Skip to content

Hardening: Remove User.api_v2_token property (returns plaintext API token)#3057

Open
hanu-14 wants to merge 1 commit into
python:mainfrom
hanu-14:fix/remove-api-v2-token
Open

Hardening: Remove User.api_v2_token property (returns plaintext API token)#3057
hanu-14 wants to merge 1 commit into
python:mainfrom
hanu-14:fix/remove-api-v2-token

Conversation

@hanu-14

@hanu-14 hanu-14 commented Jul 16, 2026

Copy link
Copy Markdown

Closes #3047

Removes the User.api_v2_token property that returns the plaintext DRF Token.key, and updates the one test that referenced it.

Copilot AI review requested due to automatic review settings July 16, 2026 16:26
@hanu-14
hanu-14 requested a review from JacobCoffee as a code owner July 16, 2026 16:26

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens credential handling by removing the User.api_v2_token convenience property that could expose a plaintext DRF API token key, reducing the risk of accidental leakage via templates/serialization.

Changes:

  • Removed User.api_v2_token property (and its DRF Token import) from the user model.
  • Updated the one test that referenced api_v2_token to fetch a DRF token key directly.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
apps/users/models.py Removes the api_v2_token property that returned a plaintext DRF token key.
apps/downloads/tests/test_views.py Updates API auth header construction in tests to no longer rely on the removed model property.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 18 to 20
from pydotorg.drf import BaseAPITestCase
from rest_framework.authtoken.models import Token

is_staff=True,
)
self.Authorization = f"Token {self.staff_user.api_v2_token}"
self.Authorization = f"Token {Token.objects.get(user=self.staff_user).key}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Hardening: [low-priority] Remove User.api_v2_token property (returns plaintext API token)

2 participants