210 lines
5.1 KiB
Markdown
210 lines
5.1 KiB
Markdown
# API Token Vault
|
|
|
|
[](https://7000pct.gitea.bloupla.net/7000pctAUTO/api-token-vault/actions)
|
|
[](https://opensource.org/licenses/MIT)
|
|
[](https://www.rust-lang.org)
|
|
|
|
A Rust CLI tool that generates cryptographically secure API tokens, stores them in an encrypted local vault, rotates them on configurable schedules, and injects them into .env files. Provides multi-project isolation with separate vaults per project.
|
|
|
|
## Features
|
|
|
|
- **Secure Token Generation**: Generate cryptographically secure API tokens using libsodium
|
|
- **Encrypted Vault Storage**: All tokens stored encrypted using libsodium's secretbox
|
|
- **Auto-Rotation Schedules**: Configure automatic token rotation with configurable intervals
|
|
- **.env File Injection**: Inject tokens directly into .env files with custom prefixes
|
|
- **Multi-Project Isolation**: Separate vaults for different projects with independent passwords
|
|
- **Secure Key Derivation**: Uses Argon2id for deriving encryption keys from master passwords
|
|
|
|
## Installation
|
|
|
|
### From Crates.io
|
|
|
|
```bash
|
|
cargo install api-token-vault
|
|
```
|
|
|
|
### From Source
|
|
|
|
```bash
|
|
git clone https://7000pct.gitea.bloupla.net/7000pctAUTO/api-token-vault.git
|
|
cd api-token-vault
|
|
cargo build --release
|
|
```
|
|
|
|
The binary will be at `target/release/api-token-vault`.
|
|
|
|
## Quick Start
|
|
|
|
### Initialize a Vault
|
|
|
|
```bash
|
|
api-token-vault init --project my-project
|
|
```
|
|
|
|
You can also set the project via environment variable:
|
|
|
|
```bash
|
|
export API_VAULT_PROJECT=my-project
|
|
api-token-vault init
|
|
```
|
|
|
|
### Generate a Token
|
|
|
|
```bash
|
|
api-token-vault generate --name api_key --length 32
|
|
```
|
|
|
|
### List All Tokens
|
|
|
|
```bash
|
|
api-token-vault list
|
|
```
|
|
|
|
### Get a Token Value
|
|
|
|
```bash
|
|
api-token-vault get --name api_key
|
|
api-token-vault get --name api_key --raw # Output only the token value
|
|
```
|
|
|
|
### Rotate a Token
|
|
|
|
```bash
|
|
api-token-vault rotate --name api_key
|
|
api-token-vault rotate --name api_key --force # Force rotation even if not due
|
|
```
|
|
|
|
### Set Auto-Rotation
|
|
|
|
```bash
|
|
api-token-vault set-rotation --name api_key --days 30
|
|
```
|
|
|
|
### Check Expired Tokens
|
|
|
|
```bash
|
|
api-token-vault check-expired
|
|
```
|
|
|
|
### Rotate All Expired Tokens
|
|
|
|
```bash
|
|
api-token-vault rotate-expired
|
|
```
|
|
|
|
### Inject Tokens into .env File
|
|
|
|
```bash
|
|
api-token-vault inject --env-file .env
|
|
api-token-vault inject --env-file .env --dry-run # Preview changes without writing
|
|
api-token-vault inject --env-file .env --token-prefix MY_TOKEN_ # Custom prefix
|
|
```
|
|
|
|
### Delete a Token
|
|
|
|
```bash
|
|
api-token-vault delete --name api_key
|
|
```
|
|
|
|
## Command Reference
|
|
|
|
| Command | Description |
|
|
|---------|-------------|
|
|
| `init` | Initialize a new vault for a project |
|
|
| `generate` | Generate a new secure API token |
|
|
| `list` | List all tokens in the vault |
|
|
| `get` | Get a specific token value |
|
|
| `delete` | Delete a token from the vault |
|
|
| `rotate` | Rotate (regenerate) a specific token |
|
|
| `set-rotation` | Set auto-rotation schedule for a token |
|
|
| `inject` | Inject tokens into a .env file |
|
|
| `check-expired` | Check for expired tokens |
|
|
| `rotate-expired` | Rotate all expired tokens |
|
|
|
|
## Configuration
|
|
|
|
### Environment Variables
|
|
|
|
| Variable | Description |
|
|
|----------|-------------|
|
|
| `API_VAULT_PATH` | Custom path for vault storage directory |
|
|
| `API_VAULT_PROJECT` | Default project name (used when not specified via CLI) |
|
|
|
|
### Vault Location
|
|
|
|
By default, vaults are stored in:
|
|
- Linux/macOS: `~/.config/api-token-vault/`
|
|
- Windows: `%APPDATA%\api-token-vault\`
|
|
|
|
Each project has its own vault file: `~/.config/api-token-vault/{project_name}.json`
|
|
|
|
## Security
|
|
|
|
- **Encryption**: Uses libsodium's secretbox for authenticated encryption
|
|
- **Key Derivation**: Uses Argon2id (via libsodium's pwhash) for key derivation
|
|
- **Master Password**: Required to access each vault
|
|
- **Salt**: Unique salt per vault for key derivation
|
|
|
|
## Token Formats
|
|
|
|
The tool can generate tokens in various formats:
|
|
- **Default**: Base64-encoded secure random bytes
|
|
- **Hex**: Hexadecimal encoded
|
|
- **Alphanumeric**: Letters and numbers only
|
|
- **API Key**: With custom prefix (e.g., `sk_live_xxxxx`)
|
|
|
|
## Development
|
|
|
|
### Build
|
|
|
|
```bash
|
|
cargo build
|
|
cargo build --release
|
|
```
|
|
|
|
### Run Tests
|
|
|
|
```bash
|
|
cargo test
|
|
cargo test --all
|
|
```
|
|
|
|
### Lint
|
|
|
|
```bash
|
|
cargo clippy
|
|
```
|
|
|
|
### Benchmarks
|
|
|
|
```bash
|
|
cargo bench
|
|
```
|
|
|
|
## Project Structure
|
|
|
|
```
|
|
api-token-vault/
|
|
├── Cargo.toml
|
|
├── Cargo.lock
|
|
├── README.md
|
|
├── src/
|
|
│ ├── main.rs # Entry point and command handling
|
|
│ ├── cli.rs # CLI argument parsing with clap
|
|
│ ├── vault.rs # Vault storage and management
|
|
│ ├── token.rs # Token generation and data structures
|
|
│ ├── rotation.rs # Token rotation scheduling
|
|
│ ├── env_injector.rs # .env file injection
|
|
│ └── crypto.rs # Cryptographic operations
|
|
└── tests/
|
|
└── integration_tests.rs
|
|
```
|
|
|
|
## Contributing
|
|
|
|
Contributions are welcome! Please feel free to submit a Pull Request.
|
|
|
|
## License
|
|
|
|
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
|