fix: standardize API token format across all creation paths

backend/backend/core/routers/api_tokens/views.py

@@ -1,3 +1,4 @@
+import hashlib
 import logging
 from datetime import timedelta
 
@@ -161,10 +162,11 @@ def regenerate_api_key(request: Request, key_id: str) -> Response:
     new_sig = generate_signature(new_key)
 
     token.token = new_key
+    token.token_hash = hashlib.sha256(new_key.encode()).hexdigest()
     token.signature = new_sig
     token.is_disabled = False
     token.expires_at = now() + timedelta(days=django_settings.API_KEY_EXPIRY_DAYS)
-    token.save(update_fields=["token", "signature", "is_disabled", "expires_at"])
+    token.save(update_fields=["token", "token_hash", "signature", "is_disabled", "expires_at"])
 
     logger.info(f"API key regenerated: id={token.id}, label={token.label}, user={request.user.email}")
     log_api_key_event(
@@ -182,8 +184,46 @@ def regenerate_api_key(request: Request, key_id: str) -> Response:
 @api_view([HTTPMethods.POST])
 @handle_http_request
 def generate_token(request: Request) -> Response:
-    """Legacy token generation endpoint."""
+    """Legacy token generation endpoint.
+
+    Now creates a proper APIToken record with vtk_ prefix, label, and expiry
+    to maintain consistency with the api-keys/create endpoint.
+    Uses upsert: updates existing auto-generated token or creates a new one.
+    """
     api_key = generate_api_key()
+    sig = generate_signature(api_key)
+    new_expiry = now() + timedelta(days=django_settings.API_KEY_EXPIRY_DAYS)
+
+    # Upsert: update existing auto-generated token if present, else create
+    existing = APIToken.objects.filter(
+        user=request.user, label="Default"
+    ).order_by("-created_at").first()
+
+    if existing:
+        existing.token = api_key
+        existing.token_hash = hashlib.sha256(api_key.encode()).hexdigest()
+        existing.signature = sig
+        existing.is_disabled = False
+        existing.expires_at = new_expiry
+        existing.save(update_fields=["token", "token_hash", "signature", "is_disabled", "expires_at"])
+        token = existing
+        audit_action = "regenerate"
+    else:
+        token = APIToken.objects.create(
+            user=request.user,
+            token=api_key,
+            signature=sig,
+            label="Default",
+            expires_at=new_expiry,
+        )
+        audit_action = "create"
+
+    logger.info(f"Legacy token generated: id={token.id}, user={request.user.email}")
+    log_api_key_event(
+        request, action=audit_action, key_id=token.id,
+        key_label="Default", key_masked=token.masked_token,
+    )
+
     return Response({
         "message": "Token generated successfully.",
         "token": api_key,

backend/backend/core/user.py

@@ -1,15 +1,16 @@
 import logging
-import uuid
 from datetime import timedelta
 from typing import Any, Optional
 
+from django.conf import settings as django_settings
 from django.db import IntegrityError
 from django.db import transaction
 from django.utils.timezone import now
 
 from backend.core.models.api_tokens import APIToken
 from backend.core.models.organization_model import Organization
 from backend.core.models.user_model import User
+from backend.core.services.api_key_service import generate_api_key, generate_signature
 
 Logger = logging.getLogger(__name__)
 
@@ -87,11 +88,14 @@ def get_or_create_valid_token(self, user: User, organization: Organization):
                     token.delete()
                     token = None
                 if token is None:
+                    api_key = generate_api_key()
                     token = APIToken.objects.create(
                         user=user,
                         organization=organization,
-                        token=str(uuid.uuid4().hex),
-                        expires_at=now() + timedelta(days=90),
+                        token=api_key,
+                        signature=generate_signature(api_key),
+                        label="Default",
+                        expires_at=now() + timedelta(days=django_settings.API_KEY_EXPIRY_DAYS),
                     )
                     logging.info(f"A new api token for user: {user} and tenant: {organization} is created")
             except Exception as e:

backend/backend/core/views.py

@@ -16,6 +16,9 @@
 from backend.utils.tenant_context import get_current_tenant
 
 from backend.core.models.api_tokens import APIToken
+from backend.core.services.api_key_audit import log_api_key_event
+from backend.core.services.api_key_service import generate_api_key, generate_signature
+from django.conf import settings as django_settings
 from django.utils.timezone import now
 from datetime import timedelta
 
@@ -52,16 +55,29 @@ def update_user_profile(request: Request) -> Response:
 
 
 def update_user_token(request, user):
-    new_token = request.data.get("token")
-    existing_token: APIToken = APIToken.objects.filter(user=user).first()
+    # token_value is sent back by the frontend — used only to detect "unchanged"
+    token_value = request.data.get("token")
+    existing_token: APIToken = APIToken.objects.filter(user=user, label="Default").first()
 
-    if new_token:
-        if existing_token and existing_token.token == new_token:
+    if token_value:
+        # Skip regeneration if the token hasn't changed
+        if existing_token and existing_token.token == token_value:
             return
         if existing_token:
             existing_token.delete()
 
-        APIToken.objects.create(user=user, token=new_token, expires_at= now() + timedelta(days=90))
+        api_key = generate_api_key()
+        token = APIToken.objects.create(
+            user=user,
+            token=api_key,
+            signature=generate_signature(api_key),
+            label="Default",
+            expires_at=now() + timedelta(days=django_settings.API_KEY_EXPIRY_DAYS),
+        )
+        log_api_key_event(
+            request, action="create", key_id=token.id,
+            key_label="Default", key_masked=token.masked_token,
+        )
     else:
         if existing_token:
             existing_token.delete()