Prevent mixing up session and service tokens, fix admin login, remove authenticate via API key #164
Blocked on application-research/estuary#861
Along with application-research/estuary#861, fixes #99 and application-research/estuary#815
Warning: if any estuary node operators have an admin user with a password that doesn't meet the bcrypt requirement of 8 alphanumeric characters, they will end up getting locked out of that user when that token expires. They can create a new estuary admin by re-running setup, but there may still be files tied to the original admin user. Alternatively, they can hit the change-password endpoint while they still have a valid token for that user and change it to a valid password.
New login screen (checkbox is unchecked by default):
Note: I'm also open to not having a checkbox and just attempting the admin login on any auth failure.
No keys will be rendered if users haven't made any service tokens explicitly:
Expected user pattern is to label your service tokens clearly here and they will be the only tokens present:
I can no longer authenticate into estuary-www with that service token, so there's no risk of mixing up that token with my session. This removes the risk of signing out with a service token in your cookie and accidentally revoking it, which would break your service's integration with estuary.
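The separation the PR description relies on, as an added example that is not Estuary's code and not part of this pull request: tokens carry a kind (session vs. service), the web-session path rejects a valid service token outright, and logout refuses to revoke anything but a session token, so a service token that ends up in a cookie can no longer be deleted by signing out. `TokenStore`, `AuthToken`, `KindSession`, `KindService` and the `Authenticate*`/`Logout` methods are hypothetical names for this illustration; the real token table and handlers in Estuary are not shown here.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TokenKind records why a token exists: a browser session created by /login,
// or a service token the user created explicitly for an integration.
// Hypothetical model for this example, not Estuary's own schema.
type TokenKind int

const (
	KindSession TokenKind = iota
	KindService
)

// AuthToken is the stored record for one token.
type AuthToken struct {
	Token  string
	Kind   TokenKind
	Label  string // only meaningful for service tokens
	Expiry time.Time
}

var (
	ErrUnknownToken  = errors.New("unknown or revoked token")
	ErrExpiredToken  = errors.New("token expired")
	ErrNotSession    = errors.New("service tokens cannot be used as a web session")
	ErrServiceRevoke = errors.New("refusing to revoke a service token on logout")
)

// TokenStore is an in-memory stand-in for the token table.
type TokenStore struct {
	tokens map[string]AuthToken
}

func NewTokenStore() *TokenStore {
	return &TokenStore{tokens: map[string]AuthToken{}}
}

// Issue stores a new token of the given kind.
func (s *TokenStore) Issue(tok string, kind TokenKind, label string, expiry time.Time) AuthToken {
	t := AuthToken{Token: tok, Kind: kind, Label: label, Expiry: expiry}
	s.tokens[tok] = t
	return t
}

func (s *TokenStore) lookup(tok string, now time.Time) (AuthToken, error) {
	t, ok := s.tokens[tok]
	if !ok {
		return AuthToken{}, ErrUnknownToken
	}
	if now.After(t.Expiry) {
		return AuthToken{}, ErrExpiredToken
	}
	return t, nil
}

// AuthenticateAPI is what a service integration hits: any live token works.
func (s *TokenStore) AuthenticateAPI(tok string, now time.Time) (AuthToken, error) {
	return s.lookup(tok, now)
}

// AuthenticateWeb is what the browser cookie path hits. A service token is
// rejected here even though it is valid, so it can never become a session.
func (s *TokenStore) AuthenticateWeb(tok string, now time.Time) (AuthToken, error) {
	t, err := s.lookup(tok, now)
	if err != nil {
		return AuthToken{}, err
	}
	if t.Kind != KindSession {
		return AuthToken{}, ErrNotSession
	}
	return t, nil
}

// Logout revokes the token in the cookie, but only if it is a session token,
// so a service token that somehow landed in a cookie is never deleted.
func (s *TokenStore) Logout(tok string) error {
	t, ok := s.tokens[tok]
	if !ok {
		return ErrUnknownToken
	}
	if t.Kind != KindSession {
		return ErrServiceRevoke
	}
	delete(s.tokens, tok)
	return nil
}

// ListServiceTokens returns only tokens the user created explicitly, so the
// key-management page is empty until a service token exists.
func (s *TokenStore) ListServiceTokens() []AuthToken {
	var out []AuthToken
	for _, t := range s.tokens {
		if t.Kind == KindService {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	now := time.Now()
	store := NewTokenStore()
	store.Issue("sess-abc", KindSession, "", now.Add(24*time.Hour))
	store.Issue("svc-xyz", KindService, "backup-cron", now.Add(365*24*time.Hour))

	_, err := store.AuthenticateWeb("svc-xyz", now)
	fmt.Println("web login with service token:", err)
	fmt.Println("logout with service token:", store.Logout("svc-xyz"))
	fmt.Println("logout with session token:", store.Logout("sess-abc"))
	fmt.Println("service tokens still present:", len(store.ListServiceTokens()))
}
```

The point of keeping the kind on the stored record rather than inferring it from the request is that the check holds on every path: the API path stays open to both kinds, while the web-session path and logout only ever see session tokens.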