Add server token retrieval feature to dashboard #49
Users can now view and copy their server authentication token from the dashboard settings page. The token is stored when servers are linked and can be revealed with a show/hide toggle. This enables users to retrieve their token without needing direct access to the plugin configuration.
| const [tokenLoading, setTokenLoading] = useState(false); | ||
| const [tokenError, setTokenError] = useState<string | null>(null); | ||
| const [showToken, setShowToken] = useState(false); | ||
| const [copied, setCopied] = useState(false); |
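Review bot: tokenLoading, tokenError, showToken and copied are four independent useState hooks, so combinations such as loading together with a stale error are representable and each value has to be cleared by hand. Consider a single state value with a status such as idle, loading, error or revealed, so that one setter call returns the panel to its initial state and the render conditions read off one field.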
Token state persists when switching between servers
The token-related state (token, tokenError, showToken, copied) is not reset when serverId changes. When a user reveals a token for one server, then switches to a different server via the sidebar, the previous server's token remains displayed. This could cause users to copy and use the wrong server's authentication token. Other pages like the modules page properly reset their state when the selected server changes.
| const update: Record<string, unknown> = { | ||
| owner_user_id: user.id, | ||
| registered_at: new Date().toISOString(), | ||
| auth_token: token, // Store plain token so user can retrieve it later |
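Review bot: `auth_token: token` puts the raw credential into the same update as `owner_user_id` and `registered_at`, and the inline comment records the intent but not how the column is protected. Suggest encrypting the value before it is added to `update`, with the key held outside the database, and extending the comment to say who may read the column.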
Authentication tokens stored in plaintext in database
Authentication tokens are stored in plaintext in the auth_token column. While the system already uses auth_token_hash for server lookups, storing the raw token means a database breach would expose all server authentication credentials. An attacker with database access could impersonate any registered server. Consider whether the token retrieval feature justifies this risk, or explore alternatives like encrypted storage with a separate key.
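One way to implement the "encrypted storage with a separate key" alternative raised in the review comment above, as an added example that is not code from this PR or project. Assumptions: the column name `auth_token_enc`, SHA-256 for `auth_token_hash`, and a 32-byte key supplied from outside the database are all hypothetical; the key and token here are constructed so the block runs offline.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

// Assumption: in a deployment this key comes from an env var or KMS, never from the database.
// Constructed here so the example runs offline.
const DEMO_KEY = randomBytes(32);

// Hypothetical row shape: the hash is still used for lookups, the sealed blob only for "reveal".
interface SealedToken { auth_token_hash: string; auth_token_enc: string; }

function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

// AES-256-GCM with the server id bound as AAD, so a blob copied onto
// another server's row fails authentication instead of decrypting.
function sealToken(token: string, serverId: string, key: Buffer): SealedToken {
  const iv = randomBytes(12); // fresh nonce per encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(serverId, "utf8"));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  // Stored layout: 12-byte iv | 16-byte tag | ciphertext, base64-encoded.
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
  return { auth_token_hash: hashToken(token), auth_token_enc: blob };
}

// Returns the token, or null when the key, server id or blob does not verify.
function openToken(row: SealedToken, serverId: string, key: Buffer): string | null {
  const raw = Buffer.from(row.auth_token_enc, "base64");
  if (raw.length < 28) return null; // too short to hold iv + tag
  const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(serverId, "utf8"));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null; // wrong key, wrong server id, or tampered ciphertext
  }
}
```

With this layout a dump of the table alone yields only hashes and ciphertext; revealing a token requires the key held by the application.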
| <RiAlertLine className="h-4 w-4" /> | ||
| {tokenError} | ||
| </div> | ||
| )} |
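Review bot: the error block closes at `</div>` with only the icon and `{tokenError}` inside it, so the message is shown verbatim and there is nothing for the user to act on. If that string can come from the API response, map it to a fixed set of user-facing messages, and put a retry control inside this block.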
No retry option after token load failure
When token loading fails and tokenError is set, the "Reveal Token" button becomes hidden because the condition token === null && !tokenLoading && !tokenError evaluates to false. The error message is displayed, but users have no way to retry the request without refreshing the entire page. The !tokenError part of the condition prevents the button from appearing when an error exists.
Summary
Users can now view and copy their server authentication token from the dashboard settings page. The token is stored when servers are registered and displayed with show/hide and copy-to-clipboard functionality.
Changes
- /api/servers/[id]/token endpoint to retrieve stored tokens

How it works
Note
Enables viewing and copying a server auth token from the dashboard, with backend support to fetch stored tokens securely.
- GET /api/servers/[id]/token reads servers.auth_token with auth/ownership checks and clear error responses when unavailable
- POST /api/servers/register now persists plain auth_token alongside existing data so it can be retrieved later
- Reveal Token), show/hide masking, and copy-to-clipboard with feedback in app/(dashboard)/dashboard/settings/page.tsx

Written by Cursor Bugbot for commit dc8df6e. This will update automatically on new commits.