Seafile Authorization Tokens

I am busy working on a companion application for my Seafile server. I’m using Java Spring Boot to interact with the Seafile web API. This is a local installation.

How long does it take for a user auth-token to expire?

Is this configurable?

After experimenting with this a bit, i.e. making a Postman request to https://myseafile.local/api2/repos/ for example, the API key obtained yesterday never changes and is always valid, with no way to invalidate it.

This negates the need for MFA and provides permanent access via token to clients. How is this not a security risk? I dug into my database, and it appears Seahub just stores the API token in the database in plain text as well.

@daniel.pan @Jonathan
I think this is also a serious problem.

The API token is already a random string; storing it using symmetric encryption does not make much sense or increase security, as anyone can read the source code and decrypt it.

When you reset the password, the API token will be removed too.

For client access, every client will have its own token, and a client can be removed from the web interface.

If you use an account for API purposes, the best approach is using a library API token that restricts access to a library, or using a dedicated account.

What is actually missing is an overview of existing tokens and when they were last used, or mechanisms to let them expire.

I agree that the “missing” encryption of API tokens is no issue. When someone is able to steal them, they have access to confidential information anyway.

Right, but let’s say my web app makes a request to Seafile to get an API token. I get the token and start making some calls. The user logs out. That token is still valid. Is there any way to get a token that is invalidated at logout? You can’t prevent someone from getting in, but you can minimize the time they have to do damage.

I think this permanent key is meant for things like the sync client that has “always logged in” checked; however, for an app like mine, where there is no permanent access, there is no other option.
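Since the thread concludes that the Seafile server itself offers no logout-bound or expiring token, the remaining mitigation for a companion app is to bound the token's exposure on the app side. The following is an added example (not Seafile's or Seahub's code, and not from any poster) of a server-side vault that hands the browser only an opaque session id, drops the Seafile token on logout, enforces a hard and an idle TTL, and exposes the "which tokens exist and when were they last used" overview the thread says is missing; the TTL values and the injected clock are assumptions for illustration.

```python
# Added example: application-side lifetime management for Seafile API tokens.
# The token itself remains valid on the Seafile server; this only limits how
# long the companion app keeps it usable.
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    seafile_token: str
    issued_at: float
    last_used: float


class TokenVault:
    """Maps opaque session ids to Seafile API tokens with hard and idle TTLs."""

    def __init__(self, max_age_s=8 * 3600, idle_s=30 * 60, clock=time.time):
        self._clock = clock          # injectable for testing (assumption)
        self._max_age = max_age_s    # absolute lifetime after login
        self._idle = idle_s          # lifetime without use
        self._entries = {}

    def _expired(self, e, now):
        return now - e.issued_at > self._max_age or now - e.last_used > self._idle

    def login(self, seafile_token):
        # The browser only ever sees this random id, never the API token.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._entries[sid] = _Entry(seafile_token, now, now)
        return sid

    def token_for(self, sid):
        """Return the Seafile token for a live session, or None (and forget it) if expired."""
        e = self._entries.get(sid)
        if e is None:
            return None
        now = self._clock()
        if self._expired(e, now):
            del self._entries[sid]
            return None
        e.last_used = now
        return e.seafile_token

    def logout(self, sid):
        """Drop the token at logout; True if a session was actually removed."""
        return self._entries.pop(sid, None) is not None

    def sweep(self):
        """Periodic cleanup of expired sessions; returns how many were dropped."""
        now = self._clock()
        dead = [s for s, e in self._entries.items() if self._expired(e, now)]
        for s in dead:
            del self._entries[s]
        return len(dead)

    def active_sessions(self):
        """Overview of live sessions: session id -> (issued_at, last_used)."""
        return {s: (e.issued_at, e.last_used) for s, e in self._entries.items()}
```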