/create endpoint.
+    """
+    # Delete any existing default token for this user
+    APIToken.objects.filter(user=request.user, label="Default").delete()
+
     api_key = generate_api_key()
+    sig = generate_signature(api_key)
+
+    APIToken.objects.create(
+        user=request.user,
+        token=api_key,
+        signature=sig,
+        label="Default",
+        expires_at=now() + timedelta(days=django_settings.API_KEY_EXPIRY_DAYS),
+    )
+
     return Response({
         "message": "Token generated successfully.",
         "token": api_key,

backend/backend/core/user.py

@@ -1,15 +1,16 @@
 import logging
-import uuid
 from datetime import timedelta
 from typing import Any, Optional
 
+from django.conf import settings as django_settings
 from django.db import IntegrityError
 from django.db import transaction
 from django.utils.timezone import now
 
 from backend.core.models.api_tokens import APIToken
 from backend.core.models.organization_model import Organization
 from backend.core.models.user_model import User
+from backend.core.services.api_key_service import generate_api_key, generate_signature
 
 Logger = logging.getLogger(__name__)
 
@@ -87,11 +88,14 @@ def get_or_create_valid_token(self, user: User, organization: Organization):
                     token.delete()
                     token = None
                 if token is None:
+                    api_key = generate_api_key()
                     token = APIToken.objects.create(
                         user=user,
                         organization=organization,
-                        token=str(uuid.uuid4().hex),
-                        expires_at=now() + timedelta(days=90),
+                        token=api_key,
+                        signature=generate_signature(api_key),
+                        label="Default",
+                        expires_at=now() + timedelta(days=django_settings.API_KEY_EXPIRY_DAYS),
                     )
                     logging.info(f"A new api token for user: {user} and tenant: {organization} is created")
             except Exception as e:

backend/backend/core/views.py

@@ -16,6 +16,8 @@
 from backend.utils.tenant_context import get_current_tenant
 
 from backend.core.models.api_tokens import APIToken
+from backend.core.services.api_key_service import generate_api_key, generate_signature
+from django.conf import settings as django_settings
 from django.utils.timezone import now
 from datetime import timedelta
 
@@ -61,7 +63,14 @@ def update_user_token(request, user):
         if existing_token:
             existing_token.delete()
 
-        APIToken.objects.create(user=user, token=new_token, expires_at= now() + timedelta(days=90))
+        api_key = generate_api_key()
+        APIToken.objects.create(
+            user=user,
+            token=api_key,
+            signature=generate_signature(api_key),
+            label="Default",
+            expires_at=now() + timedelta(days=django_settings.API_KEY_EXPIRY_DAYS),
+        )
     else:
         if existing_token:
             existing_token.delete()