Implement way to disable API keys, rather than delete

NEW
Unassigned

Status

P3
normal
6 years ago
8 months ago

People

(Reporter: lorchard, Unassigned)

Tracking

Details

(Whiteboard: [points=2])

(Reporter)

Description

6 years ago
Currently, the only way to prevent an API key from being used is to delete it. However, this also deletes all audit log entries along with the key record.

That's bad, because it leaves us no way to inspect what was done with the key after the fact. And, it makes it impossible to find what documents might have been affected (e.g. for a mass-revert feature).

So, we need to make it hard to delete an API key (i.e. from admin panel only), and instead add a "disabled" flag that makes the system no longer honor it for auth yet keep it around for forensics and recovery. Change the UI on the key management side to "disable" rather than "delete".

Updated

5 years ago
Component: General → API
Whiteboard: [triaged]
Priority: -- → P3
Whiteboard: [triaged] → [points=2]
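
A minimal sketch of the disable-instead-of-delete behaviour requested in this bug, added here as an illustration and not taken from the project's code. The table, column and function names are assumptions, and an in-memory SQLite database stands in for the project's real store.

```python
import hashlib
import hmac
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE api_key (
    id INTEGER PRIMARY KEY,
    secret_hash TEXT NOT NULL,
    disabled INTEGER NOT NULL DEFAULT 0  -- flag proposed in the bug
);
CREATE TABLE audit_log (
    -- RESTRICT instead of CASCADE: deleting a key cannot erase its history
    key_id INTEGER NOT NULL REFERENCES api_key(id) ON DELETE RESTRICT,
    action TEXT NOT NULL,
    document TEXT NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    db.executescript(SCHEMA)
    return db

def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

def create_key(db):
    secret = secrets.token_urlsafe(32)
    cur = db.execute("INSERT INTO api_key (secret_hash) VALUES (?)", (_digest(secret),))
    return cur.lastrowid, secret

def authenticate(db, key_id, secret):
    row = db.execute("SELECT secret_hash, disabled FROM api_key WHERE id = ?", (key_id,)).fetchone()
    if row is None:
        return False
    matches = hmac.compare_digest(row[0], _digest(secret))
    return matches and not row[1]  # a disabled key never authenticates

def record(db, key_id, action, document):
    db.execute("INSERT INTO audit_log VALUES (?, ?, ?)", (key_id, action, document))

def disable_key(db, key_id):
    db.execute("UPDATE api_key SET disabled = 1 WHERE id = ?", (key_id,))

def affected_documents(db, key_id):
    # Forensics query that still works after the key is disabled
    rows = db.execute("SELECT DISTINCT document FROM audit_log WHERE key_id = ? ORDER BY document", (key_id,))
    return [r[0] for r in rows]
```

With the foreign key set to `RESTRICT`, a plain `DELETE` on a key that has audit entries fails, so removal has to be a deliberate administrative step rather than a side effect of revoking access.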