feat!: replace plain-text DRF token with PBKDF2-hashed API token (#2087)

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

docs/command-line-interface.rst

@@ -717,21 +717,32 @@ Optional arguments:
 .. note:: This command is to be used when ScanCode.io's authentication system
   :ref:`scancodeio_settings_require_authentication` is enabled.
 
-Creates a user and generates an API key for authentication.
+Creates a new user and optionally generates an API key for authentication.
 
 You will be prompted for a password. After you enter one, the user will be created
 immediately.
 
-The API key for the new user account will be displayed on the terminal output.
-
 .. code-block:: console
 
-    User <username> created with API key: abcdef123456
+    $ scanpipe create-user <username>
+    User <username> created.
+
+Use the ``--generate-api-key`` option to generate an API key for this user and print it
+to the console.
+
+.. code-block:: console
 
-The API key can also be retrieved from the :guilabel:`Profile settings` menu in the UI.
+    $ scanpipe create-user <username> --generate-api-key
+    User <username> created.
+    API key: 1234567890abcdef
 
 .. warning::
-    Your API key is like a password and should be treated with the same care.
+    Treat your API key like a password and keep it secure.
+    For security reasons, the key is only shown once at generation time.
+    If you lose it, you will need to regenerate a new one.
+
+.. tip::
+    The API key can be regenerated from the :guilabel:`Profile settings` menu in the UI.
 
 By default, this command will prompt for a password for the new user account.
 When run non-interactively with the ``--no-input`` option, no password will be set,
@@ -741,6 +752,7 @@ API key.
 Optional arguments:
 
 - ``--no-input`` Does not prompt the user for input of any kind.
+- ``--generate-api-key`` Generate an API key for this user and print it to the console.
 - ``--admin`` Specifies that the user should be created as an admin user.
 - ``--super`` Specifies that the user should be created as a superuser.
 

pyproject.toml

@@ -96,6 +96,7 @@ dependencies = [
   "aboutcode.hashid==0.2.0",
   # AboutCode pipeline
   "aboutcode.pipeline==0.2.1",
+  "aboutcode.api-auth==0.2.0",
   # ScoreCode
   "scorecode==0.0.4"
 ]

scancodeio/settings.py

@@ -194,7 +194,6 @@
     "crispy_bootstrap3",  # required for the djangorestframework browsable API
     "django_filters",
     "rest_framework",
-    "rest_framework.authtoken",
     "django_rq",
     "django_probes",
     "taggit",
@@ -401,12 +400,12 @@
 CLAMD_USE_TCP = env.bool("CLAMD_USE_TCP", default=True)
 CLAMD_TCP_ADDR = env.str("CLAMD_TCP_ADDR", default="clamav")
 
-# Django restframework
+# REST API
+
+API_TOKEN_MODEL = "scanpipe.APIToken"  # noqa: S105
 
 REST_FRAMEWORK = {
-    "DEFAULT_AUTHENTICATION_CLASSES": (
-        "rest_framework.authentication.TokenAuthentication",
-    ),
+    "DEFAULT_AUTHENTICATION_CLASSES": ("aboutcode.api_auth.APITokenAuthentication",),
     "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
     "DEFAULT_RENDERER_CLASSES": (
         "rest_framework.renderers.JSONRenderer",

scancodeio/urls.py

@@ -32,6 +32,8 @@
 from scanpipe.api.views import ProjectViewSet
 from scanpipe.api.views import RunViewSet
 from scanpipe.views import AccountProfileView
+from scanpipe.views import GenerateAPIKeyView
+from scanpipe.views import RevokeAPIKeyView
 
 api_router = DefaultRouter()
 api_router.register(r"projects", ProjectViewSet)
@@ -45,6 +47,16 @@
         name="logout",
     ),
     path("accounts/profile/", AccountProfileView.as_view(), name="account_profile"),
+    path(
+        "accounts/profile/api_key/generate/",
+        GenerateAPIKeyView.as_view(),
+        name="generate_api_key",
+    ),
+    path(
+        "accounts/profile/api_key/revoke/",
+        RevokeAPIKeyView.as_view(),
+        name="revoke_api_key",
+    ),
 ]
 
 

scanpipe/management/commands/create-user.py

@@ -28,7 +28,7 @@
 from django.core.management.base import BaseCommand
 from django.core.management.base import CommandError
 
-from rest_framework.authtoken.models import Token
+from scanpipe.models import APIToken
 
 
 class Command(BaseCommand):
@@ -43,13 +43,21 @@ def __init__(self, *args, **kwargs):
         )
 
     def add_arguments(self, parser):
-        parser.add_argument("username", help="Specifies the username for the user.")
+        parser.add_argument(
+            "username",
+            help=f"Specifies the {self.UserModel.USERNAME_FIELD} for the user.",
+        )
         parser.add_argument(
             "--no-input",
             action="store_false",
             dest="interactive",
             help="Do not prompt the user for input of any kind.",
         )
+        parser.add_argument(
+            "--generate-api-key",
+            action="store_true",
+            help="Generate an API key for this user and print it to the console.",
+        )
         parser.add_argument(
             "--admin",
             action="store_true",
@@ -63,9 +71,16 @@ def add_arguments(self, parser):
 
     def handle(self, *args, **options):
         username = options["username"]
+        generate_api_key = options["generate_api_key"]
         is_admin = options["admin"]
         is_superuser = options["super"]
 
+        if options["verbosity"] <= 0 and generate_api_key:
+            raise CommandError(
+                "Cannot display the API key with verbosity disabled. "
+                "The key is only shown once at generation time."
+            )
+
         error_msg = self._validate_username(username)
         if error_msg:
             raise CommandError(error_msg)
@@ -75,19 +90,27 @@ def handle(self, *args, **options):
             password = self.get_password_from_stdin(username)
 
         user_kwargs = {
-            "username": username,
+            self.UserModel.USERNAME_FIELD: username,
             "password": password,
             "is_staff": is_admin or is_superuser,
             "is_superuser": is_superuser,
         }
-
         user = self.UserModel._default_manager.create_user(**user_kwargs)
-        token, _ = Token._default_manager.get_or_create(user=user)
 
         if options["verbosity"] > 0:
-            msg = f"User {username} created with API key: {token.key}"
+            msg = f"User {username} created."
             self.stdout.write(msg, self.style.SUCCESS)
 
+        if generate_api_key:
+            plain_api_key = APIToken.create_token(user=user)
+            self.stdout.write(f"API key: {plain_api_key}", self.style.SUCCESS)
+            warning_msg = (
+                "Treat your API key like a password and keep it secure. "
+                "For security reasons, the key is only shown once at generation time. "
+                "If you lose it, you will need to regenerate a new one."
+            )
+            self.stdout.write(warning_msg, self.style.WARNING)
+
     def get_password_from_stdin(self, username):
         # Validators, such as UserAttributeSimilarityValidator, depends on other user's
         # fields data for password validation.

scanpipe/migrations/0078_apitoken.py

@@ -0,0 +1,29 @@
+# Generated by Django 6.0.3 on 2026-03-09 05:23
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scanpipe', '0077_alter_discoveredpackage_children_packages'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='APIToken',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('key_hash', models.CharField(max_length=128)),
+                ('prefix', models.CharField(db_index=True, max_length=8, unique=True)),
+                ('created', models.DateTimeField(auto_now_add=True, db_index=True)),
+                ('user', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, related_name='api_token', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'verbose_name': 'API Token',
+            },
+        ),
+    ]

scanpipe/migrations/0079_apitoken_data.py

@@ -0,0 +1,60 @@
+# Generated by Django 6.0.3 on 2026-03-10 22:09
+
+from django.db import migrations
+from django.contrib.auth.hashers import make_password
+
+
+def migrate_api_tokens(apps, schema_editor):
+    """Migrate existing plain-text DRF tokens to the new hashed APIToken model."""
+    APIToken = apps.get_model("scanpipe", "APIToken")
+    PREFIX_LENGTH = 8
+
+    with schema_editor.connection.cursor() as cursor:
+        cursor.execute(
+            "SELECT EXISTS (SELECT 1 FROM information_schema.tables "
+            "WHERE table_name = 'authtoken_token')"
+        )
+        table_exists = cursor.fetchone()[0]
+
+        if not table_exists:
+            return
+
+        cursor.execute("SELECT user_id, key, created FROM authtoken_token")
+        rows = cursor.fetchall()
+        if not rows:
+            return
+
+        tokens_to_create = [
+            APIToken(
+                user_id=user_id,
+                prefix=key[:PREFIX_LENGTH],
+                key_hash=make_password(key),
+                created=created,
+            )
+            for user_id, key, created in rows
+        ]
+        migrated_tokens = APIToken.objects.bulk_create(tokens_to_create, ignore_conflicts=True)
+        if migrated_tokens:
+            print(f" -> {len(migrated_tokens)} tokens migrated.")
+
+
+def reverse_migrate_api_tokens(apps, schema_editor):
+    """Reverse migration: remove all migrated tokens."""
+    APIToken = apps.get_model("scanpipe", "APIToken")
+    APIToken.objects.all().delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scanpipe', '0078_apitoken'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_api_tokens, reverse_migrate_api_tokens),
+        migrations.RunSQL(
+            sql="DROP TABLE IF EXISTS authtoken_token",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+    ]
+

scanpipe/models.py

@@ -57,7 +57,6 @@
 from django.db.models import When
 from django.db.models.functions import Cast
 from django.db.models.functions import Lower
-from django.dispatch import receiver
 from django.forms import model_to_dict
 from django.urls import NoReverseMatch
 from django.urls import reverse
@@ -70,6 +69,7 @@
 import redis
 import requests
 import saneyaml
+from aboutcode.api_auth import AbstractAPIToken
 from commoncode.fileutils import parent_directory
 from cyclonedx import model as cyclonedx_model
 from cyclonedx.model import component as cyclonedx_component
@@ -86,7 +86,6 @@
 from packageurl.contrib.django.models import PACKAGE_URL_FIELDS
 from packageurl.contrib.django.models import PackageURLMixin
 from packageurl.contrib.django.models import PackageURLQuerySetMixin
-from rest_framework.authtoken.models import Token
 from rq.command import send_stop_job_command
 from rq.exceptions import NoSuchJobError
 from rq.job import Job
@@ -146,6 +145,11 @@ class Meta:
         abstract = True
 
 
+class APIToken(AbstractAPIToken):
+    class Meta:
+        verbose_name = "API Token"
+
+
 class HashFieldsMixin(models.Model):
     """
     The hash fields are not indexed by default, use the `indexes` in Meta as needed:
@@ -4963,13 +4967,6 @@ def success(self):
         return self.response_status_code in (200, 201, 202)
 
 
-@receiver(models.signals.post_save, sender=settings.AUTH_USER_MODEL)
-def create_auth_token(sender, instance=None, created=False, **kwargs):
-    """Create an API key token on user creation, using the signal system."""
-    if created:
-        Token.objects.create(user_id=instance.pk)
-
-
 class DiscoveredPackageScore(UUIDPKModel, PackageScoreMixin):
     """Represents a security or quality score for a DiscoveredPackage."""
 

scanpipe/templates/account/profile.html

@@ -13,23 +13,46 @@
         </ul>
       </nav>
     </div>
-
-    <article class="message is-warning">
-      <div class="message-body">
-        <strong>An API key is like a password and should be treated with the same care.</strong>
-      </div>
-    </article>
-
-    <div class="field">
-      <label class="label">API Key</label>
-      <div class="control has-icons-left">
-        <input class="input" type="text" value="{{ request.user.auth_token.key|default:'Not available' }}" readonly>
-        <span class="icon is-small is-left">
-          <i class="fa-solid fa-key"></i>
-        </span>
+    <div class="columns">
+      <div class="column is-7">
+        <div class="content">
+          <div class="mb-2">
+            Your personal API key provides access to the
+            <a href="{% url 'project-list' %}" target="_blank">REST API</a>
+            <div class="has-text-weight-semibold">
+              Treat it like a password and keep it secure.
+            </div>
+          </div>
+          {% if request.user.api_token %}
+            <div class="notification is-grey mb-4">
+              Your API key <strong>{{ request.user.api_token.prefix }}...</strong>
+              was generated on {{ request.user.api_token.created }}<br>
+              For security reasons, the full key is only shown once at generation time.<br>
+              If you lose it, you will need to regenerate a new one.
+            </div>
+          {% else %}
+            <div class="notification is-warning is-light mb-4">
+              <strong>No API key created.</strong><br>
+              Generate one using the button below to access the REST API.
+            </div>
+          {% endif %}
+        </div>
+        <div class="buttons">
+          <button type="button" class="button is-success is-outlined modal-button" data-target="modal-generate-api-key" aria-haspopup="true">
+            Generate API key
+          </button>
+          {% if request.user.api_token %}
+            <button type="button" class="button is-danger is-outlined modal-button" data-target="modal-revoke-api-key" aria-haspopup="true">
+              Revoke API key
+            </button>
+          {% endif %}
+        </div>
       </div>
     </div>
-
   </section>
+  {% include 'scanpipe/modals/profile_generate_api_key_modal.html' %}
+  {% if request.user.api_token %}
+    {% include 'scanpipe/modals/profile_revoke_api_key_modal.html' %}
+  {% endif %}
 </div>
 {% endblock %}