Add DISABLE_TOKEN_CREATION flag

Turbo87 · Turbo87 · commit a9130759ec57 · 2025-09-12T17:04:55.000+02:00
Setting this environment variable will cause crates.io to reject new API token creation requests with the error message set inside the environment variable. This can be useful to e.g. temporarily pause API token creation during ongoing phishing campaigns.
diff --git a/src/config/server.rs b/src/config/server.rs
@@ -93,6 +93,10 @@ pub struct Server {
     /// The expected audience claim (`aud`) for the Trusted Publishing
     /// token exchange.
     pub trustpub_audience: String,
+
+    /// Disables API token creation when set to any non-empty value.
+    /// The value is used as the error message returned to users.
+    pub disable_token_creation: Option<String>,
 }
 
 impl Server {
@@ -128,6 +132,8 @@ impl Server {
     ///   endpoint even with a healthy database pool.
     /// - `BLOCKED_ROUTES`: A comma separated list of HTTP route patterns that are manually blocked
     ///   by an operator (e.g. `/crates/{crate_id}/{version}/download`).
+    /// - `DISABLE_TOKEN_CREATION`: If set to any non-empty value, disables API token creation
+    ///   and uses the value as the error message returned to users.
     ///
     /// # Panics
     ///
@@ -195,6 +201,7 @@ impl Server {
 
         let domain_name = dotenvy::var("DOMAIN_NAME").unwrap_or_else(|_| "crates.io".into());
         let trustpub_audience = var("TRUSTPUB_AUDIENCE")?.unwrap_or_else(|| domain_name.clone());
+        let disable_token_creation = var("DISABLE_TOKEN_CREATION")?.filter(|s| !s.is_empty());
 
         Ok(Server {
             db: DatabasePools::full_from_environment(&base)?,
@@ -245,6 +252,7 @@ impl Server {
             html_render_cache_max_capacity: var_parsed("HTML_RENDER_CACHE_CAP")?.unwrap_or(1024),
             content_security_policy: Some(content_security_policy.parse()?),
             trustpub_audience,
+            disable_token_creation,
         })
     }
 }
diff --git a/src/controllers/token.rs b/src/controllers/token.rs
@@ -7,7 +7,7 @@ use anyhow::Context;
 use crate::app::AppState;
 use crate::auth::AuthCheck;
 use crate::models::token::{CrateScope, EndpointScope};
-use crate::util::errors::{AppResult, bad_request};
+use crate::util::errors::{AppResult, bad_request, custom};
 use crate::util::token::PlainToken;
 use axum::Json;
 use axum::extract::{Path, Query};
@@ -25,7 +25,7 @@ use http::request::Parts;
 use minijinja::context;
 use secrecy::ExposeSecret;
 use serde::{Deserialize, Serialize};
-use tracing::error;
+use tracing::{error, warn};
 
 #[derive(Deserialize)]
 pub struct GetParams {
@@ -127,6 +127,17 @@ pub async fn create_api_token(
 
     let user = auth.user();
 
+    // Check if token creation is disabled
+    if let Some(disable_message) = &app.config.disable_token_creation {
+        warn!(
+            "Blocked token creation for user `{}` (id: {}) due to disabled flag (token name: `{}`)",
+            user.gh_login, user.id, new.api_token.name
+        );
+
+        let message = disable_message.clone();
+        return Err(custom(StatusCode::SERVICE_UNAVAILABLE, message));
+    }
+
     let max_token_per_user = 500;
     let count: i64 = ApiToken::belonging_to(user)
         .count()
diff --git a/src/tests/routes/me/tokens/create.rs b/src/tests/routes/me/tokens/create.rs
@@ -279,3 +279,21 @@ async fn create_token_with_expiry_date() {
 
     assert_snapshot!(app.emails_snapshot().await);
 }
+
+#[tokio::test(flavor = "multi_thread")]
+async fn create_token_disabled() {
+    const ERROR_MESSAGE: &str =
+        "Token creation is temporarily disabled due to an ongoing phishing campaign";
+
+    let (app, _, user) = TestApp::init()
+        .with_config(|config| {
+            config.disable_token_creation = Some(ERROR_MESSAGE.to_string());
+        })
+        .with_user()
+        .await;
+
+    let response = user.put::<()>("/api/v1/me/tokens", NEW_BAR).await;
+    assert_snapshot!(response.status(), @"503 Service Unavailable");
+    assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"Token creation is temporarily disabled due to an ongoing phishing campaign"}]}"#);
+    assert!(app.emails().await.is_empty());
+}
diff --git a/src/tests/util/test_app.rs b/src/tests/util/test_app.rs
@@ -526,6 +526,7 @@ fn simple_config() -> config::Server {
         html_render_cache_max_capacity: 1024,
         content_security_policy: None,
         trustpub_audience: AUDIENCE.to_string(),
+        disable_token_creation: None,
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -526,6 +526,7 @@ fn simple_config() -> config::Server {`
`526`	`526`	`html_render_cache_max_capacity: 1024,`
`527`	`527`	`content_security_policy: None,`
`528`	`528`	`trustpub_audience: AUDIENCE.to_string(),`
	`529`	`+ disable_token_creation: None,`
`529`	`530`	`}`
`530`	`531`	`}`
`531`	`532`