
New API endpoint to create user API tokens #5930

Open
dtorras wants to merge 4 commits into kimai:main from dtorras:feature/api-create-access-token

Conversation

@dtorras dtorras commented Apr 28, 2026

Description

Adds a new API endpoint POST /api/users/{id}/api-token that creates a new AccessToken for the given user and returns the plain token in the response. This is the missing counterpart of the existing DELETE /api/users/api-token/{id}.

Currently the only way to obtain an AccessToken is via the web UI. This blocks any automated provisioning flow that needs to create a Kimai user and immediately get a usable Bearer token for that user — for example, a SaaS integration that creates one Kimai user per customer. The legacy plainApiToken field on POST /api/users only populates the deprecated users.api_token column used by the X-AUTH-USER/X-AUTH-TOKEN headers, which is not interchangeable with Authorization: Bearer ….

To guarantee that tokens generated via the API and via the web UI always follow the same algorithm, the random-token generation has been extracted into a new factory method AccessToken::createForUser(User $user): self. Both ProfileController::createAccessToken and the new UserController::postApiToken now use this single source of truth. The AccessToken constructor signature (User $user, string $token) is left unchanged so that fixtures and ResetTestCommand, which need predictable tokens, keep working as-is.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I verified that my code applies to the guidelines (composer code-check)
  • I updated the documentation (OpenAPI annotations are included in the controller; happy to open a follow-up PR on www.kimai.org if maintainers want a manual mention)
  • I agree that this code is used in Kimai (see license)
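An added illustration of the shape the description and the follow-up commits sketch, not code from this PR or from Kimai: an AccessToken whose $token argument is optional and is filled with a CSPRNG value when omitted, and a controller action that mints one for a user behind the same 'api-token' voter the profile page uses. The User class, the Symfony imports, the {id} to $profile entity binding, the 32-byte token length and the JSON shape are assumptions.

```php
<?php
// Added illustration, not code from this PR or from Kimai. Class names, the token length,
// the entity binding and the JSON shape are assumptions; the route and the IsGranted guard
// are the ones named in the PR discussion.
declare(strict_types=1);

use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted;

final class AccessToken
{
    private string $token;

    // $token stays optional: fixtures and ResetTestCommand pass a predictable value,
    // while the web UI and the API omit it and get a random one from this single place.
    public function __construct(private User $user, ?string $token = null)
    {
        // CSPRNG only: 32 random bytes become 64 hex characters. Never uniqid()/mt_rand() for a credential.
        $this->token = $token ?? bin2hex(random_bytes(32));
    }

    public function getToken(): string { return $this->token; }
    public function getUser(): User { return $this->user; }
}

final class UserController
{
    // Same voter attribute and subject as ProfileController::createAccessToken, so the API
    // cannot mint a token for a user the caller is not permitted to manage.
    #[Route(path: '/api/users/{id}/api-token', methods: ['POST'])]
    #[IsGranted('api-token', 'profile')]
    public function postApiToken(User $profile, EntityManagerInterface $em): JsonResponse
    {
        $accessToken = new AccessToken($profile); // no $token given: random value generated
        $em->persist($accessToken);
        $em->flush();

        // The plain token is returned once, in this response; the caller has to store it.
        return new JsonResponse(['token' => $accessToken->getToken()], Response::HTTP_CREATED);
    }
}
```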

@CLAassistant CLAassistant commented Apr 28, 2026

CLA assistant check
All committers have signed the CLA.

@kevinpapst kevinpapst (Member) left a comment

please address these issues and then we can discuss how to move forward

Review threads:

  • src/Entity/AccessToken.php (Outdated)
  • src/API/UserController.php
  • src/Controller/ProfileController.php (Outdated)
dtorras added 2 commits May 12, 2026 12:00

  • Makes the $token argument optional and generates a random token when omitted, removing the need for a separate static factory.
  • Replaces the inline authorization checks with the IsGranted attribute, matching the pattern used in ProfileController::createAccessToken.

@dtorras dtorras (Author) commented May 12, 2026

@kevinpapst Done. Added #[IsGranted('api-token', 'profile')] matching the pattern in ProfileController::createAccessToken.

@dtorras dtorras requested a review from kevinpapst May 12, 2026 10:07

@kevinpapst kevinpapst (Member) left a comment

The entire method is LLM generated and does not follow the overall setup of the Kimai API definitions.
Prompting is just 10% of the game.
Are you going to make it compatible with the rest of the application?

@dtorras dtorras (Author) commented May 22, 2026

Yes, I want the contribution to be functional. That's why I'd been applying your earlier feedback as it came in.

This is my first PR to Kimai and I'm not familiar with the codebase. I'd been looking to use the API with your Cloud product, but saw that API passwords will be removed without a programmatic alternative for creating access tokens. So I opened a small PR to add the missing endpoint. I don't quite understand the tone of your last message, and I don't think it was necessary.

The technical point is fair though, and I understand it. I've gone through the branch again.

@kevinpapst kevinpapst (Member) commented

> I don't quite understand the tone of your last message, and I don't think it was necessary.

Please don't read what was never said.
The method you want to add is very dangerous.

If you want to discuss a PR first, then please:

  • mention it in the description
  • create it as draft

If you want me to maintain your code long term, I think it's fair to ask you to put some effort into it upfront.
I do use LLMs as well and I believe that I can see whether code was prompted or also manually adjusted.
Now, after your last commit, it looks much better and now I am willing to give it an honest review. Thanks 👍
