feat: add a flag to disable API key readback #11460
6a3067d to 398154d
siggisim left a comment
LGTM - what happens to the quickstart guide if this flag is enabled (fine for now, but if we enable in prod we probably want to think that through)
I suspect we're just gonna show an environment variable in the quick start page. Or we can use bb login and then tell the user to use bb as a credentials helper
I just remembered the Quickstart thing right after I sent for review 😅 also remembered we have TLS cert downloads which should probably also be subject to the same logic. Working on both things now
re Quickstart I added an instruction "To create a new API key or certificate, see Settings." I made this show unconditionally since I think it's helpful even without this PR. The "or certificate" part is conditioned on whether certs are enabled. Before (the plaintext key is useless - it's a localhost key :P ):
After:
Also updated the settings page to show a download button for certs.
33d3b4b to 6be24cf


Context: https://buildbuddy-corp.slack.com/archives/C01H6DW5UFL/p1772211902400119?thread_ts=1772199877.792549&cid=C01H6DW5UFL
A customer requested to be able to disable readback of API keys in the UI (i.e. make them accessible via the UI / API only once, when they are created). This seemed like a nice/reasonable security feature to add, and we might want to enable this in our cloud UI as well at some point (making it an org-level preference to start with, maybe).
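
One way the "accessible only once, when they are created" behaviour described above could work, as an added Go sketch that is not code from this PR or from BuildBuddy. `KeyStore`, `disableReadback` and the method names are hypothetical, and keeping only a SHA-256 digest when the flag is on is an assumption the page does not state.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// KeyStore is a hypothetical in-memory key service, not BuildBuddy's code.
type KeyStore struct {
	disableReadback bool                // assumed flag, fixed at construction
	digests         map[string][32]byte // key ID -> SHA-256 of the key value
	plaintext       map[string]string   // filled only while readback is allowed
}

func NewKeyStore(disableReadback bool) *KeyStore {
	return &KeyStore{disableReadback, map[string][32]byte{}, map[string]string{}}
}

// Create returns the new value; with readback disabled no later call does.
func (s *KeyStore) Create(id string) (string, error) {
	buf := make([]byte, 20)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	value := fmt.Sprintf("%x", buf)
	s.digests[id] = sha256.Sum256([]byte(value))
	if !s.disableReadback {
		s.plaintext[id] = value
	}
	return value, nil
}

func (s *KeyStore) Read(id string) (string, bool) { // readback path (settings page, "get key" API)
	value, ok := s.plaintext[id]
	return value, ok
}

func (s *KeyStore) Authenticate(id, presented string) bool { // compares digests, so it works in both modes
	want, ok := s.digests[id]
	got := sha256.Sum256([]byte(presented))
	return ok && subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

func main() {
	s := NewKeyStore(true)
	v, _ := s.Create("ci")
	fmt.Println(len(v), s.Authenticate("ci", v))
}
```

With the flag on, a lost key can only be replaced, not recovered, which is why the Quickstart and cert download flows discussed in the thread need a path that does not depend on reading a value back.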