API token expiry warning emails

[Turbo87]

Some time last year we introduced optional expiration periods for API tokens. One caveat of the existing system is that users don't get notified when their tokens expire and they have to proactively monitor this if they use expiration.

In our team meeting on Friday we discussed how we could improve the situation and one idea was to automatically send out warning emails when an API token expires.

As #6664 (comment) states, such emails are seen as a requirement before we can change the default expiration setting on the API token creation page.

A couple of open questions:

• When should we send these emails? At the time when the token expires? A week before? A day before?
• Should we offer a way to create a new token based on the settings from an existing token?
• Should we use a feature flag while testing this out on the staging environment?

In terms of implementation:

• We will probably need to track for what tokens we have sent out warnings already. One way to do this would be to add another column to the api_tokens table.
• A new background job could then be implemented that scans the api_tokens table for tokens that have expired (or are going to expire) and where a warning has not been sent yet, and then sends out such a warning email.

[Rustin170506]

• Should we offer a way to create a new token based on the settings from an existing token?

I haven't seen this feature on other products and platforms. Do you have any examples we can refer to?

Are you working on this? If not, do you mind me to take it and help implement it?

[Turbo87]

I haven't seen this feature on other products and platforms. Do you have any examples we can refer to?

can't think of one, but what I have in mind is a "Duplicate" button on each of the existing tokens that would take you to the "Create API token" page with the scopes from the other token filled in and a name of e.g. "XXX (Copy)".

Are you working on this? If not, do you mind me to take it and help implement it?

Sure, go ahead! :)

[mdtro]

I'll follow up with the infra team on Zulip in regards to hardening our DMARC and SPF configurations in preparation for sending these emails. 🙂

[Rustin170506]

I was too busy last week, but I will begin working on the design and implementation this week.

[Rustin170506]

I haven't seen this feature on other products and platforms. Do you have any examples we can refer to?

GitHub has this feature, for instance:

The UI looks like this:

[Turbo87]

Since the API token expiry notification emails have been implemented I will close this issue now. The token copy functionality has its own issue now: #8717 :)