From: Hannes Laimer <h.laimer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-access-control 1/2] api: token: support regenerating the secret on update
Date: Fri, 17 Apr 2026 14:35:03 +0200 [thread overview]
Message-ID: <20260417123504.143556-2-h.laimer@proxmox.com> (raw)
In-Reply-To: <20260417123504.143556-1-h.laimer@proxmox.com>
Rotating a leaked API token currently requires deleting and
recreating it, which forces re-applying all ACLs that referenced it.
Add a `regenerate` flag to the token update endpoint that swaps in a
fresh secret in-place, preserving metadata and ACL entries. The new
secret is returned in the response.
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/PVE/API2/User.pm | 41 +++++++++++++++++++++++++++++++++++------
1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/src/PVE/API2/User.pm b/src/PVE/API2/User.pm
index 4742f17..80a5ad0 100644
--- a/src/PVE/API2/User.pm
+++ b/src/PVE/API2/User.pm
@@ -833,7 +833,8 @@ __PACKAGE__->register_method({
name => 'update_token_info',
path => '{userid}/token/{tokenid}',
method => 'PUT',
- description => "Update API token for a specific user.",
+ description => "Update API token for a specific user. NOTE: when 'regenerate' is set,"
+ . " the returned token value needs to be stored as it cannot be retrieved afterwards!",
protected => 1,
permissions => {
check => [
@@ -848,6 +849,13 @@ __PACKAGE__->register_method({
expire => get_standard_option('token-expire'),
privsep => get_standard_option('token-privsep'),
comment => get_standard_option('token-comment'),
+ regenerate => {
+ description => "Regenerate the token's secret value. All users of the"
+ . " previous secret will lose access after this operation.",
+ type => 'boolean',
+ optional => 1,
+ default => 0,
+ },
delete => {
type => 'string',
format => 'pve-configid-list',
@@ -856,13 +864,26 @@ __PACKAGE__->register_method({
},
},
},
- returns =>
- get_standard_option('token-info', { description => "Updated token information." }),
+ returns => $token_info_extend->({
+ value => {
+ type => 'string',
+ description => "API token value used for authentication."
+ . " Only set when 'regenerate' was set.",
+ optional => 1,
+ },
+ 'full-tokenid' => {
+ type => 'string',
+ format_description => '<userid>!<tokenid>',
+ description => "The full token id. Only set when 'regenerate' was set.",
+ optional => 1,
+ },
+ }),
code => sub {
my ($param) = @_;
my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
my $tokenid = extract_param($param, 'tokenid');
+ my $regenerate = extract_param($param, 'regenerate');
my $usercfg = cfs_read_file("user.cfg");
my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
@@ -870,13 +891,14 @@ __PACKAGE__->register_method({
my $delete = extract_param($param, 'delete');
$delete = { map { $_ => 1 } PVE::Tools::split_list($delete) } if $delete;
+ my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
+ my $value;
+
PVE::AccessControl::lock_user_config(
sub {
$usercfg = cfs_read_file("user.cfg");
$token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
- my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
-
$token->{privsep} = $param->{privsep} if defined($param->{privsep});
$token->{expire} = $param->{expire} if defined($param->{expire});
$token->{comment} = $param->{comment} if defined($param->{comment});
@@ -894,13 +916,20 @@ __PACKAGE__->register_method({
delete $token->{$k};
}
+ $value = PVE::TokenConfig::generate_token($full_tokenid) if $regenerate;
+
$usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
cfs_write_file("user.cfg", $usercfg);
},
'updating token info failed',
);
- return $token;
+ my $res = {%$token};
+ if ($regenerate) {
+ $res->{value} = $value;
+ $res->{'full-tokenid'} = $full_tokenid;
+ }
+ return $res;
},
});
--
2.47.3
next prev parent reply other threads:[~2026-04-17 12:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 12:35 [PATCH access-control/manager 0/2] fixes #7504: add support for regenerating secrets Hannes Laimer
2026-04-17 12:35 ` Hannes Laimer [this message]
2026-04-17 12:35 ` [PATCH pve-manager 2/2] ui: token: add regenerate secret button Hannes Laimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260417123504.143556-2-h.laimer@proxmox.com \
--to=h.laimer@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox