Closes #20492: Disable API token plaintext retrieval

2026-01-24 04:22:41 -06:00 · 2025-10-14 14:57:37 -04:00
parent b7cc4c418b
commit 2bebfccf9b
8 changed files with 10 additions and 42 deletions
--- a/netbox/netbox/configuration_example.py
+++ b/netbox/netbox/configuration_example.py
@@ -91,9 +91,6 @@ ADMINS = [
    # ('John Doe', 'jdoe@example.com'),
 ]

-# Permit the retrieval of API tokens after their creation.
-ALLOW_TOKEN_RETRIEVAL = False
-
 # Enable any desired validators for local account passwords below. For a list of included validators, please see the
 # Django documentation at https://docs.djangoproject.com/en/stable/topics/auth/passwords/#password-validation.
 AUTH_PASSWORD_VALIDATORS = [
--- a/netbox/netbox/configuration_testing.py
+++ b/netbox/netbox/configuration_testing.py
@@ -43,8 +43,6 @@ SECRET_KEY = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'

 DEFAULT_PERMISSIONS = {}

-ALLOW_TOKEN_RETRIEVAL = True
-
 API_TOKEN_PEPPERS = {
    1: 'TEST-VALUE-DO-NOT-USE-TEST-VALUE-DO-NOT-USE-TEST-VALUE-DO-NOT-USE',
 }
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -76,7 +76,6 @@ elif hasattr(configuration, 'DATABASE') and hasattr(configuration, 'DATABASES'):

 # Set static config parameters
 ADMINS = getattr(configuration, 'ADMINS', [])
-ALLOW_TOKEN_RETRIEVAL = getattr(configuration, 'ALLOW_TOKEN_RETRIEVAL', False)
 ALLOWED_HOSTS = getattr(configuration, 'ALLOWED_HOSTS')  # Required
 API_TOKEN_PEPPERS = getattr(configuration, 'API_TOKEN_PEPPERS', {})
 AUTH_PASSWORD_VALIDATORS = getattr(configuration, 'AUTH_PASSWORD_VALIDATORS', [
--- a/netbox/templates/users/token.html
+++ b/netbox/templates/users/token.html
@@ -20,14 +20,7 @@
          {% if object.version == 1 %}
            <tr>
              <th scope="row">{% trans "Token" %}</th>
-              <td>
-                {% if settings.ALLOW_TOKEN_RETRIEVAL %}
-                  <span id="secret" class="font-monospace" data-secret="{{ object.plaintext }}">{{ object.plaintext }}</span>
-                  <button type="button" class="btn btn-primary toggle-secret float-end" data-bs-toggle="button">{% trans "Show Secret" %}</button>
-                {% else %}
-                  {{ object.partial }}
-                {% endif %}
-              </td>
+              <td>{{ object.partial }}</td>
            </tr>
          {% else %}
            <tr>
--- a/netbox/users/forms/model_forms.py
+++ b/netbox/users/forms/model_forms.py
@@ -1,7 +1,6 @@
 import json

 from django import forms
-from django.conf import settings
 from django.contrib.auth import password_validation
 from django.contrib.postgres.forms import SimpleArrayField
 from django.core.exceptions import FieldError
@@ -115,7 +114,7 @@ class UserTokenForm(forms.ModelForm):
        label=_('Token'),
        help_text=_(
            'Tokens must be at least 40 characters in length. <strong>Be sure to record your key</strong> prior to '
-            'submitting this form, as it may no longer be accessible once the token has been created.'
+            'submitting this form, as it will no longer be accessible once the token has been created.'
        ),
        widget=forms.TextInput(
            attrs={'data-clipboard': 'true'}
@@ -148,11 +147,8 @@ class UserTokenForm(forms.ModelForm):
            self.fields['version'].disabled = True
            self.fields['user'].disabled = True

-            # Omit the key field when editing an existing token if token retrieval is not permitted
-            if self.instance.v1 and settings.ALLOW_TOKEN_RETRIEVAL:
-                self.initial['token'] = self.instance.plaintext
-            else:
-                del self.fields['token']
+            # Omit the key field when editing an existing Token
+            del self.fields['token']

        # Generate an initial random key if none has been specified
        elif self.instance._state.adding and not self.initial.get('token'):
--- a/netbox/users/tables.py
+++ b/netbox/users/tables.py
@@ -11,13 +11,7 @@ __all__ = (
    'UserTable',
 )

-TOKEN = """<samp><a href="{{ record.get_absolute_url }}" id="token_{{ record.pk }}">{{ record }}</a></samp>"""
-
-COPY_BUTTON = """
-{% if settings.ALLOW_TOKEN_RETRIEVAL %}
-  {% copy_content record.pk prefix="token_" color="success" %}
-{% endif %}
-"""
+TOKEN = """<samp><a href="{{ record.get_absolute_url }}">{{ record }}</a></samp>"""


 class TokenTable(NetBoxTable):
@@ -48,7 +42,6 @@ class TokenTable(NetBoxTable):
    )
    actions = columns.ActionsColumn(
        actions=('edit', 'delete'),
-        extra_buttons=COPY_BUTTON
    )

    class Meta(NetBoxTable.Meta):