implement the API key management views

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

pyproject.toml

@@ -96,7 +96,7 @@ dependencies = [
   "aboutcode.hashid==0.2.0",
   # AboutCode pipeline
   "aboutcode.pipeline==0.2.1",
-  "aboutcode.api-auth==0.1.0",
+  "aboutcode.api-auth==0.2.0",
   # ScoreCode
   "scorecode==0.0.4"
 ]

scancodeio/urls.py

@@ -32,6 +32,8 @@
 from scanpipe.api.views import ProjectViewSet
 from scanpipe.api.views import RunViewSet
 from scanpipe.views import AccountProfileView
+from scanpipe.views import GenerateAPIKeyView
+from scanpipe.views import RevokeAPIKeyView
 
 api_router = DefaultRouter()
 api_router.register(r"projects", ProjectViewSet)
@@ -45,6 +47,16 @@
         name="logout",
     ),
     path("accounts/profile/", AccountProfileView.as_view(), name="account_profile"),
+    path(
+        "accounts/profile/api_key/generate/",
+        GenerateAPIKeyView.as_view(),
+        name="generate_api_key",
+    ),
+    path(
+        "accounts/profile/api_key/revoke/",
+        RevokeAPIKeyView.as_view(),
+        name="revoke_api_key",
+    ),
 ]
 
 

scanpipe/templates/account/profile.html

@@ -14,22 +14,48 @@
       </nav>
     </div>
 
-    <article class="message is-warning">
-      <div class="message-body">
-        <strong>An API key is like a password and should be treated with the same care.</strong>
-      </div>
-    </article>
-
-    <div class="field">
-      <label class="label">API Key</label>
-      <div class="control has-icons-left">
-        <input class="input" type="text" value="{{ request.user.auth_token.key|default:'Not available' }}" readonly>
-        <span class="icon is-small is-left">
-          <i class="fa-solid fa-key"></i>
-        </span>
+    <div class="columns">
+      <div class="column is-7">
+        <div class="content">
+          <p>
+            Your personal API key provides access to the <a href="{% url 'project-list' %}" target="_blank">REST API</a>.<br>
+            <strong>Treat it like a password and keep it secure.</strong>
+          </p>
+          {% if request.user.api_token %}
+            <div class="notification is-info is-light mb-4">
+              Your API key <strong>{{ request.user.api_token.prefix }}...</strong>
+              was generated on {{ request.user.api_token.created }}<br>
+              For security reasons, the full key is only shown once at generation time.<br>
+              If you lose it, you will need to regenerate a new one.
+            </div>
+          {% else %}
+            <div class="notification is-warning is-light mb-4">
+              <strong>No API key created.</strong><br>
+              Generate one using the button below to access the REST API.
+            </div>
+          {% endif %}
+        </div>
+        <div class="buttons">
+          <button type="button" class="button is-link is-outlined modal-button">
+            Generate API key
+          </button>
+          {% if request.user.api_token %}
+            <button type="button" class="button is-danger is-outlined modal-button">
+              Revoke API key
+            </button>
+          {% endif %}
+        </div>
       </div>
     </div>
 
+    <form action="{% url 'generate_api_key' %}" id="generate-api-key-form" method="post">{% csrf_token %}
+      <button type="submit" class="btn btn-success">Generate</button>
+    </form>
+
+    <form action="{% url 'revoke_api_key' %}" id="revoke-api-key-form" method="post">{% csrf_token %}
+      <button type="submit" class="btn btn-danger">Revoke API key</button>
+    </form>
+
   </section>
 </div>
 {% endblock %}

scanpipe/tests/test_auth.py

@@ -22,6 +22,7 @@
 
 import uuid
 
+from django.apps import apps
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import AnonymousUser
@@ -111,10 +112,12 @@ def test_scancodeio_auth_logout_view(self):
 
     def test_scancodeio_account_profile_view(self):
         self.client.login(username=self.basic_user.username, password=TEST_PASSWORD)
+        APIToken = apps.get_model("scanpipe", "APIToken")
+        APIToken.create_token(user=self.basic_user)
         response = self.client.get(profile_url)
         expected = '<label class="label">API Key</label>'
         self.assertContains(response, expected, html=True)
-        self.assertContains(response, self.basic_user.auth_token.key)
+        # self.assertContains(response, self.basic_user.auth.key)
 
     def test_scancodeio_auth_views_are_protected(self):
         a_uuid = uuid.uuid4()

scanpipe/views.py

@@ -60,6 +60,8 @@
 
 import saneyaml
 import xlsxwriter
+from aboutcode.api_auth.views import BaseGenerateAPIKeyView
+from aboutcode.api_auth.views import BaseRevokeAPIKeyView
 from django_filters.views import FilterView
 from django_htmx.http import HttpResponseClientRedirect
 from licensedcode.spans import Span
@@ -2835,3 +2837,18 @@ def get_context_data(self, **kwargs):
             context["parent_path"] = "/".join(parent_segments)
 
         return context
+
+
+class GenerateAPIKeyView(ConditionalLoginRequired, BaseGenerateAPIKeyView):
+    success_url = reverse_lazy("account_profile")
+    success_message = (
+        "<strong>Copy your API key now, it will not be shown again:</strong>"
+        '<pre class="mt-2 p-3">'
+        '<i class="fa fa-key mr-3" aria-hidden="true"></i>{plain_key}'
+        "</pre>"
+    )
+
+
+class RevokeAPIKeyView(ConditionalLoginRequired, BaseRevokeAPIKeyView):
+    success_url = reverse_lazy("account_profile")
+    success_message = "API key revoked."