Federated Wiki - UserAccessTokens Plugin
This plugin allows users to create, manage, and revoke User Access Tokens. User Access Tokens, known elsewhere as "API tokens" or "personal access tokens", authenticate a user without requiring a username and password on every request. Scripts and other applications can then interact with FedWiki without ever holding the user's password, using a credential that can be given an expiry and revoked on its own.
Implementation Notes
- Token generation:
  - Generate each token from cryptographically secure random bytes (32 or more) using Node's `crypto` module. Store only a hash of the token, produced with a secure hashing algorithm (e.g., bcrypt or Argon2); the plaintext token is never written to disk.
  - Include the token type prefix `fwuat-` to distinguish User Access Tokens from other types of tokens in the system.
  - Note that bcrypt and Argon2 salt every hash, so a presented token cannot be looked up by its hash: validation has to iterate over the site's live tokens and verify each one. This keeps the per-site token list small in practice and makes the rate limiting described below more important.
- Token storage:
  - Store tokens in the file system, specifically in the site's `status` subdirectory in a file named `user-access-tokens.json`.
  - Create the file with owner-only permissions (mode 0600). It holds only hashes, but they are still credential material.
- Token format:
  - Each token record is a JSON object with the following structure:

    ```json
    {
      "name": "TOKEN_NAME",
      "user": "USERNAME",
      "tokenHash": "HASH_OF_THE_TOKEN_STRING",
      "displayHint": "LAST_FOUR_CHARACTERS_OF_TOKEN",
      "created": "DATE_STRING_ISO8601",
      "expires": "DATE_STRING_ISO8601",
      "lastUsed": "DATE_STRING_ISO8601",
      "revoked": false,
      "scopes": ["site:read", "site:write"]
    }
    ```

  - `name`: A human-readable name for the token. Must be unique for the site.
  - `user`: The username of the user who created the token.
  - `tokenHash`: The hash of the securely generated token string, produced with a secure hashing algorithm (e.g., bcrypt or Argon2). The token itself is never stored.
  - `displayHint`: The last four characters of the token, used for display purposes so users can identify a token without the full token being revealed.
  - `created`: The date and time when the token was created, in ISO 8601 format.
  - `expires`: The date and time when the token will expire, in ISO 8601 format. If not set, the token does not expire.
  - `lastUsed`: The date and time when the token was last used, in ISO 8601 format.
  - `revoked`: A boolean indicating whether the token has been revoked (`false` or `true`).
  - `scopes`: An array of strings representing the scopes assigned to the token. If empty, the token has full access. This field is optional and is a placeholder for future enhancements.
- Token management:
  - Provide UI and API endpoints for creating, listing, revoking, and deleting tokens.
  - Return the full token only once, in the response to the creation request. Tell the user to store it securely: it cannot be retrieved later, because only its hash is kept.
  - Expired, revoked, or deleted tokens do not authenticate.
  - A user may GET a token or a list of tokens, but the `tokenHash` field must be stripped from the response to prevent accidental exposure.
- Token usage:
  - Tokens are sent in the `Authorization` HTTP header of API requests using the `Bearer` scheme, i.e. `Authorization: Bearer fwuat-...`.
- Token validation and security:
  - Check only tokens with the `fwuat-` prefix, so other token types in the system are never mistaken for User Access Tokens.
  - Verify a presented token against the stored hash with the hashing library's own verify function, never by comparing plaintext strings; reject it if the record is revoked or past `expires`, and update `lastUsed` on success.
  - Treat tokens as sensitive information: never log them or expose them in any way, request logs and error messages included.
  - Implement rate limiting to prevent abuse of the API via tokens. This is necessary because tokens can be used without user interaction.
  - Transmit tokens only over secure connections (HTTPS) to prevent interception.
Build
```shell
npm install
npm run build
```
License
MIT