feat: add name and token_last_characters to apitoken (#58945)

- Add a nullable `name` column to the `ApiToken` model to help users
identify and give meaningful names to their API tokens.
- Add a nullable `last_token_characters` column that will contain the
last four characters of the API token to help users with identify the
token in the UI when the majority of it is obfuscated.

Supports #58918

Author: mdtro

migrations_lockfile.txt

@@ -9,5 +9,5 @@ feedback: 0003_feedback_add_env
 hybridcloud: 0008_add_externalactorreplica
 nodestore: 0002_nodestore_no_dictfield
 replays: 0003_add_size_to_recording_segment
-sentry: 0583_add_early_adopter_to_organization_mapping
+sentry: 0584_apitoken_add_name_and_last_chars
 social_auth: 0002_default_auto_field

src/sentry/backup/comparators.py

@@ -666,7 +666,9 @@ def get_default_comparators():
     default_comparators: ComparatorMap = defaultdict(
         list,
         {
-            "sentry.apitoken": [HashObfuscatingComparator("refresh_token", "token")],
+            "sentry.apitoken": [
+                HashObfuscatingComparator("refresh_token", "token", "token_last_characters")
+            ],
             "sentry.apiapplication": [HashObfuscatingComparator("client_id", "client_secret")],
             "sentry.authidentity": [HashObfuscatingComparator("ident", "token")],
             "sentry.alertrule": [DateUpdatedComparator("date_modified")],

src/sentry/migrations/0584_apitoken_add_name_and_last_chars.py

@@ -0,0 +1,36 @@
+# Generated by Django 3.2.20 on 2023-10-27 17:53
+
+from django.db import migrations, models
+
+from sentry.new_migrations.migrations import CheckedMigration
+
+
+class Migration(CheckedMigration):
+    # This flag is used to mark that a migration shouldn't be automatically run in production. For
+    # the most part, this should only be used for operations where it's safe to run the migration
+    # after your code has deployed. So this should not be used for most operations that alter the
+    # schema of a table.
+    # Here are some things that make sense to mark as dangerous:
+    # - Large data migrations. Typically we want these to be run manually by ops so that they can
+    #   be monitored and not block the deploy for a long period of time while they run.
+    # - Adding indexes to large tables. Since this can take a long time, we'd generally prefer to
+    #   have ops run this and not block the deploy. Note that while adding an index is a schema
+    #   change, it's completely safe to run the operation after the code has deployed.
+    is_dangerous = False
+
+    dependencies = [
+        ("sentry", "0583_add_early_adopter_to_organization_mapping"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="apitoken",
+            name="name",
+            field=models.CharField(max_length=255, null=True),
+        ),
+        migrations.AddField(
+            model_name="apitoken",
+            name="token_last_characters",
+            field=models.CharField(max_length=4, null=True),
+        ),
+    ]

src/sentry/models/apitoken.py

@@ -37,7 +37,9 @@ class ApiToken(ReplicatedControlModel, HasApiScopes):
     # users can generate tokens without being application-bound
     application = FlexibleForeignKey("sentry.ApiApplication", null=True)
     user = FlexibleForeignKey("sentry.User")
+    name = models.CharField(max_length=255, null=True)
     token = models.CharField(max_length=64, unique=True, default=generate_token)
+    token_last_characters = models.CharField(max_length=4, null=True)
     refresh_token = models.CharField(max_length=64, unique=True, null=True, default=generate_token)
     expires_at = models.DateTimeField(null=True, default=default_expiration)
     date_added = models.DateTimeField(default=timezone.now)
@@ -55,6 +57,16 @@ class Meta:
     def __str__(self):
         return force_str(self.token)
 
+    # TODO(mdtro): uncomment this function after 0583_apitoken_add_name_and_last_chars migration has been applied
+    # def save(self, *args: Any, **kwargs: Any) -> None:
+    #     # when a new ApiToken is created we take the last four characters of the token
+    #     # and save them in the `token_last_characters` field so users can identify
+    #     # tokens in the UI where they're mostly obfuscated
+    #     token_last_characters = self.token[-4:]
+    #     self.token_last_characters = token_last_characters
+
+    #     return super().save(**kwargs)
+
     def outbox_region_names(self) -> Collection[str]:
         return list(find_all_region_names())
 

src/sentry/testutils/helpers/backups.py

@@ -550,7 +550,10 @@ def create_exhaustive_sentry_app(self, name: str, owner: User, org: Organization
         # Api*
         ApiAuthorization.objects.create(application=app.application, user=owner)
         ApiToken.objects.create(
-            application=app.application, user=owner, token=uuid4().hex, expires_at=None
+            application=app.application,
+            user=owner,
+            expires_at=None,
+            name="create_exhaustive_sentry_app",
         )
         ApiGrant.objects.create(
             user=owner,
@@ -583,7 +586,9 @@ def create_exhaustive_global_configs(self, owner: User):
         self.create_exhaustive_global_configs_regional()
         ControlOption.objects.create(key="bar", value="b")
         ApiAuthorization.objects.create(user=owner)
-        ApiToken.objects.create(user=owner, token=uuid4().hex, expires_at=None)
+        ApiToken.objects.create(
+            user=owner, expires_at=None, name="create_exhaustive_global_configs"
+        )
 
     @assume_test_silo_mode(SiloMode.REGION)
     def create_exhaustive_global_configs_regional(self):