Rework token management (django-rest-knox) and endpoints

[peterthomassen]

Our API supports undocumented URL endpoints that we have not documented and are not actively maintaining (e.g. /api/v1/dns or /api/v1/auth/users/activate/). We should clean those up.

A list of URL patterns can be obtained by adding django-extensions to requirements.txt, then adding django_extensions to INSTALLED_APPS in settings.py, and then running python manage.py show_urls.

[nils-wisiol]

Current status after #165 (v2 is a copy of v1!)

URL	Module	Name
/api/v1/	desecapi.views.Root	v1:root
/api/v1/auth/me/	djoser.views.UserView	v1:user
/api/v1/auth/token/create/	desecapi.views.TokenCreateView	v1:token-create
/api/v1/auth/token/create/	djoser.views.TokenCreateView	v1:token-create
/api/v1/auth/token/destroy/	desecapi.views.TokenDestroyView	v1:token-destroy
/api/v1/auth/token/destroy/	djoser.views.TokenDestroyView	v1:token-destroy
/api/v1/auth/token/login/	desecapi.views.TokenCreateView	v1:login
/api/v1/auth/token/login/	djoser.views.TokenCreateView	v1:login
/api/v1/auth/token/logout/	desecapi.views.TokenDestroyView	v1:logout
/api/v1/auth/token/logout/	djoser.views.TokenDestroyView	v1:logout
/api/v1/auth/tokens/	desecapi.views.TokenViewSet	v1:token-list
/api/v1/auth/tokens/<user_specific_id>/	desecapi.views.TokenViewSet	v1:token-detail
/api/v1/auth/users/	desecapi.views.UserCreateView	v1:register
/api/v1/auth/users/create/	desecapi.views.UserCreateView	v1:user-create
/api/v1/dns	desecapi.views.DnsQuery	v1:dns-query
/api/v1/domains/	desecapi.views.DomainList	v1:domain-list
/api/v1/domains/<name>/	desecapi.views.DomainDetail	v1:domain-detail
/api/v1/domains/<name>/rrsets/	desecapi.views.RRsetList	v1:rrsets
/api/v1/domains/<name>/rrsets/.../<type>/	desecapi.views.RRsetDetail
/api/v1/domains/<name>/rrsets/<subname>/<type>/	desecapi.views.RRsetDetail
/api/v1/domains/<name>/rrsets/<subname>@/<type>/	desecapi.views.RRsetDetail	v1:rrset@
/api/v1/domains/<name>/rrsets/<subname>\.\.\./<type>/	desecapi.views.RRsetDetail	v1:rrset
/api/v1/domains/<name>/rrsets/@/<type>/	desecapi.views.RRsetDetail
/api/v1/donation/	desecapi.views.DonationList	v1:donation
/api/v1/dyndns/update	desecapi.views.DynDNS12Update	v1:dyndns12update
/api/v1/unlock/done	desecapi.views.unlock_done	v1:unlock/done
/api/v1/unlock/user/<email>	desecapi.views.unlock	v1:unlock/byEmail
/api/v2/	desecapi.views.Root	v2:root
/api/v2/auth/me/	djoser.views.UserView	v2:user
/api/v2/auth/token/create/	desecapi.views.TokenCreateView	v2:token-create
/api/v2/auth/token/create/	djoser.views.TokenCreateView	v2:token-create
/api/v2/auth/token/destroy/	desecapi.views.TokenDestroyView	v2:token-destroy
/api/v2/auth/token/destroy/	djoser.views.TokenDestroyView	v2:token-destroy
/api/v2/auth/token/login/	desecapi.views.TokenCreateView	v2:login
/api/v2/auth/token/login/	djoser.views.TokenCreateView	v2:login
/api/v2/auth/token/logout/	desecapi.views.TokenDestroyView	v2:logout
/api/v2/auth/token/logout/	djoser.views.TokenDestroyView	v2:logout
/api/v2/auth/tokens/	desecapi.views.TokenViewSet	v2:token-list
/api/v2/auth/tokens/<user_specific_id>/	desecapi.views.TokenViewSet	v2:token-detail
/api/v2/auth/users/	desecapi.views.UserCreateView	v2:register
/api/v2/auth/users/create/	desecapi.views.UserCreateView	v2:user-create
/api/v2/dns	desecapi.views.DnsQuery	v2:dns-query
/api/v2/domains/	desecapi.views.DomainList	v2:domain-list
/api/v2/domains/<name>/	desecapi.views.DomainDetail	v2:domain-detail
/api/v2/domains/<name>/rrsets/	desecapi.views.RRsetList	v2:rrsets
/api/v2/domains/<name>/rrsets/.../<type>/	desecapi.views.RRsetDetail
/api/v2/domains/<name>/rrsets/<subname>/<type>/	desecapi.views.RRsetDetail
/api/v2/domains/<name>/rrsets/<subname>@/<type>/	desecapi.views.RRsetDetail	v2:rrset@
/api/v2/domains/<name>/rrsets/<subname>\.\.\./<type>/	desecapi.views.RRsetDetail	v2:rrset
/api/v2/domains/<name>/rrsets/@/<type>/	desecapi.views.RRsetDetail
/api/v2/donation/	desecapi.views.DonationList	v2:donation
/api/v2/dyndns/update	desecapi.views.DynDNS12Update	v2:dyndns12update
/api/v2/unlock/done	desecapi.views.unlock_done	v2:unlock/done
/api/v2/unlock/user/<email>	desecapi.views.unlock	v2:unlock/byEmail

[peterthomassen]

Domain and RRset endpoints have recently been reworked. User unlocking is covered by #162. User management is covered by #151. /dns is covered by #193. /donation/ is legit.

This leaves the token endpoints, so I'm changing the title of this issue accordingly.

[peterthomassen]

We probably want to use django-rest-knox. It can handle the required token operations, and it also supports storing tokens in hashed format. (They also get salted, although that would appear unnecessary.)

Two related resources:

• We would need to change the token representation from hex to something base64-like. There's a neat way to do this in Django: https://djangosnippets.org/snippets/1669/ (Base64Field)
• Integrating django-rest-knox with django-rest-auth/django-allauth, in case we want to use that (but pretty bloated): https://gist.github.com/AndrewPix/cdd9276b1d5683459b965d5cc4517b26

[peterthomassen]

finished in 06e609a