Skip to content

Add admin service account token issuance#896

Merged
JoaquinBN merged 3 commits into
devfrom
JoaquinBN/admin-service-account-token-issuance
Jul 5, 2026
Merged

Add admin service account token issuance#896
JoaquinBN merged 3 commits into
devfrom
JoaquinBN/admin-service-account-token-issuance

Conversation

@JoaquinBN

@JoaquinBN JoaquinBN commented Jul 5, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • add a Django admin "Issue token" flow on ServiceAccount records
  • issue tokens through ServiceAccountToken.issue(), keeping token records read-only
  • show the plaintext token only on the successful admin response
  • update service-account docs to mention admin issuance

Validation

  • env/bin/python manage.py test service_accounts --noinput
  • env/bin/python manage.py makemigrations --check --dry-run service_accounts
  • git diff --check

Summary by CodeRabbit

  • New Features

    • Added a Django admin workflow to issue service account tokens directly from a service account page.
    • Tokens can now be created with selected scopes and an optional expiration.
  • Bug Fixes

    • Improved scope validation to require at least one scope and ignore duplicate entries.
    • Added clearer handling for invalid or missing service account token requests.
  • Documentation

    • Updated service account and authentication docs to mention both admin and command-line token issuance options.
    • Clarified that plaintext tokens are shown only once.

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@JoaquinBN, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 2 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 258d41e8-7dc4-4ff6-b09b-46e6c14fa806

📥 Commits

Reviewing files that changed from the base of the PR and between 123b55a and ee28dc8.

📒 Files selected for processing (5)
  • backend/contributions/ai_review/views.py
  • backend/service_accounts/admin.py
  • backend/service_accounts/scopes.py
  • backend/service_accounts/templates/admin/service_accounts/serviceaccount/issue_token.html
  • backend/service_accounts/tests/test_service_accounts.py
📝 Walkthrough

Walkthrough

This PR adds a Django admin interface for issuing service account tokens, including a new form with scope/expiry validation, a custom admin view and URL route, an "Issue token" link in the admin list, a rendering template, corresponding tests, and documentation updates reflecting the new admin-based token issuance option.

Changes

Admin Issue Token Feature

Layer / File(s) Summary
Token issue form and admin wiring
backend/service_accounts/admin.py
Adds imports for HTML formatting, timezone, URL routing, and widgets; introduces ServiceAccountTokenIssueForm with scope parsing/dedup and future-dated expiry validation; extends ServiceAccountAdmin with issue_token_link in list_display/readonly_fields and a custom get_urls route.
Issue token link and view logic
backend/service_accounts/admin.py
Implements issue_token_link to render a button or save-first message, and issue_token_view to handle object lookup, permission enforcement, form binding, token issuance via ServiceAccountToken.issue(...), and context building for the response.
Issue token admin template
backend/service_accounts/templates/admin/service_accounts/serviceaccount/issue_token.html
Adds a template rendering either the plaintext-token success view or the issuance form with field help/errors and submit/cancel controls.
Admin token issuance tests
backend/service_accounts/tests/test_service_accounts.py
Adds ServiceAccountAdminTokenIssueTests verifying link suppression for unsaved accounts, successful issuance with plaintext exposure and digest-only storage, and rejection of empty scopes.
Documentation updates
.claude/skills/ai-review.md, backend/CLAUDE.md, backend/submissions_review.md
Updates docs to state tokens can be issued from Django admin or via the management command, and adjusts wording on one-time plaintext display.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Admin
  participant ServiceAccountAdmin
  participant ServiceAccountTokenIssueForm
  participant ServiceAccountToken

  Admin->>ServiceAccountAdmin: Open "Issue token" link for account
  ServiceAccountAdmin->>ServiceAccountAdmin: Load account, check change permission
  Admin->>ServiceAccountAdmin: Submit scopes and optional expiry
  ServiceAccountAdmin->>ServiceAccountTokenIssueForm: Validate scopes and expires_at
  ServiceAccountTokenIssueForm-->>ServiceAccountAdmin: Cleaned data or validation errors
  alt Form valid
    ServiceAccountAdmin->>ServiceAccountToken: issue(account, scopes, expires_at)
    ServiceAccountToken-->>ServiceAccountAdmin: token record + plaintext value
    ServiceAccountAdmin-->>Admin: Render success page with plaintext token
  else Form invalid
    ServiceAccountAdmin-->>Admin: Re-render form with errors
  end
Loading

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding admin-based service account token issuance.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch JoaquinBN/admin-service-account-token-issuance

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@JoaquinBN JoaquinBN marked this pull request as ready for review July 5, 2026 15:13
@JoaquinBN JoaquinBN changed the title [codex] Add admin service account token issuance Add admin service account token issuance Jul 5, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/service_accounts/admin.py`:
- Around line 17-41: The ServiceAccountTokenIssueForm currently accepts
arbitrary scope strings, so add validation in clean_scopes to reject values not
present in the allowed scope set used by the service-account views. Derive that
allowed set from the scopes referenced in required_scopes (or the existing
central scope registry if available), then check each parsed scope against it
before returning the deduplicated list. Keep the logic in
ServiceAccountTokenIssueForm.clean_scopes so invalid typos are blocked before
token creation.

In
`@backend/service_accounts/templates/admin/service_accounts/serviceaccount/issue_token.html`:
- Around line 43-58: The plaintext token field in issue_token.html is missing a
programmatic label association, so update the label/input pair in the plaintext
token section to use matching for/id attributes. Keep the existing readonly
token display, but ensure the label text “Plaintext token:” is tied to the input
element so assistive technologies can announce it correctly.

In `@backend/service_accounts/tests/test_service_accounts.py`:
- Around line 207-226: The digest check in
test_admin_can_issue_token_for_service_account is too weak because it only
verifies the plaintext is not a substring of token.digest. Update the assertion
to compare token.digest against the actual SHA-256 digest of the issued
plaintext token in this test, using the existing plaintext and
ServiceAccountToken objects to locate the relevant values. This will ensure the
test validates the stored digest matches the expected hash, not just that it
differs from the plaintext.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 71a4ac4c-e3b1-4630-af71-b0f91868cb0a

📥 Commits

Reviewing files that changed from the base of the PR and between e2a09bb and 123b55a.

📒 Files selected for processing (6)
  • .claude/skills/ai-review.md
  • backend/CLAUDE.md
  • backend/service_accounts/admin.py
  • backend/service_accounts/templates/admin/service_accounts/serviceaccount/issue_token.html
  • backend/service_accounts/tests/test_service_accounts.py
  • backend/submissions_review.md

Comment thread backend/service_accounts/admin.py
Comment thread backend/service_accounts/tests/test_service_accounts.py
@JoaquinBN JoaquinBN merged commit ab6eb9a into dev Jul 5, 2026
3 checks passed
@JoaquinBN JoaquinBN deleted the JoaquinBN/admin-service-account-token-issuance branch July 5, 2026 15:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant