
fix(api): simplify token encoding

Peter Thomassen 5 years ago
parent
commit
49e666f457
4 changed files with 10 additions and 10 deletions
  1. README.md (+2 -2)
  2. api/desecapi/models.py (+2 -2)
  3. docs/authentication.rst (+5 -5)
  4. test/e2e/schemas.js (+1 -1)

+ 2 - 2
README.md

@@ -146,12 +146,12 @@ While there are certainly many ways to get started hacking desec-stack, here is
         The deSEC API will reply with an authentication token to the second request, similar to 
 
            {
-               "auth_token": "i+T3b1h/OI+H9ab8tRS98stGtURe"
+               "auth_token": "i-T3b1h_OI-H9ab8tRS98stGtURe"
            }
 
         Setup a shell variable that holds the authentication token for future use:
 
-           TOKEN=i+T3b1h/OI+H9ab8tRS98stGtURe
+           TOKEN=i-T3b1h_OI-H9ab8tRS98stGtURe
 
         Check your email and follow the instructions for completing the registration.
 

+ 2 - 2
api/desecapi/models.py

@@ -7,7 +7,7 @@ import secrets
 import string
 import time
 import uuid
-from base64 import b64encode
+from base64 import urlsafe_b64encode
 from datetime import datetime, timedelta
 from os import urandom
 
@@ -185,7 +185,7 @@ class Token(rest_framework.authtoken.models.Token):
         super().save(*args, **kwargs)  # Call the "real" save() method.
 
     def generate_key(self):
-        return b64encode(urandom(21)).decode('utf-8').replace('/', '-').replace('=', '_').replace('+', '.')
+        return urlsafe_b64encode(urandom(21)).decode()
 
     class Meta:
         abstract = False
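Review bot: `secrets` is already imported at the top of this module, and `secrets.token_urlsafe(21)` yields exactly what the new `generate_key` builds (URL-safe Base64 of 21 random bytes with padding stripped), so the replacement line could simply be `return secrets.token_urlsafe(21)`, which also removes the need for the `urlsafe_b64encode` and `urandom` imports. The new line is correct as written: 21 bytes is a multiple of 3, so the result is 28 characters drawn from `A-Za-z0-9-_` with no `=`; a one-line comment tying the byte count to that property would help, since changing it to a non-multiple of 3 would silently reintroduce `=` and break the 28-character expectation in the docs and the e2e regex. One more thing to state in the commit message: tokens generated by the old code may contain `.` (the old replacement for `+`), so previously issued tokens no longer match the documented alphabet, and whether they are still accepted or should be rotated is worth spelling out.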

+ 5 - 5
docs/authentication.rst

@@ -137,7 +137,7 @@ email address and password to the ``/auth/login/`` endpoint::
 If email address and password match our records, the server will reply with
 ``201 Created`` and send you the token as part of the response body::
 
-    {"auth_token": "i+T3b1h/OI+H9ab8tRS98stGtURe"}
+    {"auth_token": "i-T3b1h_OI-H9ab8tRS98stGtURe"}
 
 In case of credential mismatch, the server replies with ``401 Unauthorized``.
 
@@ -148,7 +148,7 @@ To authorize subsequent requests with the new token, set the HTTP ``Authorizatio
 header to the token value, prefixed with ``Token``::
 
     curl -X GET https://desec.io/api/v1/ \
-        --header "Authorization: Token i+T3b1h/OI+H9ab8tRS98stGtURe"
+        --header "Authorization: Token i-T3b1h_OI-H9ab8tRS98stGtURe"
 
 
 Retrieve Account Information
@@ -158,7 +158,7 @@ To request information about your account, send a ``GET`` request to the
 ``/auth/account/`` endpoint::
 
     curl -X GET https://desec.io/api/v1/auth/account/ \
-        --header "Authorization: Token i+T3b1h/OI+H9ab8tRS98stGtURe"
+        --header "Authorization: Token i-T3b1h_OI-H9ab8tRS98stGtURe"
 
 A JSON object representing your user account will be returned::
 
@@ -448,8 +448,8 @@ to change in the future.
 Any token is generated from 168 bits of true randomness at the server. Guessing
 the token correctly is hence practically impossible. The value corresponds to 21
 bytes and is represented by 28 characters in Base64-like encoding. That is, any token
-will only consist of URL-safe characters ``A-Z``, ``a-z``, ``-``, and ``.``. (We do not
-have any padding at the end because the string length is a multiple of 4.)
+will only consist of URL-safe characters ``A-Z``, ``a-z``, ``0-9``, ``-``, and ``_``.
+(We do not have any padding at the end because the string length is a multiple of 4.)
 
 As all tokens are stored in plain text on the server, the user may not choose
 the token value individually to prevent re-using passwords as tokens at deSEC.
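Review bot: the parenthetical's reasoning is circular: padding is absent because 21 bytes is a multiple of 3 (three bytes always encode to four characters with no `=`), and that is also why the length comes out at 28; "because the string length is a multiple of 4" describes the result rather than the cause. Suggest "(There is no padding at the end because 21 bytes is a multiple of 3.)". Also, now that the code uses `urlsafe_b64encode`, "Base64-like encoding" can be named precisely as the URL-safe Base64 alphabet of RFC 4648 section 5; adding `0-9` to the character list correctly fixes an omission in the old text.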

+ 1 - 1
test/e2e/schemas.js

@@ -100,4 +100,4 @@ exports.tokens = {
     items: exports.token
 };
 
-exports.TOKEN_REGEX = /^[A-Za-z0-9\.\-]{28}$/
+exports.TOKEN_REGEX = /^[A-Za-z0-9_-]{28}$/
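Review bot: the new character class is right: inside `[...]` a trailing `-` is literal, so `[A-Za-z0-9_-]` needs no escaping, and it now matches the alphabet in docs/authentication.rst and in `generate_key`. Two small points: the statement lacks a terminating `;` while the surrounding `exports.tokens = {...};` uses one, and any e2e fixture still carrying a token from the old encoding (which could contain `.`) will now be rejected by this regex, so fixtures should be checked alongside this change.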