Skip to content

Multiple API Keys

Jump to bottom
Harikrishna Menon edited this page Sep 21, 2016 · 17 revisions

Multiple API Keys

Issue

Feedback on the spec can be given on the following issue - https://github.com/NuGet/NuGetGallery/issues/3246

Problem

Currently, NuGet.org users can only create a Single API key for all their packages. For large GitHub organizations, it is necessary that multiple API keys be created that be scoped to specific actions and packages to prevent a single leak from compromising all the packages. In addition, this enables us to hide the API keys after a one-time generation further reducing the risk and enabling users to create keys with specific privileges.

Who is the customer?

Large GitHub organizations or users with multiple packages and contributors

Evidence

  • Security Push
  • Feedback from customers during the Expiring API keys discussion

Solution

The key scenarios we want to enable is the following

  • Enable users to create multiple API keys with a name
  • Set expiration range similar to current API keys.
  • Restrict privileges of API keys to one or more packages
  • Restrict key privileges to specific NuGet.org actions like Push New Id, Push New Version, Un-list
  • API Keys are only shown after generation. Any action that closes or navigates away from page will result in the API key being hidden forever.
  • Notify Users on new key creation
  • Maintain Legacy API keys, only new API keys have support for privileges, expiration and scope.
  • Manage API key - Ability to delete any API key including Legacy keys

User Workflow

  • User Logs into NuGet.org
  • Goes to Account Details
  • Clicks on Show details in the API Keys section
  • Navigates to Generate API Key
  • Adds a Name for the the Key
  • Selects the expiration interval (by default set to 365)
  • From the list of packages (all packages owned by the user) selects the packages that the key will apply to (by default none is selected)
  • From the list of following scopes Push, Unlist, Update selects privileges for the key (by default none will be selected)
  • Clicks on Generate API key
  • Notification is sent to registered email Id about the key create with name, packages and scope information.\
  • Copies the API key and saves it in NuGet.config or uses it for a one-time operation

Screens

Create API Key - Expiration,Name, Packages and Scopes

In the interest of space, I have omitted the examples section in the below screen. We should not remove this from the current UI

Contributing

What's Being Worked On?

Check out the proposals in the accepted & proposed folders on the repository, and active PRs for proposals being discussed today.

Common Problems

Clone this wiki locally