⚠️ Note on feature completeness ⚠️
We are narrowing the scope of acceptable enhancements to DefectDojo. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md
Is your feature request related to a problem? Please describe
Currently, DefectDojo API tokens, once generated, appear to remain active indefinitely unless the associated user is deleted or the token is manually removed via the UI (if such an option exists). There is no readily available API endpoint to programmatically revoke or invalidate an active API token. This poses a security risk, as compromised or deprecated tokens cannot be immediately revoked via automation, requiring manual intervention which can be slow and error-prone, especially in large or automated environments.
Describe the solution you'd like
As a security administrator or an automation engineer, I want an API endpoint to revoke or invalidate a specific DefectDojo API token so that I can programmatically manage and secure API access, ensuring that compromised or no-longer-needed tokens can be immediately disabled without manual intervention. Also, an expiry date for created tokens.
This could involve:
- A DELETE endpoint for /api/v2/api-tokens/{token_id} or similar, requiring appropriate administrative permissions.
- An endpoint to list active tokens for a user or globally (with proper authorization) to identify the token_id for revocation.
Describe alternatives you've considered
- Manual revocation via UI: This is not scalable for automated processes or in emergency situations where immediate revocation is needed across multiple tokens.
- Deleting the user: This is an extreme measure that impacts all of the user's activities and is not suitable for revoking a single token.
- Token expiration: Tokens created do not have an expiration date. Even this could be a good enhancement.
Additional context
Implementing an API for token revocation would significantly enhance the security posture of DefectDojo deployments by providing granular control over API access and enabling faster response to potential security incidents. This aligns with best practices for API security and token management.
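The following is an added example illustrating the token lifecycle the request above asks for (issue, list, revoke, expire); it is not DefectDojo's own code and not part of the original issue. The `TokenStore`, `issue`, `list_active`, `revoke` and `authenticate` names, and the idea of storing only a SHA-256 digest of the secret, are assumptions made here for illustration; DefectDojo's real token model may differ.

```python
"""Hypothetical model of revocable, expiring API tokens (added example).

Not DefectDojo code. Shows the two controls requested in the issue:
a revocation operation keyed by a stable token_id, and an optional
expiry that is enforced at authentication time.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenRecord:
    token_id: str                 # public identifier used by the revoke/list endpoints
    user: str
    digest: str                   # sha256(secret); the plaintext secret is never stored
    expires_at: Optional[datetime]  # None means the token never expires
    revoked_at: Optional[datetime] = None


class TokenStore:
    """In-memory stand-in for a token table (assumed structure, not DefectDojo's)."""

    def __init__(self) -> None:
        self._by_id: Dict[str, TokenRecord] = {}
        self._by_digest: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    @staticmethod
    def _now(now: Optional[datetime]) -> datetime:
        return now if now is not None else datetime.now(timezone.utc)

    def issue(self, user: str, ttl: Optional[timedelta] = None,
              now: Optional[datetime] = None) -> Tuple[str, str]:
        """Create a token; returns (token_id, secret). The secret is shown once."""
        now = self._now(now)
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        rec = TokenRecord(token_id, user, self._digest(secret),
                          now + ttl if ttl is not None else None)
        self._by_id[token_id] = rec
        self._by_digest[rec.digest] = rec
        return token_id, secret

    def _is_active(self, rec: TokenRecord, now: datetime) -> bool:
        if rec.revoked_at is not None:
            return False
        return rec.expires_at is None or now < rec.expires_at

    def list_active(self, user: Optional[str] = None,
                    now: Optional[datetime] = None) -> List[str]:
        """Model of the proposed list endpoint: active token_ids, optionally per user."""
        now = self._now(now)
        return [r.token_id for r in self._by_id.values()
                if self._is_active(r, now) and (user is None or r.user == user)]

    def revoke(self, token_id: str, now: Optional[datetime] = None) -> bool:
        """Model of DELETE /api/v2/api-tokens/{token_id}: True if a token was revoked."""
        rec = self._by_id.get(token_id)
        if rec is None or rec.revoked_at is not None:
            return False
        rec.revoked_at = self._now(now)
        return True

    def authenticate(self, secret: str, now: Optional[datetime] = None) -> Optional[str]:
        """Return the owning user for a presented secret, or None if unknown,
        revoked or expired. Lookup is by digest, so the plaintext is never compared."""
        rec = self._by_digest.get(self._digest(secret))
        if rec is None or not self._is_active(rec, self._now(now)):
            return None
        return rec.user


if __name__ == "__main__":
    store = TokenStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tid, secret = store.issue("ci-bot", ttl=timedelta(days=30), now=t0)
    print(store.authenticate(secret, now=t0))                     # ci-bot
    store.revoke(tid, now=t0)
    print(store.authenticate(secret, now=t0))                     # None
```

Passing `now` explicitly keeps the expiry logic testable; in a real service the clock would come from the request time. Note that revocation sets `revoked_at` rather than deleting the row, which preserves an audit trail of when access was cut.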