Revise the current way of creating API Keys in order to increase our security processes.
Here are some things to improve upon:
Stop the API key email that gets sent. The key should never be sent via email. We send it via email because we create a key for them upon account creation.
Show a warning banner that they must create an API key if they log in and they don’t have any keys registered
The user must have a section where they can create multiple keys, not only one key
Have the ability for a key to have a permission scope: read only, read-write
When a key is created, show it to the user, but NEVER show it again, and make sure the user knows this.
The key’s prefix and suffix should be visible for identification of the right key only
Store the keys in encrypted format or bcrypted format (??)
Would be great if they log in via CommandBox and they don’t have an API key, to actually create it from there
Separate the current field in the user object to a separate table to store user keys
I would add that we don’t need to show the prefix or suffix. Rather let the user give the key a label, like GitHub personal access tokens.
One-way hashing for the API keys.
I don’t think we need to force the user to create a token. Just a section on the site to create one or more. CommandBox can also automate this.
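An added example (not ForgeBox or CommandBox code) sketching the design the two posts above describe: a key generated with a short lookup prefix, only a one-way hash stored in a separate key table, the plaintext returned exactly once, and a read / read-write scope checked on use. The `fb_` key format, the in-memory store and the record fields are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApiKeyRecord:
    """One row of the separate API-key table (constructed stand-in)."""
    prefix: str     # short public identifier shown in the UI; not a secret
    key_hash: str   # SHA-256 of the full key; the plaintext is never stored
    label: str      # user-chosen name, like a GitHub PAT note
    scope: str      # "read" or "read-write"


# In-memory stand-in for the per-user key table, keyed by prefix.
KEY_STORE: dict = {}


def create_api_key(label: str, scope: str = "read") -> str:
    """Generate a key, persist only its hash, and return the plaintext once."""
    if scope not in ("read", "read-write"):
        raise ValueError("scope must be 'read' or 'read-write'")
    prefix = secrets.token_hex(4)        # 8 hex chars, used only to find the row
    secret = secrets.token_urlsafe(32)   # 256 bits of entropy
    plaintext = f"fb_{prefix}_{secret}"  # 'fb_' is an assumed format, not ForgeBox's
    # The secret is random and high-entropy, so an unsalted fast hash is fine;
    # bcrypt's slow work factor matters for guessable secrets such as passwords.
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    KEY_STORE[prefix] = ApiKeyRecord(prefix, digest, label, scope)
    return plaintext   # show this to the user exactly once, then discard


def authenticate(presented: str) -> Optional[ApiKeyRecord]:
    """Look the key up by prefix, then compare hashes in constant time."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != "fb":
        return None
    record = KEY_STORE.get(parts[1])
    if record is None:
        return None
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return record if hmac.compare_digest(digest, record.key_hash) else None


def authorize(record: ApiKeyRecord, action: str) -> bool:
    """Read is allowed for any scope; write needs the read-write scope."""
    return action == "read" or (action == "write" and record.scope == "read-write")
```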
Thanks, I like the suggestions.