hypothesis / h

70%

master: 97%

LAST BUILD ON BRANCH BPA1eZ9O-add-developer-api-tokens

branch: BPA1eZ9O-add-developer-api-tokens

CHANGE BRANCH

x

Reset

• BPA1eZ9O-add-developer-api-tokens
• 1142-no-client-side-error-message-when-saving-annotation-fails
• 1334-latest-pdfjs
• 1542-source-url-not-visible-on-older-annotations
• 1612-hide-orphans
• 1615-update-timestamps
• 174-let-me-change-my-email
• 1755-handle-internal-server-error-in-registration-form
• 1759-fix-reply-permissions
• 1776-bring-padded-scrolling-back
• 179-focus-in-username-field-when-sign-in-is-clicked
• 1815-streamer-doc-not
• 1916-message-not-available-in-stream
• 1916-message-not-available-in-stream-2
• 1916-rework-stream
• 1916-stream-cards
• 1916-stream-message-not-available
• 1916-stream-message-not-available-2
• 1979-clear-selected-annotations
• 1979-fix-annotation-creation
• 1992-fix
• 2013-fix-fuzzy
• 2026-module-isolate-env
• 2033-fix-focusing
• 2041-fix-show-diff
• 2052-scroll-to-sign-in-form-on-clicking-sign-in-link
• 2053-scroll-sidebar-to-new-annotations
• 2053-scroll-sidebar-to-new-annotations-2
• 2263-tooltip-for-note-button
• 2273-gunicorn-ssl-crash
• 2326-fix-search-with-no-document
• 2440-replies-dont-match-search-normalized-url-queries
• 2440-replies-dont-match-search-normalized-url-queries-2
• 2441-fix-change-email-form
• 2484-fix-page-notes
• 2515-fix-uri-normalization-crash-when-no-hostname
• 2519-crash-when-annotation-document-link-is-None
• 2521-hide-unanchored-warnings-when-not-on-sidebar
• 2525-new-annotations-disappearing
• 2555-fix-email-notifications
• 2589-fix-bug-incorrect-search-results
• 2598-enable-literal-mid-word-underscores
• 2701-delete-unsaved-drafts-on-sign-out
• 2702-fix-diplay-of-num-replies-on-collapsed-replies
• 2713-change-permissions-when-moving-annotations-btwn-groups
• 2716-save-permissions-to-drafts
• 2728-misc-AnnotationController-refactors-part-2
• 2728-refactor-annotation-controller
• 2728-refactor-annotation-controller-tests
• 2728-refactor-highlight-saving
• 2728-remove-USER_CHANGED-event-from-AnnotationController
• 2728-translate-annotation-controller-to-js
• 2771-fix-notifications-crash-on-parent-with-no-text
• 2799-dont-update-wrong-annotations
• 2810-no-error-on-sign-in-to-unactivated-account
• 2823-fix-annotation-thread-collapsing
• 2838-fix-wrong-group-shown-on-stream
• 2845-unsafe-eval-on-github
• 2848-TypeError-Cannot-read-property-show_sidebar_tutorial-of-undefined
• 2852-fill-hole-in-groups-dropdown-button
• 2928-restore-counting-of-private-and-group-annotations-in-badge
• 2NiiPelT-limit-group-names-to-25-characters
• 3001-fix-hypothesis-admin-command
• 3007-fix-tags-autocomplete-dropdown-css
• 391-add-atom-feeds
• 391-add-atom-feeds-2
• 404-should-be-a-404
• 404-style-fix
• 6vnMlymZ-alias-tag-to-tags-in-search-api
• 800-fancy-selected-annotations
• 930-loading-icon
• 9sqXWtNi-fix-title-for-local-file-pdf-annotations
• AnnotationController-domain-model-view-model-refactor
• EqRZwdZC-clear-selection-before-creating-new-annotation
• Kj8vWkme-show-filenames-of-local-files
• NUoaiUO4-add-create-account-banner
• PfK5vbcM-add-tutorial-to-sidebar
• TPUsXCk4-add-media-embeds-feature
• User.get_by_id-refactor
• User.get_by_id-refactor-2
• accounts-views
• add-admin-users
• add-anno-count-to-admin
• add-api-cors-support
• add-authors-to-rss
• add-caching-to-Chrome-badge-api
• add-clickToClose-option
• add-debug-arg-to-buildext
• add-docs-for-how-authenticate-to-the-api
• add-guidelines-for-model-code
• add-help-text-to-nipsa
• add-hpt.is-support-to-chrome-extension
• add-ie-autodetect
• add-jscs-to-hound-config
• add-pyramid-redis-sessions-dependency
• add-pyroma-dependency
• add-robots-txt
• add-rss
• add-sphinx-httpdomain-dependency
• add-staff-users
• add-unit-test-factories
• add-userid-domain-setting
• admin-account-deletion
• admin-views-cleanup
• alembic-logging
• allow-disabling-websocket-uri-equiv
• allow-missing-parents
• allow-missing-permissions
• anchoring-rewrite
• angular-1.4
• angular-csp
• annotation-element-directive
• annotation-html-presenter
• annotation-test-cleanup
• annotation-test-refactor
• annotator-css-separation
• api-blueprint
• api-exception-handling
• api-view-tests-refactor
• api-view-tests-refactor-event
• app-to-extension-comms
• atom-feed-link-tweaks
• autoprefix_css
• aw/csp
• aw/features_pending_removal
• aw/sentry-logging
• b13OFeU2-allow-skinnier-sidebar
• b9PFMDM7-add-activate-button-to-admin-users-page
• better-custom-pdf-viewer-handling
• better-dockerfile-caching
• better-handling-of-missing-blacklist
• better-login-form
• blank-og-description
• build-artifacts
• building-chrome-extension-docs
• buildkite-pipeline
• bump-initial-load-count
• canceling-edits-loses-changes
• capture-request-context-for-sentry
• centralise-api-storage-calls
• centralise-models
• check-manifest
• chrome-error-handling
• chrome-inject-error-capture
• claim-account
• claim-invite
• clarify-effective-principals
• clean-up-debug-helpers
• clean-up-thread-show-logic
• cleaner-direct-es-access
• cleanup-pdf-anchoring
• cleanup-socket-threading-mapper-routes
• cleanup-transactions
• client-auth-refactor
• code-style-conformance
• conditional-http
• consolidate-gitignore
• consolidate-templates
• consolidate-validation
• constraint-naming-convention
• convert-filters-to-functions
• convert-views-module-to-package
• correct-x-annotator-auth-token-to-authorization
• coverage
• coverage-does-not-include-tests
• create_group_ux_tweaks
• csp-friendly-settings
• csrf-tween
• csv-unicode-fix
• debug-logging-database
• decaf
• decouple-tm-from-session
• decouple_app_template_from_pyramid
• decouple_ext_build_from_pyramid
• deduplicate-profile-pages
• deduplicate-script
• defensive-feed-construction
• deform-form-rendering
• dehorusify-authcontroller
• dehorusify-forgotpasswordcontroller
• dehorusify-profilecontroller
• dehorusify-registercontroller
• describe-virtualenvs-in-install-docs
• develop
• disentangle-form-helpers
• dismiss_app_route
• do-not-update-annotation-times-too-often
• do-not-via-via
• docker-deployment-docs
• docker-entrypoint
• docker-prod
• docs-tweaks
• document-id-param-of-search-api
• document-model-tweaks
• document_link_cleanups
• document_link_refactor
• dont-autofocus-group-share-link
• dont-expand-canonical-uris
• dont-explode-on-invalid-json
• dont-open-welcome-page-when-admin-install
• dont-save-null-data-to-draft-store
• dont-sentry-404s
• drop-cc0-license-from-only-me-annotations
• dumb-makefile
• editor-js-conversion-and-tests
• editor-markdown-commands-refactor
• editorconfig
• embed-instruction-hostname
• enriched-stream
• excerpt-hysteresis
• explicit-settings-for-websocket
• explicitly-state-visibility-level
• exponential-backoff-features
• export-showframe
• extend-search-api-docs
• extension-analytics
• faster-api
• faster-database-tests
• faster-docker
• faster-travis
• feature-flags-admin
• features-pending-removal
• finish-indirection-through-storage
• firefox-addon-fixes
• firefox-webextensions-build
• fix-2429
• fix-2452
• fix-a-comment
• fix-a-pep257-warning
• fix-admin-annotations-query
• fix-angular-is-not-defined
• fix-bouncer-url
• fix-broken-document-equivalence-lookups
• fix-broken-promises-ie
• fix-broken-uri-query
• fix-changing-size-socketlist
• fix-crash-on-login-with-non-json-body
• fix-digest-problem
• fix-docker-build
• fix-docs-help
• fix-failing-tests
• fix-form-button-gradients
• fix-group-annot-edit-from-stream
• fix-group-page-js
• fix-groups-principals
• fix-groups-race
• fix-groups-views
• fix-guest-embedding
• fix-http-syntax-highlighting-in-api-docs
• fix-hypothesis-admin-command
• fix-invalid-manifest-error-when-building-stage-and-prod-chrome-extensions
• fix-links-in-readme
• fix-logout
• fix-nipsa-migration
• fix-password-reset
• fix-passwordresetevent
• fix-pdf-uris
• fix-realtime
• fix-realtime-for-replies-standalone
• fix-registration-process
• fix-replies-hover-highlight
• fix-reply-notification-worker
• fix-signed-out-top-bar
• fix-split-user
• fix-standalone-reply-pages
• fix-stream-banner-flash
• fix-streamer-for-namespaced-nsq
• fix-subscription-event
• fix-tag-links
• fix-token-command-for-non-default-ports
• fix-tooltip-on-share-icon
• fix-unsubscribe-auth
• fix-video-embeds-in-firefox-less-than-45
• fix-websocket-auth-policies
• focus-on-a-group
• four-space-js
• frame-rpc
• front-page-font-size-quick-fix
• frontend-cleanups
• frontend-fixes
• fullscreen-video-embeds
• generate-token
• gevent-bump
• gh1900-chrome_pdf_viewer_detection
• gh2590-app_init_race
• gh2671-group_notification_consistency
• gh2675-wait_for_features
• gh2819-new-annot-timestamp
• gh2820-date-formatting-perf
• gh2830-chrome_ext_inline_install
• github-2686-fix-invalid-permissions-when-creating-annotations-when-signed-out
• group-page-update
• group-share-page-design-tweaks
• guest-embedding
• gulp-frontend-build
• gulp-frontend-build-admin
• hSxsjvim-add-WebTrends-to-blacklisted-URL-params
• handle-missing-permissions-fields
• handle-null-targets
• hide-old-sort-control-in-sidebar
• homepage-aak-banner
• host-sidebar-split
• hound-python
• ie-cache-fixes
• increase-max-annot-body-size
• isolate-config-env
• jpm
• jscs-require-spaces-after-function
• jscsrc
• jshint-tweaks
• jsonld-renderer
• jsonschema-annotation-validation
• jwt-bearer
• kill-comment-icon-on-card
• kill-sqlite
• lenazun-fixed-link
• lenient-search
• limit-what-admins-can-do
• lint-tweaks
• lookahead-tags-3
• make-activation-fields-nullable
• make-bridge-a-factory
• manage-own-search-client
• master
• match-tags-according-to-mapping-analyzer
• move-auth-to-api
• move-es-config-into-search
• move-i18n-helper
• move-login-form-to-directive
• move-models-to-api
• move-nipsa-to-app
• move-nipsa-to-prepare
• move-token-to-app
• multitarget
• namespaced-nsqd
• new-group
• ng-annotate
• ng-csp-everywhere
• ng15-upgrade
• nipsa
• no-explicit-typechecks
• nodtm
• oWe60V8v-signal-when-there-are-public-annotations-on-a-page
• observer-3
• one-time-bindings
• open-sidebar-when-annot-fragment-present
• optimistic-save
• optional-websocket
• p-decouple_app_template_from_pyramid
• packaging-cleanups
• paginate-groups-admin
• paste-api-entrypoint
• percolator
• percolator-sse
• pin-webassets
• postgres
• postgres-annotations
• postgres-documents
• postgres-read-write
• presalt-hashids
• prevent-annotation-attempt-when-not-signed-in
• proper-feature-flags
• prospector-allow-id-as-valid-name
• publish-to-a-group
• publish-to-a-group-permissions
• publish-to-a-group-squashed
• publisher-cli-commands
• purge-fontawesome
• purge-yaml
• py3-compat
• quote-hysteresis
• r-squash_test_error_logging
• randomize-websocket-reconnects
• realtime-update-v1-1
• realtime-update-v1-h-only-1
• redirect-after-login
• redirect-after-login-groups-join
• redirect-to-welcome-after-claim
• refactor-accounts-view-config
• refactor-auth-controller-test
• refactor-blocklist
• refactor-chrome-badge-client
• refactor-chrome-tab-error-handling
• refactor-search
• refactor-ux
• refactor_search
• releaser
• reload-annotations-auth-change
• remove-256-character-limit-from-uri-column
• remove-angular-animate
• remove-blocklist
• remove-broken-cla-links
• remove-claim-feature-flag
• remove-claim-invite-module
• remove-dead-code
• remove-dependencies-on-threading
• remove-diff-remnants
• remove-es-test
• remove-get-by-userid
• remove-groups-feature-flag
• remove-hiring-banner
• remove-horus-from-subscriptions
• remove-legacy-firefox-extension
• remove-model-dependence-from-search
• remove-momentjs
• remove-notification-flag
• remove-old-capability-url-serializer
• remove-old-feature-flag-data
• remove-old-internals-docs
• remove-pulse-remnants
• remove-queue-flag
• remove-search-normalized-flag
• remove-show-unanchored-feature
• remove-streamer-flag
• remove-unanchored-annotations-flag
• remove-unnecessary-flashes
• remove-unnecessary-group-filter
• remove-unused-annotation-deleted-property
• remove-unused-streamer-code
• remove_assets_ext_build_arg
• replace-%20-with-space-when-displaying-URIs
• replace-accounts-forms
• replace-hashids-with-pubids
• replace-profile-form
• report-form-level-errors
• resource-refactoring
• script-subscribers
• search-endpoint-default-and
• search-for-one-uri
• search-module-to-package
• send-activation-emails-from-worker
• sentry-stream-errors
• separate-controllers
• separate-service-uri-from-base-uri
• separete-host-service
• session-load-retry
• set-min-chrome-version
• share-a-group
• sharing-via-link-from-extension
• sheetaluk/298-add-product-version-and-environment-info-to-the-tool
• show-orphans
• show-traceback-on-exception-in-dev
• sidebaropenclose-callback
• signin-directive
• silence-horus-sqlalchemy-warnings
• simpler-layouts
• simpler-version-management
• simplify-admin-permission-handling
• simplify-code
• simplify-db-session-handling
• simplify-routing
• simplify-server-side-auth-code
• simplify-streamer
• small-UX-improvements
• some-dev-install-docs-fixes
• speedup-npm-deps-checking
• stable
• standalone-websocket-server
• straightforward-api-inclusion
• stream-group-hashid-query
• streamer-workqueue
• style
• support-epub-integrations
• swagger-docs
• syncbridge
• t105-group_push_notifications
• t120-client_sentry
• t158-truncated_annot_design
• t187-nav_blog_tweaks
• t187-new_homepage_design
• t87-group_scope_dropdown_ui
• t89-combined_scope_save_btn
• t91-sort_dropdown_move_to_top_bar
• test-fix-tests
• test-mock-version-on-travis
• thread-collapsing
• thread-collapsing-redux
• toastr
• toggle-resize-tooltip
• toggle-sidebar-tooltip
• tooltips-on-adder
• topbar-toolbar-harmony
• touch
• translate-annotation-mapper
• travis-node-upgrade
• travis-node-upgrade-test
• trello-135-while-drafting-an-annotation-the-group-name-or-lack-thereof-should-reflect-its-current-visibility
• trello-143-make-replies-default-to-group-and-visibility-of-parent
• trello-144-add-a-list-of-most-recently-annotated-by-the-group-urls-to-the-group-page
• trello-155-simplify-group-share-link
• trello-176-enable-staff-to-look-up-user-email-addresses
• trello-177-change-the-default-behavior-of-the-embed-to-highlights-on-by-default
• trello-178-new-homepage
• unified_session_and_features
• update-docs
• update-package-data
• upgrade-annotator-store
• uri-module
• uri-normalisation
• urlencode-badge-uri
• use-python-time-where-possible
• userid-symbol-consistency
• username-or-email-address
• users-admin-always-query-by-userid
• users-dashboard
• v0.4.2
• v0.5.0
• v0.5.1
• v0.6.0
• v0.7.0
• v0.7.1
• v0.7.10
• v0.7.11
• v0.7.12
• v0.7.13
• v0.7.2
• v0.7.3
• v0.7.4
• v0.7.5
• v0.7.6
• v0.7.8
• v0.7.9
• v0.8.0
• v0.8.1
• v0.8.10
• v0.8.11
• v0.8.12
• v0.8.13
• v0.8.14
• v0.8.15
• v0.8.2
• v0.8.3
• v0.8.4
• v0.8.5
• v0.8.6
• v0.8.7
• v0.8.8
• v0.8.9
• v0.9.0
• v0.9.1
• v0.9.2
• v0.9.3
• validate-permissions-field
• vendor-assets-from-npm
• via
• via-plain-html-form
• viewable-visible
• viewable-vs-visible
• visible-vs-viewable
• visual-truncation
• w/community-guidelines-signup
• w/csv-groups-report
• w/groups-report-in-admin-dashboard
• w/pwd-reset
• w/remove-2char-pw-copy
• warn-for-relative-import
• wdtO5Zzk-dont-404-when-opening-an-old-activation-link
• welcome-page-tweaks
• ws_exception_handling
• xgknj2RP-disable-Chrome-badge-on-certain-pages
• xwyKzlwp-strip-via-prefixes-in-normalization
• yapf-config

Build # 10259

Build Type

push

travis-ci

Committed by seanh

Commit Message

Add simple, long-lived API tokens

Add a /profile/developer/ page where users can generate and re-generate
their API token. This token can be used as a Bearer token in the
Authorization header in API requests instead of using one of the more
complex and short-lived JWT tokens that the client uses to authenticate
API requests.

The tokens are just randomly generated opaque strings, each one
associated with one user account. There's 0 or 1 token per user, and the
user can regenerate their token at any time. The tokens are stored in a
`token` table in the db that just maps token values to userids.

Notes:

- Our authentication policy now calls the new API token validator first
  for API requests. If this validator does not accept the token, then it
  passes it to the legacy JWT validator (which is still used by our
  client).

  The idea is that if we add more types of API token in the future, the
  authentication policy will have a list of different validator
  functions for different token types, and will try each validator in
  turn until either one of them accepts the token or it runs out of
  validators.

  The use of a type prefix string at the beginning of tokens means that
  validators can usually reject tokens without a db lookup, so we won't
  end up with one db lookup per validator.

- The new tokens always start with u"6879-". If a token sent by a user
  doesn't start with this prefix then the token validator can reject it
  out of hand, without doing a database lookup.

  An opaque number is used for this prefix because we want users to
  treat API tokens as opaque, rather than using a human-readable prefix
  that makes it obvious what type of token you're looking at. (But the type
  of the token is not "secret" in any real sense.)

  In the future it's intended that we'll have different types of tokens
  identified by different prefixes, and different types of token might
  (for example) give access to different capabilities.

- The legacy ... (continued)

Run Details

2740 of 3896 relevant lines covered (70.33%)

0.7 hits per line