Audit trail for more owner actions #1548
@carols10cents This sounds like a fun issue to sink my teeth into.
I don't mind at all, and no, there's no deadline!
1567: Mark API tokens as revoked r=carols10cents a=joshleeb With this PR, when a user deletes an API token, rather than deleting it from the database, it will instead be marked as `revoked`. That means that this PR also adds a migration to add the column `revoked` to the `api_tokens` table. Ref. #1548 (Task 1) Co-authored-by: Josh Leeb-du Toit <[email protected]>
Hold onto authorization header with ApiToken source Modify the `AuthenticationSource::ApiToken` variant to hold onto the authorization header that may be used to fetch the current user. Ref. #1548 (Task 4)
Add migration and model for version_owner_actions table Add a migration to create the `version_owner_actions` table, as well as a `VersionOwnerAction` struct in `models/actions.rs`. Ref. #1548 (Task 2)
Contributes to Issue rust-lang#1548
Including the following audit actions: - Invite User - Remove User Closes rust-lang#1548
…10cents Add Versions Owner Actions to the API Contributes to Issue #1548
There's some discussion that happened in #2025 that's relevant to implementation:
Just had a thought-- because we sometimes use emails sent from the same address as the verified email address in crates.io, it might be useful to know if an account's verified email address has been changed recently. Sometimes we say "hey can you send us an email from the verified address" and for whatever reason the person needs to change the verified address to something else and that's totally legitimate. But if it's been set to [email protected] for years, then it gets set to [email protected] and then we get a request to do something with a crate, that might be a sign that something suspicious is going on. Right now, I think we just overwrite the old verified email address if it's changed; it would be nice to keep those historical records around marked as old/invalid/superseded but viewable in the database and/or admin web UI someday.
Further steps beyond #1478. These changes wouldn't be exposed in the UI but would be in the database for us to use in determining who took what actions when.

- Add a column to the `api_tokens` table named `revoked` that's a `BOOLEAN NOT NULL DEFAULT 'f'`. Then instead of deleting tokens, mark them as revoked.
- Create a migration (using `diesel migration generate`, as explained in this guide) that adds a new table named `version_owner_actions` with the following columns:
- Keep the `headers[0]` authorization header value accessible by holding onto it in the `AuthenticationSource::ApiToken` variant
- Within the crate publish transaction, after the new version record is created, create a new version owner action record with `action = "publish"`, `version_id = version.id`, `owner_id = user.id`, `owner_token = req.authentication_source()` (and then extract the token value)
- Make similar changes to add records to the activity table in yank and unyank
- Add a field to `EncodableVersion` that's a `Vec` of all the actions, owner ids, and times that this version has had an action taken on it so that this info, minus the api token value, is returned in the API response
- Add a table `crate_owners_actions` that records who adds and removes other owners from a crate
- Add tests that this information is being recorded and returned as expected
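The revoke-instead-of-delete rule, the per-action audit rows and the token-free API view described in these tasks, as an added Rust sketch that is not crates.io code. The `Store`, `ApiToken`, `VersionOwnerAction` and `EncodableAction` types, the column names and the sample token are assumptions standing in for the project's Diesel models and Postgres tables.

```rust
// Added illustration of the audit-trail design from this issue, not crates.io code.
// Tokens are revoked rather than deleted, each publish/yank/unyank writes a version
// owner action referencing the token used, and the API view omits the token.
// In-memory storage; struct and column names are assumed, not the project's.
use std::time::{SystemTime, UNIX_EPOCH};
#[derive(Debug, Clone)]
pub struct ApiToken { pub id: i32, pub user_id: i32, pub token: String, pub revoked: bool }
/// One row of the `version_owner_actions` table (columns assumed here).
#[derive(Debug, Clone)]
pub struct VersionOwnerAction { pub version_id: i32, pub owner_id: i32, pub owner_token_id: i32, pub action: String, pub time: u64 }
/// Per-action entry returned by the API: what, who and when, never the token.
#[derive(Debug, Clone, PartialEq)]
pub struct EncodableAction { pub action: String, pub owner_id: i32, pub time: u64 }

#[derive(Default)]
pub struct Store { pub tokens: Vec<ApiToken>, pub actions: Vec<VersionOwnerAction> }

impl Store {
    /// Resolve an Authorization header value to a token row; revoked tokens match nothing.
    pub fn authenticate(&self, header: &str) -> Option<&ApiToken> {
        self.tokens.iter().find(|t| t.token == header && !t.revoked)
    }
    /// Task 1: "deleting" a token keeps the row and sets `revoked`, so audit rows still resolve.
    pub fn revoke(&mut self, token_id: i32) -> bool {
        self.tokens.iter_mut().find(|t| t.id == token_id).map(|t| t.revoked = true).is_some()
    }
    /// Tasks 3/4: record publish, yank or unyank with the token that authorised it.
    pub fn record(&mut self, action: &str, version_id: i32, token: &ApiToken) {
        let time = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);
        let action = action.to_string();
        self.actions.push(VersionOwnerAction { version_id, owner_id: token.user_id, owner_token_id: token.id, action, time });
    }
    /// Task 5: the encodable view drops the token reference, so it never reaches the API response.
    pub fn encodable_actions(&self, version_id: i32) -> Vec<EncodableAction> {
        self.actions.iter().filter(|a| a.version_id == version_id)
            .map(|a| EncodableAction { action: a.action.clone(), owner_id: a.owner_id, time: a.time }).collect()
    }
}

/// Walk through the flow: publish, yank, revoke the token, then see what the API would show.
pub fn demo() -> (Vec<EncodableAction>, bool, usize) {
    let mut s = Store::default();
    s.tokens.push(ApiToken { id: 1, user_id: 42, token: "constructed-token".into(), revoked: false });
    let t = s.authenticate("constructed-token").cloned().expect("token is valid before revocation");
    s.record("publish", 7, &t);
    s.record("yank", 7, &t);
    s.revoke(t.id);
    // (actions visible via the API, whether the token still authenticates, token rows kept)
    (s.encodable_actions(7), s.authenticate("constructed-token").is_some(), s.tokens.len())
}

fn main() { println!("{:?}", demo()); }
```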