From 6f988331506fc24f84a801009e1f4dd4ad502e3f Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 14 Jul 2021 20:57:16 +0200
Subject: [PATCH] core: allow users to create non-expiring tokens when flag is set

Signed-off-by: Jens Langhammer
---
 authentik/core/api/tokens.py | 12 +++++++++--
 authentik/core/models.py | 1 +
 authentik/core/tests/test_token_api.py | 21 ++++++++++++++++++-
 schema.yml | 9 ++++++++
 .../user-settings/tokens/UserTokenForm.ts | 3 +--
 5 files changed, 41 insertions(+), 5 deletions(-)

diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
index 10d74ec6b..e822c02c3 100644
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -12,7 +12,7 @@ from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import Token, TokenIntents
+from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents
 from authentik.events.models import Event, EventAction
 from authentik.managed.api import ManagedSerializer
 
@@ -61,11 +61,19 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
 "intent",
 "user__username",
 "description",
+ "expires",
+ "expiring",
 ]
 ordering = ["expires"]
 
 def perform_create(self, serializer: TokenSerializer):
- serializer.save(user=self.request.user, intent=TokenIntents.INTENT_API)
+ serializer.save(
+ user=self.request.user,
+ intent=TokenIntents.INTENT_API,
+ expiring=self.request.user.attributes.get(
+ USER_ATTRIBUTE_TOKEN_EXPIRING, True
+ ),
+ )
 
 @permission_required("authentik_core.view_token_key")
 @extend_schema(
diff --git a/authentik/core/models.py b/authentik/core/models.py
index 866ec374c..b17831582 100644
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
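Review bot: In `perform_create`, whatever is stored under `USER_ATTRIBUTE_TOKEN_EXPIRING` is handed to `expiring` unchecked, so the expiry control depends on the type of a free-form attribute value. Only an explicit boolean `False` should switch expiry off; comparing explicitly, `expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True) is not False,`, keeps every other value (a string, `None`, `0`) on the expiring default. The flag is also only a control if users cannot write this key into their own `attributes`, which is worth confirming. This hunk covers creation only; whether `expiring` can be changed through the update path depends on the serializer, which is outside the hunk, so confirm that too.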
@@ -37,6 +37,7 @@ LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
 USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
 USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
+USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires" # nosec
 
 GRAVATAR_URL = "https://secure.gravatar.com"
 DEFAULT_AVATAR = static("dist/assets/images/user_default.png")
diff --git a/authentik/core/tests/test_token_api.py b/authentik/core/tests/test_token_api.py
index a1c994446..ff9cd48cd 100644
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@@ -2,7 +2,12 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Token, TokenIntents, User
+from authentik.core.models import (
+ USER_ATTRIBUTE_TOKEN_EXPIRING,
+ Token,
+ TokenIntents,
+ User,
+)
 
 
 class TestTokenAPI(APITestCase):
@@ -22,3 +27,17 @@ class TestTokenAPI(APITestCase):
 token = Token.objects.get(identifier="test-token")
 self.assertEqual(token.user, self.user)
 self.assertEqual(token.intent, TokenIntents.INTENT_API)
+ self.assertEqual(token.expiring, True)
+
+ def test_token_create_non_expiring(self):
+ """Test token creation endpoint"""
+ self.user.attributes[USER_ATTRIBUTE_TOKEN_EXPIRING] = False
+ self.user.save()
+ response = self.client.post(
+ reverse("authentik_api:token-list"), {"identifier": "test-token"}
+ )
+ self.assertEqual(response.status_code, 201)
+ token = Token.objects.get(identifier="test-token")
+ self.assertEqual(token.user, self.user)
+ self.assertEqual(token.intent, TokenIntents.INTENT_API)
+ self.assertEqual(token.expiring, False)
diff --git a/schema.yml b/schema.yml
index bc496fe38..bf267a654 100644
--- a/schema.yml
+++ b/schema.yml
@@ -2429,6 +2429,15 @@ paths:
 name: description
 schema:
 type: string
+ - in: query
+ name: expires
+ schema:
+ type: string
+ format: date-time
+ - in: query
+ name: expiring
+ schema:
+ type: boolean
 - in: query
 name: identifier
 schema:
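Review bot: The bare `# nosec` on `USER_ATTRIBUTE_TOKEN_EXPIRING` switches off every Bandit check for that line, not only the one that fired (presumably the hard-coded-password heuristic reacting to `TOKEN` in the name). If the Bandit version in use accepts test IDs, scope the suppression and give the reason, e.g. `# nosec B105 - attribute key, not a credential`. A one-line comment above the constant saying that a missing attribute means tokens expire, and that `False` allows non-expiring tokens, would help whoever sets it. Note also that the key reads `token-expires` while the constant says `EXPIRING`.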
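Review bot: Both tests post only `identifier`, so nothing checks that a client-supplied `expiring` value is ignored when the user flag is absent, which is the case the new `perform_create` argument exists to enforce. Add a test that posts `expiring: False` without setting `USER_ATTRIBUTE_TOKEN_EXPIRING` and asserts the stored token still expires; a sketch follows. The docstring of `test_token_create_non_expiring` repeats "Test token creation endpoint" and should name the flag case. The first test and the class body start outside the hunk.

```python
    def test_token_create_expiring_forced(self):
        """A client-supplied expiring=False is ignored unless the user flag is set"""
        response = self.client.post(
            reverse("authentik_api:token-list"),
            {"identifier": "test-token", "expiring": False},
        )
        self.assertEqual(response.status_code, 201)
        token = Token.objects.get(identifier="test-token")
        self.assertEqual(token.expiring, True)
```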
diff --git a/web/src/pages/user-settings/tokens/UserTokenForm.ts b/web/src/pages/user-settings/tokens/UserTokenForm.ts index 3ca274635..48aae7dab 100644 --- a/web/src/pages/user-settings/tokens/UserTokenForm.ts +++ b/web/src/pages/user-settings/tokens/UserTokenForm.ts @@ -47,9 +47,8 @@ export class UserTokenForm extends ModelForm { - + `; }