
Hardening: [low-priority] Remove User.api_v2_token property (returns plaintext API token) #3047

Description

@gpshead

(claude identified, low priority -gpshead): apps/users/models.py:76-82 defines a @property that returns the user's plaintext DRF Token.key. It's referenced by no template or serializer (one test uses it: apps/downloads/tests/test_views.py:182), so today it does nothing. But its existence means a single future template typo ({{ user.api_v2_token }}) or a model_to_dict-style serialization could leak a capable API credential.

Describe the solution you'd like

Suggested: delete the property (updating that one test); if admin display ever needs it, a has_api_v2_token boolean serves without exposing the key.
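The suggested change, sketched as an added example (not code from the issue or from the project): plain-Python stand-ins for the user model and its token, with a regression check that reports any property returning the plaintext key. `Token`, `UserBefore`, `UserAfter`, `auth_token` and `leaking_properties` are hypothetical names, and the body of `api_v2_token` is an assumed shape, since the issue does not show it.

```python
# Added illustration: plain-Python stand-ins, not the project's Django models.
import secrets


class Token:
    """Stand-in for a DRF-style token row holding a plaintext key."""

    def __init__(self):
        self.key = secrets.token_hex(20)  # constructed sample credential


class UserBefore:
    """Assumed shape of the property the issue describes."""

    def __init__(self, token=None):
        self.auth_token = token

    @property
    def api_v2_token(self):
        return self.auth_token.key if self.auth_token else ""


class UserAfter:
    """Suggested replacement: expose only whether a token exists."""

    def __init__(self, token=None):
        self.auth_token = token

    @property
    def has_api_v2_token(self):
        return self.auth_token is not None


def leaking_properties(user, secret):
    """Return names of properties on user's class whose value contains secret.

    Mirrors what a template lookup or attribute-walking serializer could reach.
    """
    leaks = []
    for name, attr in vars(type(user)).items():
        if isinstance(attr, property):
            value = getattr(user, name)
            if isinstance(value, str) and secret in value:
                leaks.append(name)
    return leaks


if __name__ == "__main__":
    tok = Token()
    print("before:", leaking_properties(UserBefore(tok), tok.key))
    print("after: ", leaking_properties(UserAfter(tok), tok.key))
```

A check like `leaking_properties` can sit in the test suite so that a later reintroduction of a key-returning property fails the build.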

Labels: enhancement (This is an improvement to existing code or configuration)