
Key rotation (drf-simple-apikey, 4 comments, closed)

koladev32 commented on August 17, 2024
Key rotation

from drf-simple-apikey.

Comments (4)

koladev32 commented on August 17, 2024
  • Test that the API keys change after the rotation.
  • Ensure that the rotation hasn't started if we have no API key instances and the user has recently installed the package.


koladev32 commented on August 17, 2024

Implement Key Rotation with Caching for Enhanced Performance

Background

Key rotation enhances security by limiting the potential damage caused by a compromised key. In our design discussions, we've identified the need for centralized control of key rotation configurations, potentially using a RotationConfig model. To ensure the system remains performant and doesn't hit the database on every request, it's recommended to use Django's caching mechanism.

Issue

For projects that haven't set up caching, there will be unnecessary overhead as the system will query the database frequently to check for rotation status.

Proposed Solution

  • Rotation Configuration Model:
    • Create a RotationConfig model with fields like is_rotation_enabled, last_rotation_date, and next_rotation_date.
    • This model should typically contain a single record to hold the current rotation status.
  • Caching Rotation Status:
    • Use Django's caching mechanism to cache the rotation status.
    • On every request, check the cache first. If the rotation status isn't in the cache, query the RotationConfig model and cache the result.
    • When the rotation status changes (either through a scheduled task or manual initiation), update the RotationConfig model and clear the corresponding cache.
  • Configuration Warning:
    • On application/package initialization, check if caching is properly configured. If not, issue a warning recommending the configuration of caching for the rotation feature.
    • Emphasize the importance of caching in the package documentation.
  • Documentation:
    • Update the documentation to guide developers on setting up caching for the rotation feature. Provide examples and links to Django's caching documentation.

Acceptance Criteria

  • A RotationConfig model is implemented and effectively tracks key rotation status.
  • Rotation status is cached using Django's caching mechanism.
  • Warnings are issued if caching isn't set up.
  • Documentation is updated to guide developers on setting up caching.
  • Celery should be optional as a package, as this feature is not required.

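The cache-aside read, the cache invalidation on rotation, the initialization-time warning, and the two test cases from the earlier comment (keys change after rotation; a fresh install with no keys is left alone), as an added example that is not part of the issue or of drf-simple-apikey. `DummyCache`, `LocMemCache` and `Store` are constructed stand-ins for Django's cache backends and the database, and `CACHE_KEY`, `CACHE_TTL_SECONDS` and the `period_days` default are assumed values:

```python
import secrets
import warnings
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CACHE_KEY = "drf_simple_apikey:rotation_status"  # constructed cache key name
CACHE_TTL_SECONDS = 300                           # constructed TTL


class DummyCache:
    """Stand-in for Django's DummyCache: discards everything it is given."""
    def get(self, key, default=None):
        return default

    def set(self, key, value, timeout=None):
        pass

    def delete(self, key):
        pass


class LocMemCache:
    """Stand-in for a real Django cache backend (TTL ignored for brevity)."""
    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def set(self, key, value, timeout=None):
        self._data[key] = value

    def delete(self, key):
        self._data.pop(key, None)


@dataclass
class RotationConfig:
    """Single-row config carrying the fields proposed in the issue."""
    is_rotation_enabled: bool = True
    last_rotation_date: Optional[datetime] = None
    next_rotation_date: Optional[datetime] = None


@dataclass
class APIKey:
    name: str
    key: str


class Store:
    """Stand-in for the database; counts config reads so caching is observable."""
    def __init__(self, keys=()):
        self.config = RotationConfig()
        self.keys = list(keys)
        self.config_reads = 0

    def load_config(self) -> RotationConfig:
        self.config_reads += 1
        return self.config


def check_cache_configured(cache) -> bool:
    """Initialization-time check: warn when the cache backend never holds data."""
    if isinstance(cache, DummyCache):
        warnings.warn("Rotation status will be read from the database on every "
                      "request; configure a real cache backend.", RuntimeWarning)
        return False
    return True


def rotation_status(store, cache) -> dict:
    """Cache-aside read: serve from cache, else load the config row and cache it."""
    status = cache.get(CACHE_KEY)
    if status is None:
        cfg = store.load_config()
        status = {"enabled": cfg.is_rotation_enabled,
                  "next_rotation_date": cfg.next_rotation_date}
        cache.set(CACHE_KEY, status, timeout=CACHE_TTL_SECONDS)
    return status


def rotate_keys(store, cache, now=None, period_days=30) -> list:
    """Give every key a new secret, update the config row, invalidate the cache.
    A fresh install with no keys (or rotation disabled) is left untouched."""
    if not store.keys or not store.config.is_rotation_enabled:
        return []
    now = now or datetime.now(timezone.utc)
    for k in store.keys:
        k.key = secrets.token_urlsafe(32)  # fresh random secret per key
    store.config.last_rotation_date = now
    store.config.next_rotation_date = now + timedelta(days=period_days)
    cache.delete(CACHE_KEY)  # next request re-reads the updated row
    return list(store.keys)


if __name__ == "__main__":
    cache = LocMemCache()
    store = Store([APIKey("svc-a", "old-a"), APIKey("svc-b", "old-b")])
    print(rotation_status(store, cache), "db reads:", store.config_reads)
    print([k.key for k in rotate_keys(store, cache)])
    print(rotation_status(store, cache), "db reads:", store.config_reads)
```

With `LocMemCache` the second `rotation_status` call never touches the store; with `DummyCache` every call does, which is exactly the overhead the issue warns about and why the initialization check is worth having.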

koladev32 commented on August 17, 2024

In the future, we will implement features such as:

  • A system to notify API key users about ongoing key rotations.
  • A mechanism to alert developers about unusual API key usage patterns.
  • A model or logging system to track completed key rotations.


koladev32 commented on August 17, 2024

@asiedu-kev @LewisYann @Ederene20 I need your opinions here if you have some time.🙏
