Merge pull request #2436 from automatisch/redact-api-token

feat: Separate api token serializers and do not show token except creation

packages/backend/src/controllers/api/v1/admin/api-tokens/create-api-token.ee.js

@@ -5,7 +5,7 @@ export default async (request, response) => {
   const apiToken = await ApiToken.query().insertAndFetch({});
 
   renderObject(response, apiToken, {
-    serializer: 'AdminApiToken',
+    serializer: 'AdminApiTokenFull',
     status: 201,
   });
 };

packages/backend/src/serializers/admin/api-token-full.ee.js

@@ -0,0 +1,10 @@
+const adminApiTokenFullSerializer = (apiToken) => {
+  return {
+    id: apiToken.id,
+    token: apiToken.token,
+    createdAt: apiToken.createdAt.getTime(),
+    updatedAt: apiToken.updatedAt.getTime(),
+  };
+};
+
+export default adminApiTokenFullSerializer;

packages/backend/src/serializers/admin/api-token-full.ee.test.js

@@ -0,0 +1,24 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import adminApiTokenFullSerializer from './api-token-full.ee.js';
+import { createApiToken } from '../../../test/factories/api-token.js';
+
+describe('adminApiTokenFullSerializer', () => {
+  let apiToken;
+
+  beforeEach(async () => {
+    apiToken = await createApiToken();
+  });
+
+  it('should return api token data', async () => {
+    const expectedPayload = {
+      id: apiToken.id,
+      token: apiToken.token,
+      createdAt: apiToken.createdAt.getTime(),
+      updatedAt: apiToken.updatedAt.getTime(),
+    };
+
+    expect(adminApiTokenFullSerializer(apiToken)).toStrictEqual(
+      expectedPayload
+    );
+  });
+});

packages/backend/src/serializers/admin/api-token.ee.js

@@ -1,7 +1,10 @@
 const adminApiTokenSerializer = (apiToken) => {
   return {
     id: apiToken.id,
-    token: apiToken.token,
+    token:
+      apiToken.token.substring(0, 4) +
+      '...' +
+      apiToken.token.substring(apiToken.token.length - 4),
     createdAt: apiToken.createdAt.getTime(),
     updatedAt: apiToken.updatedAt.getTime(),
   };

packages/backend/src/serializers/admin/api-token.ee.test.js

@@ -12,7 +12,10 @@ describe('adminApiTokenSerializer', () => {
   it('should return api token data', async () => {
     const expectedPayload = {
       id: apiToken.id,
-      token: apiToken.token,
+      token:
+        apiToken.token.substring(0, 4) +
+        '...' +
+        apiToken.token.substring(apiToken.token.length - 4),
       createdAt: apiToken.createdAt.getTime(),
       updatedAt: apiToken.updatedAt.getTime(),
     };

packages/backend/src/serializers/index.js

@@ -4,6 +4,7 @@ import permissionSerializer from './permission.js';
 import adminSamlAuthProviderSerializer from './admin-saml-auth-provider.ee.js';
 import adminTemplateSerializer from './admin/template.ee.js';
 import adminApiTokenSerializer from './admin/api-token.ee.js';
+import adminApiTokenFullSerializer from './admin/api-token-full.ee.js';
 import templateSerializer from './template.ee.js';
 import samlAuthProviderSerializer from './saml-auth-provider.ee.js';
 import samlAuthProviderRoleMappingSerializer from './role-mapping.ee.js';
@@ -32,6 +33,7 @@ const serializers = {
   AdminSamlAuthProvider: adminSamlAuthProviderSerializer,
   AdminTemplate: adminTemplateSerializer,
   AdminApiToken: adminApiTokenSerializer,
+  AdminApiTokenFull: adminApiTokenFullSerializer,
   Template: templateSerializer,
   SamlAuthProvider: samlAuthProviderSerializer,
   RoleMapping: samlAuthProviderRoleMappingSerializer,

packages/backend/test/mocks/rest/api/v1/admin/api-tokens/get-api-tokens.js

@@ -2,7 +2,10 @@ const getApiTokensMock = async (apiTokens) => {
   const data = apiTokens.map((apiToken) => {
     return {
       id: apiToken.id,
-      token: apiToken.token,
+      token:
+        apiToken.token.substring(0, 4) +
+        '...' +
+        apiToken.token.substring(apiToken.token.length - 4),
       createdAt: apiToken.createdAt.getTime(),
       updatedAt: apiToken.updatedAt.getTime(),
     };