fix(user token): Stop leaking API token

[ykamo001]

Update API contract to stop sending API token and send new field of lastTokenCharacters instead. Currently the API token in user settings can always be seen, even after creation. This experience also deviates from the org auth tokens. To keep both experiences consistent, and increase security around tokens from leaking, we are updating the API token contract and UI. The current PR focuses on BE, and updating the contract to send a field lastTokenCharacters

• Serializer has an option to include full token value. This is to setup for the future to stop leaking the value in the API. Currently we need this for the delete endpoint to work. Future work captured in https://github.com/getsentry/team-enterprise/issues/21#issue-2047202292
• The API contract for /api-tokens will include a new field of tokenLastCharacters

This PR should go after #61939

Resolves https://github.com/getsentry/team-enterprise/issues/1#issue-2003077670

[codecov]

Codecov Report

Merging #61941 (0031657) into master (b545add) will decrease coverage by 0.01%.
Report is 41 commits behind head on master.
The diff coverage is 83.33%.

❗ Current head 0031657 differs from pull request most recent head 1e0a9bc. Consider uploading reports for the commit 1e0a9bc to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #61941      +/-   ##
==========================================
- Coverage   81.22%   81.21%   -0.01%     
==========================================
  Files        5185     5185              
  Lines      228404   228533     +129     
  Branches    38328    38371      +43     
==========================================
+ Hits       185511   185613     +102     
- Misses      37246    37265      +19     
- Partials     5647     5655       +8     

Files	Coverage Δ
src/sentry/api/endpoints/api_tokens.py	96.49% <ø> (ø)
...atic/app/utils/analytics/replayAnalyticsEvents.tsx	100.00% <ø> (ø)
static/app/utils/replays/replayReader.tsx	50.00% <ø> (ø)
static/app/views/monitors/details.tsx	0.00% <ø> (ø)
src/sentry/api/serializers/models/apitoken.py	89.47% <83.33%> (-4.28%)	⬇️

... and 30 files with indirect coverage changes

[ykamo001]

This should default to false in the future, but currently is true because other endpoints and services are also utilizing this serializer

[nhsiehgit]

rather than passing include_token in the kwargs, can we be explicit in the args, and just default it to False if that's what we expect?

[ykamo001]

This is related to the comment above, but in relation to the False matter:
Unfortunately we cannot default to False, as other API endpoints are referencing this serializer for their contract, and we would need to change more domain code than necessary for this change. This is the result of not using repository patterns and proper contracts/DTOs :/

[ykamo001]

Here's another service/endpoint that uses the same serliazier:

sentry/src/sentry/api/endpoints/integrations/sentry_apps/internal_app_token/index.py

Line 69 in cd40441

token = ApiTokenSerializer().serialize(api_token, attrs, request.user)

[schew2381]

Could you write a test in test_apitoken.py that ensures the new serializer checks work as expected?

[ykamo001]

Could you write a test in test_apitoken.py that ensures the new serializer checks work as expected?

Yes of course! Added!

[nhsiehgit]

quick comment

[nhsiehgit]

Do we need to capture the kwargs here?

Would rather be explicit in the api args, rather than allowing any kwargs to be passed

[ykamo001]

Unfortunately no, we cannot make a change the would break the contract of the base class function https://mypy.readthedocs.io/en/stable/common_issues.html#incompatible-overrides

Other incompatible signature changes in method overrides, such as adding an extra required parameter, or removing an optional parameter, will also generate errors.

This fails on our linter as well, as I tried that initially https://github.com/getsentry/sentry/actions/runs/7227889927/job/19696388755

[nhsiehgit]

rather than passing include_token in the kwargs, can we be explicit in the args, and just default it to False if that's what we expect?

[schew2381]

small nits but lgtm otherwise 👍

[schew2381]

self.user is automatically set in TestCase so you can just use that directly in your tests which is convenient.

Same thing for self.project, self.team, and self.organization. The only difference is I think those are lazy so they only get created after you call it in the test.

[ykamo001]

This is good to know, thank you!

[schew2381]

Sorry I realize I should've defaulted to empty scopes in create_user_auth_token if it wasn't relevant to the test

Suggested change

	self._scopes = ["test_scope"]
	self._token = self.create_user_auth_token(user=self._user, scope_list=self._scopes)
	self._token = self.create_user_auth_token(user=self._user, scope_list=[])

[ykamo001]

That's okay, perfectly fine to be explicit about having empty scopes. Is that even a feasible token? Does that equate to unbounded (i.e. all permissions)?

[ykamo001]

We should probably add more tests here that make sure scopes are also returned correctly, so it's okay to keep a not empty list. This area in general needs more coverage, but something to follow up on!

[schew2381]

We do allow empty scopes, the token would just be useless.

[ykamo001]

Is that something we should change?

[schew2381]

hmm that's a good question. The only use case I can think of for having empty scopes is we allow users to create internal integrations without scopes. They're not required when you follow the creation flow.

I'm not super familiar with how people use integrations, or what you can do without a token/no scopes token. There might be a use case there

[schew2381]

For user tokens, we don't allow it in the UI and you can't create user tokens through other tokens (which is a recent-ish change) so it should be fine.

It's not great though that it's not immediately obvious this is the case for user tokens and is implicit/localized knowledge

[schew2381]

small nits but lgtm otherwise 👍

Oh whoops, didnt realize auto merge was on lol