[pull] master from kevoreilly:master #487
Merged
More Environments
custom/conf/cape-processor.env
Add support for .env configuration for the CAPE processor and wire those variables into the service and runtime. Changes include: copying conf/default/*.env in installer and copy script; adding a default conf/default/cape-processor.env; updating systemd service to load environment variables and files, set sensible defaults and use utils/process.py as ExecStart; and updating utils/process.py to read configuration from environment variables (with a str_to_bool helper) for ID, parallelism, timeouts, memory flags, and other options. Also adjusted service RestartSec. This enables easier configuration via environment files or systemd Environment settings.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Add an `apikey` Django app providing per-user, individually-revocable API keys for the REST API, decoupled from DRF's one-token-per-user `authtoken` so each operator / script / CI bot can hold its own labeled credential and revoke any of them independently.

- ApiKeyAuthentication accepts the same `Authorization: Token <key>` header and checks the new model first, falling back to the legacy DRF TokenAuthentication so tokens previously issued via /apiv2/api-token-auth/ keep working without migration.
- Disabling a user (is_active -> False) cascade-revokes all their keys via a post_save signal; a runtime is_active check in the auth class is the second, authoritative barrier. Re-enabling a user does not restore old keys.
- Management UI at /accounts/api-keys/ (list / create / revoke). The raw key is shown exactly once on creation. Local users may always manage their own keys; SSO-provisioned (SocialAccount-linked) users must be staff.

This also wires up the "API Keys" nav link added in d9542f3 to a real backend (previously a dangling reference, kept hidden by the undefined `may_manage_apikeys` flag).

Per review feedback on #3053: persist only the SHA-256 hash of each API key, never the raw value. The raw key is shown to the operator exactly once on creation and can no longer be recovered from the database, so a DB leak no longer exposes usable credentials. Keys are 256-bit random tokens, so an unsalted digest is sufficient (nothing to brute-force).

- ApiKey.issue() now returns (obj, raw_key); ApiKeyAuthentication hashes the presented token before lookup. The Authorization: Token <key> wire format is unchanged, so existing clients keep working.
- 0002 data migration hashes any existing keys in place — already-issued keys keep authenticating because the client still presents the same raw value, which now hashes to the stored digest. Idempotent.
- admin save_model mints + hashes a key on creation; the readonly `key` field would otherwise raise an IntegrityError through the add form.

From the automated review on #3053:

- ApiKeyAuthentication throttles last_used_at writes to at most once per minute (per-request writes are costly on SQLite, CAPE's web-auth DB).
- _user_may_manage_keys caches its SocialAccount lookup on the request user object — the apikey_access context processor calls it on every page.
- the pre_save is_active capture skips its SELECT when update_fields is given and excludes is_active (fires on every login via the last_login save).
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
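The hash-only storage, cascade revocation and `last_used_at` throttling described in the commit messages above, as an added example that is not code from this pull request. `KeyStore`, `KeyRow`, `digest` and the in-memory dicts are hypothetical stand-ins for the Django model and the web-auth database.

```python
import hashlib
import secrets
from dataclasses import dataclass

TOUCH_INTERVAL = 60  # seconds: last_used_at is written at most once per minute


def digest(raw_key: str) -> str:
    # Unsalted SHA-256 is adequate only because the key is 256 bits of CSPRNG output.
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class KeyRow:  # hypothetical stand-in for one stored API key row
    user: str
    label: str
    revoked: bool = False
    last_used_at: float = 0.0


class KeyStore:  # hypothetical in-memory stand-in for the database
    def __init__(self):
        self.rows = {}    # stored digest -> KeyRow; the raw key is never kept
        self.active = {}  # user -> is_active
        self.writes = 0   # number of last_used_at updates performed

    def issue(self, user, label):
        raw = secrets.token_hex(32)  # 256-bit random token, returned exactly once
        row = self.rows[digest(raw)] = KeyRow(user, label)
        self.active.setdefault(user, True)
        return row, raw

    def set_active(self, user, is_active):
        self.active[user] = is_active
        if not is_active:  # cascade-revoke; re-enabling does not undo this
            for row in self.rows.values():
                if row.user == user:
                    row.revoked = True

    def authenticate(self, presented, now):
        row = self.rows.get(digest(presented))  # hash first, then look up
        # The runtime is_active check is the second barrier behind the cascade.
        if row is None or row.revoked or not self.active.get(row.user, False):
            return None
        if now - row.last_used_at >= TOUCH_INTERVAL:  # throttle the write
            row.last_used_at = now
            self.writes += 1
        return row.user
```
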
Guac fix 01
feat(web): per-user revocable API keys (apikey app)
cape-processor config
hotkeys navigation for power users
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)