Token tweaks (#5761)

* Ensure token name is trimmed

* Improve sanitizing of token name

InvenTree/users/api.py

@@ -86,7 +86,7 @@ class RoleDetails(APIView):
 
         for ruleset in RuleSet.RULESET_CHOICES:
 
-            role, text = ruleset
+            role, _text = ruleset
 
             permissions = []
 
@@ -199,6 +199,8 @@ class GetAuthToken(APIView):
             user = request.user
             name = request.query_params.get('name', '')
 
+            name = ApiToken.sanitize_name(name)
+
             # Delete any matching tokens
             ApiToken.objects.filter(user=user, name=name).delete()
 

InvenTree/users/models.py

@@ -20,6 +20,7 @@ from django.utils.translation import gettext_lazy as _
 
 from rest_framework.authtoken.models import Token as AuthToken
 
+import InvenTree.helpers
 from InvenTree.ready import canAppAccessDatabase
 
 logger = logging.getLogger("inventree")
@@ -98,6 +99,22 @@ class ApiToken(AuthToken):
         help_text=_('Token has been revoked'),
     )
 
+    @staticmethod
+    def sanitize_name(name: str):
+        """Sanitize the provide name value"""
+
+        name = str(name).strip()
+
+        # Remove any non-printable chars
+        name = InvenTree.helpers.remove_non_printable_characters(name, remove_newline=True)
+        name = InvenTree.helpers.strip_html_tags(name)
+
+        name = name.replace(' ', '-')
+        # Limit to 100 characters
+        name = name[:100]
+
+        return name
+
     @property
     @admin.display(description=_('Token'))
     def token(self):

InvenTree/users/test_api.py

@@ -89,6 +89,12 @@ class UserTokenTests(InvenTreeAPITestCase):
         with self.assertRaises(ApiToken.DoesNotExist):
             token.refresh_from_db()
 
+        # Test with a really long name
+        data = self.get(url, data={'name': 'cat' * 100}, expected_code=200).data
+
+        # Name should be truncated
+        self.assertEqual(len(data['name']), 100)
+
     def test_token_auth(self):
         """Test user token authentication"""