Merge branch 'develop' of https://github.com/NodeBB/NodeBB into develop

install/package.json

@@ -53,7 +53,7 @@
         "connect-mongo": "5.0.0",
         "connect-multiparty": "2.2.0",
         "connect-pg-simple": "8.0.0",
-        "connect-redis": "7.0.1",
+        "connect-redis": "7.1.0",
         "cookie-parser": "1.4.6",
         "cron": "2.3.0",
         "cropperjs": "1.5.13",
@@ -70,7 +70,7 @@
         "helmet": "7.0.0",
         "html-to-text": "9.0.5",
         "ipaddr.js": "2.0.1",
-        "jquery": "3.6.4",
+        "jquery": "3.7.0",
         "jquery-deserialize": "2.0.0",
         "jquery-form": "4.3.0",
         "jquery-serializeobject": "1.0.0",
@@ -105,7 +105,7 @@
         "nodebb-theme-peace": "2.0.22",
         "nodebb-theme-persona": "13.0.65",
         "nodebb-widget-essentials": "7.0.12",
-        "nodemailer": "6.9.1",
+        "nodemailer": "6.9.2",
         "nprogress": "0.2.0",
         "passport": "0.6.0",
         "passport-http-bearer": "1.0.1",
@@ -173,7 +173,7 @@
         "sass-embedded": "1.62.0"
     },
     "resolutions": {
-        "*/jquery": "3.6.4"
+        "*/jquery": "3.7.0"
     },
     "bugs": {
         "url": "https://github.com/NodeBB/NodeBB/issues"

public/language/ar/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/bg/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Настройки",
 	"lead-text": "На тази страница можете да настроите достъпа до ППИ за писане в NodeBB.",
 	"intro": "По подразбиране ППИ за писане удостоверява потребителите чрез бисквитката им за сесията, но NodeBB поддържа и удостоверяване чрез метода „Bearer“, използвайки кодовете от тази страница.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Щракнете тук за достъп до пълната документация на ППИ",
 
 	"require-https": "Ползването на ППИ да работи само чрез HTTPS",
 	"require-https-caveat": "<strong>Забележка</strong>: В някои случаи, когато се ползват програми за  балансиране на натоварването, е възможно заявките към NodeBB да се препращат чрез HTTP – тогава тази настройка трябва да остане изключена.",
 
 	"uid": "Потребителски ИД",
+	"token": "Token",
 	"uid-help-text": "Посочете потребителски ИД, който да бъде свързан с този код. Ако ИД е <code>0</code>, това ще се счита за <em>главен</em> код, който може да приема идентичността на всеки от другите потребители чрез параметъра <code>_uid</code>",
 	"description": "Описание",
-	"last-seen-ago": "Последно използван <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Последно използван на <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "Този ключ не е използван никога.",
 	"no-description": "Няма описание.",
-	"token-on-save": "Кодът ще бъде създаден след като данните бъдат запазени"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/bn/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/cs/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/da/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/de/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Einstellungen",
 	"lead-text": "Auf dieser Seite kanst Du den Zugriff auf die Write-API in NodeBB konfigurieren.",
 	"intro": "Standardmäßig authentifiziert die Write-API Benutzer basierend auf ihrem Sitzungscookie, aber NodeBB unterstützt auch die Bearer-Authentifizierung über Token, die über diese Seite generiert werden.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Klicke hier, um auf die vollständige API-Spezifikation zuzugreifen",
 
 	"require-https": "API-Nutzung nur über HTTPS möglich",
 	"require-https-caveat": "<strong>Hinweis</strong>: Einige Installationen mit Load Balancern können ihre Anfragen über HTTP an NodeBB weiterleiten, in diesem Fall sollte diese Option deaktiviert bleiben.",
 
 	"uid": "Nutzer–ID",
+	"token": "Token",
 	"uid-help-text": "Gebe eine Benutzer-ID an, die diesem Token zugeordnet werden soll. Wenn die Benutzer-ID <code>0</code> ist, wird sie als <em>Master</em>-Token betrachtet, das basierend auf dem <code>_uid</code>-Parameter die Identität anderer Benutzer annehmen kann",
 	"description": "Beschreibung",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "Keine Beschreibung angegeben.",
-	"token-on-save": "Token wird generiert, sobald das Formular gespeichert wird"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/el/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/en-GB/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/en-US/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/en-x-pirate/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/es/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/et/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/fa-IR/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/fi/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/fr/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Paramètres",
 	"lead-text": "À partir de cette page, vous pouvez paramétrer l'accès à l'API dans NodeBB.",
 	"intro": "Par défaut, l'API authentifie les utilisateurs en fonction de leur cookie de session, mais NodeBB prend également en charge l'authentification du porteur via des tokens générés via cette page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Cliquez ici pour accéder à la documentation de l'API",
 
 	"require-https": "Forcer l'utilisation de l'API via HTTPS uniquement",
 	"require-https-caveat": "<strong>Remarque</strong>: certaines installations impliquant des load balancer peuvent transmettre leurs requêtes à NodeBB via HTTP, auquel cas cette option doit rester désactivée.",
 
 	"uid": "ID Utilisateur",
+	"token": "Token",
 	"uid-help-text": "Spécifiez un ID utilisateur à associer à ce token. Si l'ID utilisateur est 0, il sera considéré comme un token <code>maître<em>, qui peut prendre l'identité d'autres utilisateurs en fonction du paramètre <code>_uid</code>",
 	"description": "Description",
-	"last-seen-ago": "Dernière utilisation <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Dernière utilisation sur <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "Cette clé n'a jamais été utilisée.",
 	"no-description": "Aucune description spécifiée.",
-	"token-on-save": "Le token sera généré une fois le formulaire enregistré"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/gl/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/he/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "הגדרות",
 	"lead-text": "מעמוד זה תוכלו להגדיר גישת כתיבה ל-API ב- NodeBB.",
 	"intro": "כברירת מחדל, ה- API של כתיבה מאמת משתמשים בהתבסס על קובץ ה-cookie של ההפעלה שלהם, אך NodeBB תומך גם באימות נושא באמצעות טוקנים (אישורי אבטחה) שנוצרו באמצעות דף זה.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "לחץ כאן כדי לגשת למפרט ה- API המלא",
 
 	"require-https": "אפשר שימוש בAPI באמצעות HTTPS בלבד",
 	"require-https-caveat": "<strong>הערה</strong>: התקנות מסוימות הכוללות מאזני עומסים עשויות לשלוח את הבקשות שלהם ל-NodeBB באמצעות HTTP, ובמקרה כזה אפשרות זו צריכה להישאר מושבתת.",
 
 	"uid": "ID משתמש",
+	"token": "Token",
 	"uid-help-text": "ציין מזהה משתמש לשיוך לטוקן זה. אם מזהה המשתמש הוא <code>0</code>, זה ייחשב כטוקן<em>ראשי</em>, שיכול לשער את זהותם של משתמשים אחרים על בסיס פרמטר<code>_uid</code> .",
 	"description": "תיאור",
-	"last-seen-ago": "שימוש אחרון <span class=\"timeago\" title=\"%1\"></span>",
+	"last-seen": "Last seen",
-	"last-seen-on": "שימוש אחרון ב<span class=\"timeago\" title=\"%1\"></span>",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "מעולם לא נעשה שימוש במפתח זה.",
 	"no-description": "לא צוין תיאור.",
-	"token-on-save": "טוקן יוצר לאחר שמירת הטופס"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/hr/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/hu/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Beállítások",
 	"lead-text": "Ezen az oldalon beállíthatod a NodeBB Write API-jának hozzáférését.",
 	"intro": "Alapértelmezetten a Write API a felhasználókat a munkamenet sütijükön keresztül authentikálja, azonban a NodeBB támogatja a Bearer authentikációt tokeneken keresztül, amiket ezen az oldalon generálhatsz.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Kattints ide a teljes API specifikáció megtekintéséhez",
 
 	"require-https": "API használat korlátozása HTTPS protokollra",
 	"require-https-caveat": "<strong>Megjegyzés</strong>: Némely telepítések terherléselosztás miatt a kéréseket a NodeBB felé HTTP-n keresztül továbbítják. Ilyen esetekben ezt a beállítást nem szabad bekapcsolni.",
 
 	"uid": "Felhasználó azonosító",
+	"token": "Token",
 	"uid-help-text": "Adj meg egy felhasználó azonosítót, hogy társítsd ehhez a tokenhez. Ha a felhasználó azonosító 0, akkor <em>mester</em> tokenként lesz kezelve, ami bármelyik felhasználó identitását képes felvenni a <code>_uid</code> paraméter alapján",
 	"description": "Leírás",
-	"last-seen-ago": "Utolsó látogatás <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Utolsó látogatás <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "Ezt a kulcsot soha nem használták.",
 	"no-description": "Nincs leírás megadva.",
-	"token-on-save": "A token az űrlap mentésekor generálódik"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/hy/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Կարգավորումներ ",
 	"lead-text": "Այս էջից դուք կարող եք կարգավորել մուտքը դեպի «Write API» NodeBB-ում:",
 	"intro": " Write API-ն նույնականացնում է օգտատերերին՝ հիմնվելով նրանց նստաշրջանի cookie-ի վրա, սակայն NodeBB-ն աջակցում է նաև կրող նույնականացումը այս էջի միջոցով ստեղծվող նշանների միջոցով:",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Սեղմեք այստեղ՝ API-ի ամբողջական ճշգրտմանը մուտք գործելու համար",
 
 	"require-https": "Պահանջել API-ի օգտագործում միայն HTTPS-ի միջոցով",
 	"require-https-caveat": "Նշում․ որոշ տեղադրումներ, որոնք ներառում են բեռի հավասարակշռողներ, կարող են իրենց հարցումները փոխանցել NodeBB-ին՝ օգտագործելով HTTP, որի դեպքում այս տարբերակը պետք է մնա անջատված։",
 
 	"uid": "Օգտատիրոջ ID",
+	"token": "Token",
 	"uid-help-text": "Նշեք Օգտատիրոջ ID՝ այս նշանի հետ կապելու համար: Եթե օգտատիրոջ ID-ն 0 է, ապա այն կհամարվի հիմնական նշան, որը կարող է ենթադրել այլ օգտատերերի ինքնությունը՝ հիմնվելով _uid պարամետրի վրա:",
 	"description": "Նկարագրություն",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "Ոչ մի նկարագրություն նշված չէ:",
-	"token-on-save": "Ձևաթուղթը կստեղծվի, երբ ձևը պահպանվի"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/id/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/it/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Impostazioni",
 	"lead-text": "Da questa pagina è possibile configurare l'accesso alle API di scrittura in NodeBB.",
 	"intro": "Per impostazione predefinita, l'API di scrittura autentica gli utenti in base al cookie di sessione, ma NodeBB supporta anche l'autenticazione Bearer tramite token generati tramite questa pagina.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Clicca qui per accedere alle specifiche complete dell'API",
 
 	"require-https": "Richiedi utilizzo API solo tramite HTTPS",
 	"require-https-caveat": "<strong>Nota</strong>:Alcune installazioni che coinvolgono bilanciatori del carico possono inviare tramite proxy le loro richieste a NodeBB utilizzando HTTP, nel qual caso questa opzione dovrebbe rimanere disabilitata.",
 
 	"uid": "ID utente",
+	"token": "Token",
 	"uid-help-text": "Specificare un ID utente da associare a questo token. Se l'ID utente è <code>0</code>, sarà considerato un token <em>master</em>, che può assumere l'identità di altri utenti in base al parametro <code>_uid</code>",
 	"description": "Descrizione",
-	"last-seen-ago": "Ultimo utilizzo <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Ultimo utilizzo il <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "Questa chiave non è mai stata usata.",
 	"no-description": "Nessuna descrizione specificata.",
-	"token-on-save": "Il token sarà generato una volta salvato il modulo"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/ja/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/ko/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "설정",
 	"lead-text": "이 설정 화면에서 NodeBB에 Write API의 연결을 설정할 수 있습니다.",
 	"intro": "기본적으로 Write API는 세션 쿠키를 기반으로 사용자를 인증하지만 NodeBB는 이 페이지를 통해 생성된 토큰을 통해 Bearer 인증도 지원합니다.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "여기를 클릭해서 자세한 API 설정 방법 확인",
 
 	"require-https": "API 사용을 HTTPS 접속으로만 허용",
 	"require-https-caveat": "<strong>참고</strong>: Load balancer와 관련된 일부 설치에서는 HTTP를 사용하여 요청을 NodeBB에 프록시하므로 이 옵션을 사용하지 않도록 설정해야 합니다.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "이 토큰과 연결할 User ID를 지정하세요. User ID가 <code>0</code>일 경우 <em>master</em> 토큰으로 간주되어 다른 사용자의 정보를 <code>_uid</code> 패러미터를 통해 알 수 있게 됩니다.",
 	"description": "설명",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "설명 없음",
-	"token-on-save": "현재 설정 저장 후 토큰 생성"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/lt/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/lv/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/ms/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/nb/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/nl/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/pl/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Ustawienia",
 	"lead-text": "Na tej stronie możesz skonfigurować dostęp do Write API w NodeBB.",
 	"intro": "Domyślnie Write API uwierzytelnia użytkowników na podstawie ich sesji cookie, ale NodeBB obsługuje również uwierzytelnianie okaziciela za pomocą tokenów generowanych za pośrednictwem tej strony.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Kliknij tutaj, aby zobaczyć pełną specyfikację API",
 
 	"require-https": "Wymagaj użycia API tylko przez HTTPS",
 	"require-https-caveat": "<strong>Notatka</strong>: Niektóre instalacje z modułami równoważenia obciążenia mogą przekazywać swoje żądania do NodeBB za pomocą protokołu HTTP, w takim przypadku ta opcja powinna pozostać wyłączona.",
 
 	"uid": "ID Użytkownika",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Opis",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "Brak opisu.",
-	"token-on-save": "Token zostanie wygenerowany po zapisaniu formularza"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/pt-BR/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Configurações",
 	"lead-text": "Nesta página, você pode configurar o acesso à API de Escrita no NodeBB.",
 	"intro": "Por padrão, a API de Escrita autentica os usuários com base em seu cookie de \nsessão, mas o NodeBB também oferece suporte à autenticação Bearer por\n meio de tokens gerados por meio desta página.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Clique aqui para acessar a especificação completa da API",
 
 	"require-https": "Exigir uso da API apenas via HTTPS",
 	"require-https-caveat": "<strong>Nota</strong>: Algumas instalações que envolvem balanceadores de carga podem fazer proxy de suas solicitações para NodeBB usando HTTP, caso em que esta opção deve permanecer desabilitada.",
 
 	"uid": "ID do Usuário",
+	"token": "Token",
 	"uid-help-text": "Especifique um ID de usuário para associar a este token. Se o ID do usuário for<code>0</code>, ele será considerada uma token <em>master</em>, que pode assumir a identidade de outros usuários com base no parâmetro <code>_uid</code>",
 	"description": "Descrição",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "Nenhuma descrição especificada.",
-	"token-on-save": "O token será gerado assim que o formulário for salvo"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/pt-PT/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/ro/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/ru/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Настройки",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "ID пользователя",
+	"token": "Token",
 	"uid-help-text": "Укажите идентификатор пользователя, который нужно связать с этим токеном. Если идентификатор пользователя равен <code>0</code>, он будет считаться <em>главным</em> токеном, который может предполагать идентичность других пользователей на основе параметра <code>_uid</code>.",
 	"description": "Описание",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "Описания нет.",
-	"token-on-save": "Токен будет сгенерирован после сохранения формы"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/rw/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/sc/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/sk/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/sl/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Nastavitve",
 	"lead-text": "Na tej strani lahko konfigurirate dostop do API-ja za pisanje v NodeBB.",
 	"intro": "API za pisanje privzeto preverja uporabnike na podlagi njihovega piškotka seje, vendar NodeBB podpira tudi preverjanje pristnosti nosilca prek žetonov, ustvarjenih na tej strani.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Kliknite tukaj za dostop do celotne specifikacije API-ja",
 
 	"require-https": "Zahtevaj uporabo API samo prek protokola HTTPS",
 	"require-https-caveat": "<strong>Opomba</strong>: Nekatere namestitve, ki vključujejo izravnalnike obremenitve, lahko svoje zahteve posredujejo NodeBB prek protokola HTTP, v tem primeru bi morala ta možnost ostati onemogočena.",
 
 	"uid": "ID uporabnika",
+	"token": "Token",
 	"uid-help-text": "Določite ID uporabnika, ki ga želite povezati s tem žetonom. Če je ID uporabnika <code>0</code>, bo veljal za <em>glavni</em> žeton, ki lahko prevzame identiteto drugih uporabnikov na podlagi parametra <code>_uid</code>",
 	"description": "Opis",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "Opis ni naveden.",
-	"token-on-save": "Žeton bo ustvarjen, ko bo obrazec shranjen"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/sq-AL/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/sr/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/sv/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Inställningar",
 	"lead-text": "Från den här sidan kan du konfigurera åtkomst till NodeBBs 'Write API'.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Tillåt endast API-användning via HTTPS",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Beskrivning",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "Ingen beskrivning finns.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/th/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/tr/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Ayarlar",
 	"lead-text": "Bu sayfadan NodeBB'deki \"Write API\"e erişimi yapılandırabilirsiniz.",
 	"intro": "Varsayılan olarak, Yazma API'si kullanıcıların kimliklerini oturum tanımlama bilgileri temelinde doğrular, ancak NodeBB ayrıca bu sayfa aracılığıyla oluşturulan belirteçler aracılığıyla Taşıyıcı kimlik doğrulamasını da destekler.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Tüm API özeliklerine erişmek için buraya tıklayın. ",
 
 	"require-https": "API kullanımı için HTTPS kısıtlaması gerektir",
 	"require-https-caveat": "Not: Yük dengeleyicilerini içeren bazı kurulumlar, isteklerini HTTP kullanarak NodeBB'ye proxy uygulayabilir, bu durumda bu seçenek devre dışı kalmalıdır.",
 
 	"uid": "Kullanıcı ID",
+	"token": "Token",
 	"uid-help-text": "Bu jetonla ilişkilendirilecek bir Kullanıcı Kimliği belirtin. Kullanıcı kimliği 0 ise, diğer kullanıcıların kimliğini _uid parametresine göre üstlenebilen bir ana simge olarak kabul edilir.",
 	"description": "Açıklama",
-	"last-seen-ago": "En son <span class=\"timeago\" title=\"%1\"></span> kullanıldı.",
+	"last-seen": "Last seen",
-	"last-seen-on": "En son <span class=\"timeago\" title=\"%1\"></span> tarihinde kullanıldı.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "Bu anahtar daha önce hiç kullanılmadı.",
 	"no-description": "Hiçbir açıklama belirtilmemiş.",
-	"token-on-save": "Form kaydedildikten sonra bir jeton oluşturulacak"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/uk/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/vi/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Cài đặt",
 	"lead-text": "Từ trang này, bạn có thể cấu hình quyền truy cập vào API Viết trong NodeBB.",
 	"intro": "Mặc định, API Viết xác thực người dùng dựa trên cookie phiên của họ, nhưng NodeBB cũng hỗ trợ xác thực Bearer thông qua mã truy cập được tạo qua trang này.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Nhấp vào đây để truy cập thông số kỹ thuật API đầy đủ",
 
 	"require-https": "Chỉ yêu cầu sử dụng API qua HTTPS",
 	"require-https-caveat": "<strong>Ghi chú</strong>: Một số cài đặt liên quan đến bộ cân bằng tải có thể ủy quyền các yêu cầu của họ tới NodeBB bằng HTTP, trong trường hợp đó tùy chọn này vẫn bị vô hiệu hóa.",
 
 	"uid": "ID Người Dùng",
+	"token": "Token",
 	"uid-help-text": "Ghi rõ ID người dùng liên kết với mã truy cập. Nếu ID người dùng là <code>0</code>, nó sẽ là môt mã truy cập <em>cao cấp</em>, có thể giả định danh tính của những người dùng khác dựa trên tham số <code>_uid</code>",
 	"description": "Mô tả",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "Khóa này chưa bao giờ được dùng.",
 	"no-description": "Không có mô tả cụ thể.",
-	"token-on-save": "Mã truy cập sẽ được tạo sau khi biểu mẫu được lưu"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/zh-CN/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "设置",
 	"lead-text": "从此处，您可以配置对 NodeBB 中 Write API 的访问。",
 	"intro": "默认情况下，Write API 根据用户的会话cookie对用户进行身份验证，但 NodeBB 也支持通过此页面生成的令牌进行身份验证。",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "单击此处访问完整的 API 规范",
 
 	"require-https": "要求 API 只能通过 HTTPS 调用",
 	"require-https-caveat": "<strong>注意：</strong>一些负载均衡器可能会使用 HTTP 代理对 NodeBB 的请求，在此情况下此选项应保持关闭状态。",
 
 	"uid": "用户ID",
+	"token": "Token",
 	"uid-help-text": "指定要与此令牌关联的用户ID。如果用户ID是 <code>0</code>, 它将被实危 <em>最高</em> 令牌，可以通过 <code>_uid</code> 参数假定其他用户的身份",
 	"description": "说明",
-	"last-seen-ago": "最后一次使用<span class=\"timeago\" title=\"%1\"></span>",
+	"last-seen": "Last seen",
-	"last-seen-on": "最后一次使用于<span class=\"timeago\" title=\"%1\"></span>",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "从未被使用过的键值",
 	"no-description": "未指定说明。",
-	"token-on-save": "保存表单后将生成令牌"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/language/zh-TW/admin/settings/api.json

@@ -3,17 +3,25 @@
 	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
+	"warning": "<strong>Be advised</strong> — treat tokens like passwords. If they are leaked, your account should be considered compromised.",
 	"docs": "Click here to access the full API specification",
 
 	"require-https": "Require API usage via HTTPS only",
 	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
 
 	"uid": "User ID",
+	"token": "Token",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
-	"last-seen-ago": "Last used <span class=\"timeago\" title=\"%1\"></span>.",
+	"last-seen": "Last seen",
-	"last-seen-on": "Last used on <span class=\"timeago\" title=\"%1\"></span>.",
+	"created": "Created",
+	"create-token": "Create Token",
+	"update-token": "Update Token",
+	"master-token": "Master token",
 	"last-seen-never": "This key has never been used.",
 	"no-description": "No description specified.",
-	"token-on-save": "Token will be generated once form is saved"
+	"actions": "Actions",
+
+	"delete-confirm": "Are you sure you wish to delete this token? It will not be recoverable.",
+	"roll-confirm": "Are you sure you wish to regenerate this token? The old token will be immediately revoked and will not be recoverable."
 }

public/openapi/components/schemas/admin/tokenObject.yaml

@@ -0,0 +1,24 @@
+TokenObject:
+  type: object
+  properties:
+    uid:
+      type: number
+      description: A valid user id
+    description:
+      type: string
+      description: Optional descriptor to differentiate tokens.
+    token:
+      type: string
+      description: An API token that can be called against this API via Bearer Authentication.
+    timestamp:
+      type: number
+    timestampISO:
+      type: string
+      description: An ISO 8601 formatted date string (complementing `timestamp`)
+    lastSeen:
+      type: number
+      nullable: true
+    lastSeenISO:
+      type: string
+      description: An ISO 8601 formatted date string (complementing `lastSeen`)
+      nullable: true

public/openapi/read/admin/settings/api.yaml

@@ -11,14 +11,8 @@ get:
             allOf:
               - type: object
                 properties:
-                  lastSeen:
+                  tokens:
-                    type: object
+                    type: array
-                    description: A key-value set of API tokens and a UNIX timestamp of when it was last used
+                    items:
-                    properties: {}
+                      $ref: ../../../components/schemas/admin/tokenObject.yaml#/TokenObject
-                    additionalProperties: {}
-                  lastSeenISO:
-                    type: object
-                    description: A key-value set of API tokens and an ISO 8601 formatted date string of when it was last used
-                    properties: {}
-                    additionalProperties: {}
               - $ref: ../../../components/schemas/CommonProps.yaml#/CommonProps

public/openapi/write.yaml

@@ -198,6 +198,12 @@ paths:
     $ref: 'write/admin/analytics.yaml'
   /admin/analytics/{set}:
     $ref: 'write/admin/analytics/set.yaml'
+  /admin/tokens:
+    $ref: 'write/admin/tokens.yaml'
+  /admin/tokens/{token}:
+    $ref: 'write/admin/tokens/token.yaml'
+  /admin/tokens/{token}/roll:
+    $ref: 'write/admin/tokens/token/roll.yaml'
   /files/:
     $ref: 'write/files.yaml'
   /files/folder:

public/openapi/write/admin/tokens.yaml

@@ -0,0 +1,32 @@
+post:
+  tags:
+    - admin
+  summary: create token
+  description: This operation creates a new API token for access to the Read and Write APIs.
+  requestBody:
+    required: true
+    content:
+      application/json:
+        schema:
+          type: object
+          properties:
+            uid:
+              type: number
+              description: The generated token will make calls against NodeBB as this user.
+              example: 1
+            description:
+              type: string
+              description: Optional descriptor to differentiate tokens.
+              example: 'My new token.'
+  responses:
+    '200':
+      description: token successfully created
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              status:
+                $ref: ../../components/schemas/Status.yaml#/Status
+              response:
+                $ref: ../../components/schemas/admin/tokenObject.yaml#/TokenObject

public/openapi/write/admin/tokens/token.yaml

@@ -0,0 +1,89 @@
+get:
+  tags:
+    - admin
+  summary: get token
+  description: This operation retrieves an API token and its associated metadata
+  parameters:
+    - in: path
+      name: token
+      schema:
+        type: string
+      required: true
+      description: a valid API token
+      example: 4eb506f8-a173-4693-a41b-e23604bc973a
+  responses:
+    '200':
+      description: token successfully retrieved
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              status:
+                $ref: ../../../components/schemas/Status.yaml#/Status
+              response:
+                $ref: ../../../components/schemas/admin/tokenObject.yaml#/TokenObject
+put:
+  tags:
+    - admin
+  summary: update token
+  description: This operation updates a token's metadata.
+  parameters:
+    - in: path
+      name: token
+      schema:
+        type: string
+      required: true
+      description: a valid API token
+      example: 4eb506f8-a173-4693-a41b-e23604bc973a
+  requestBody:
+    required: true
+    content:
+      application/json:
+        schema:
+          type: object
+          properties:
+            uid:
+              type: number
+              description: The generated token will make calls against NodeBB as this user.
+              example: 1
+            description:
+              type: string
+              description: Optional descriptor to differentiate tokens.
+              example: 'My new token.'
+  responses:
+    '200':
+      description: Token metadata updated.
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              status:
+                $ref: ../../../components/schemas/Status.yaml#/Status
+              response:
+                $ref: ../../../components/schemas/admin/tokenObject.yaml#/TokenObject
+delete:
+  tags:
+    - admin
+  summary: revoke token
+  description: This operation revokes a token and removes it from the database
+  parameters:
+    - in: path
+      name: token
+      schema:
+        type: string
+      required: true
+      description: a valid API token
+      example: 4eb506f8-a173-4693-a41b-e23604bc973a
+  responses:
+    '200':
+      description: Token metadata updated.
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              status:
+                $ref: ../../../components/schemas/Status.yaml#/Status
+              response: {}

public/openapi/write/admin/tokens/token/roll.yaml

@@ -0,0 +1,25 @@
+post:
+  tags:
+    - admin
+  summary: regenerate token
+  description: This operation regenerates an existing token. The previous token is immediately invalidated.
+  parameters:
+    - in: path
+      name: token
+      schema:
+        type: string
+      required: true
+      description: a valid API token
+      example: 4eb506f8-a173-4693-a41b-e23604bc973a
+  responses:
+    '200':
+      description: Token regenerated.
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              status:
+                $ref: ../../../../components/schemas/Status.yaml#/Status
+              response:
+                $ref: ../../../../components/schemas/admin/tokenObject.yaml#/TokenObject

public/scss/admin/admin.scss

@@ -9,6 +9,7 @@
 @import "./manage/privileges";
 @import "./manage/tags";
 @import "./manage/groups";
+@import "./settings/api";
 @import "./appearance/customise";
 @import "./extend/plugins";
 @import "./extend/rewards";

public/scss/admin/settings/api.scss

@@ -0,0 +1,7 @@
+.template-admin-settings-api {
+	[data-action="copy"]:active {
+		i::before {
+			content: '\f00c';
+		}
+	}
+}

public/src/admin/settings/api.js

@@ -1,52 +1,180 @@
 'use strict';
 
-define('admin/settings/api', ['settings', 'alerts', 'hooks'], function (settings, alerts, hooks) {
+define('admin/settings/api', ['settings', 'clipboard', 'bootbox', 'benchpress', 'api', 'alerts'], function (settings, clipboard, bootbox, Benchpress, api, alerts) {
 	const ACP = {};
 
 	ACP.init = function () {
 		settings.load('core.api', $('.core-api-settings'));
-		$('#save').on('click', saveSettings);
+		$('#save').on('click', () => {
+			settings.save('core.api', $('.core-api-settings'));
+		});
+
+		// Click to copy
+		const copyEls = document.querySelectorAll('[data-component="acp/tokens"] [data-action="copy"]');
+		new clipboard(copyEls);
+
+		handleActions();
+	};
+
+	function handleActions() {
+		const formEl = document.querySelector('#content form');
+		if (!formEl) {
+			return;
+		}
+
+		formEl.addEventListener('click', (e) => {
+			const subselector = e.target.closest('[data-action]');
+			if (subselector) {
+				const action = subselector.getAttribute('data-action');
+
+				switch (action) {
+					case 'create':
+						handleTokenCreation();
+						break;
+
+					case 'edit':
+						handleTokenUpdate(subselector);
+						break;
+
+					case 'delete':
+						handleTokenDeletion(subselector);
+						break;
 
-		hooks.on('filter:settings.sorted-list.loadItem', ({ item }) => {
+					case 'roll':
-			if (!ajaxify.data.lastSeen[item.token]) {
+						handleTokenRolling(subselector);
-				item.lastSeen = '[[admin/settings/api:last-seen-never]]';
+						break;
-				return { item };
+				}
 			}
+		});
+	}
+
+	async function handleTokenCreation() {
+		const html = await Benchpress.render('admin/partials/edit-token-modal', {});
+		const parseForm = async function () {
+			const modal = this;
+			const formEl = this.get(0).querySelector('form');
+			const tokensTableBody = document.querySelector('[data-component="acp/tokens"] tbody');
+			const valid = formEl.reportValidity();
+			if (formEl && valid) {
+				const formData = new FormData(formEl);
+				const uid = formData.get('uid');
+				const description = formData.get('description');
 
-			const cutoffMs = 1000 * 60 * 60 * 24 * Math.max(0, parseInt(config.timeagoCutoff, 10));
+				try {
-			let translationSuffix = 'ago';
+					const tokenObj = await api.post('/admin/tokens', { uid, description });
-			if (cutoffMs > 0 && Date.now() - ajaxify.data.lastSeen[item.token] > cutoffMs) {
+					if (!tokensTableBody) {
-				translationSuffix = 'on';
+						modal.modal('hide');
+						return ajaxify.refresh();
+					}
+
+					ajaxify.data.tokens.push(tokenObj);
+					const rowEl = (await app.parseAndTranslate(ajaxify.data.template.name, 'tokens', {
+						tokens: [tokenObj],
+					})).get(0);
+
+					tokensTableBody.append(rowEl);
+					$(rowEl).find('.timeago').timeago();
+					modal.modal('hide');
+				} catch (e) {
+					alerts.error(e);
+				}
 			}
-			item.lastSeen = `[[admin/settings/api:last-seen-${translationSuffix}, ${ajaxify.data.lastSeenISO[item.token]}]]`;
 
-			return { item };
+			return false;
+		};
+
+		bootbox.dialog({
+			title: '[[admin/settings/api:create-token]]',
+			message: html,
+			buttons: {
+				submit: {
+					label: '[[modules:bootbox.submit]]',
+					className: 'btn-primary',
+					callback: parseForm,
+				},
+			},
 		});
+	}
+
+	async function handleTokenUpdate(el) {
+		const rowEl = el.closest('[data-token]');
+		const token = rowEl.getAttribute('data-token');
+		const { uid, description } = await api.get(`/admin/tokens/${token}`);
+		const parseForm = async function () {
+			const modal = this;
+			const formEl = this.get(0).querySelector('form');
+			const valid = formEl.reportValidity();
+			if (formEl && valid) {
+				const formData = new FormData(formEl);
+				const uid = formData.get('uid');
+				const description = formData.get('description');
+
+				try {
+					const tokenObj = await api.put(`/admin/tokens/${token}`, { uid, description });
+					const newEl = (await app.parseAndTranslate(ajaxify.data.template.name, 'tokens', {
+						tokens: [tokenObj],
+					})).get(0);
 
-		hooks.on('action:settings.sorted-list.loaded', ({ listEl }) => {
+					rowEl.replaceWith(newEl);
-			$(listEl).find('.timeago').timeago();
+					$(newEl).find('.timeago').timeago();
+					modal.modal('hide');
+				} catch (e) {
+					alerts.error(e);
+				}
+			}
+
+			return false;
+		};
+
+		const html = await Benchpress.render('admin/partials/edit-token-modal', { uid, description });
+		bootbox.dialog({
+			title: '[[admin/settings/api:update-token]]',
+			message: html,
+			buttons: {
+				submit: {
+					label: '[[modules:bootbox.submit]]',
+					className: 'btn-primary',
+					callback: parseForm,
+				},
+			},
 		});
+	}
+
+	async function handleTokenDeletion(el) {
+		const rowEl = el.closest('[data-token]');
+		const token = rowEl.getAttribute('data-token');
 
-		hooks.on('action:settings.sorted-list.itemLoaded', ({ element }) => {
+		bootbox.confirm('[[admin/settings/api:delete-confirm]]', async (ok) => {
-			element.addEventListener('click', (ev) => {
+			if (ok) {
-				if (ev.target.closest('input[readonly]')) {
+				try {
-					// Select entire input text
+					await api.del(`/admin/tokens/${token}`);
-					ev.target.selectionStart = 0;
+				} catch (e) {
-					ev.target.selectionEnd = ev.target.value.length;
+					alerts.error(e);
 				}
-			});
+
+				rowEl.remove();
+			}
 		});
-	};
+	}
 
-	function saveSettings() {
+	async function handleTokenRolling(el) {
-		settings.save('core.api', $('.core-api-settings'), function () {
+		const rowEl = el.closest('[data-token]');
-			alerts.alert({
+		const token = rowEl.getAttribute('data-token');
-				type: 'success',
+
-				alert_id: 'core.api-saved',
+		bootbox.confirm('[[admin/settings/api:roll-confirm]]', async (ok) => {
-				title: 'Settings Saved',
+			if (ok) {
-				timeout: 5000,
+				try {
-			});
+					const tokenObj = await api.post(`/admin/tokens/${token}/roll`);
-			ajaxify.refresh();
+					const newEl = (await app.parseAndTranslate(ajaxify.data.template.name, 'tokens', {
+						tokens: [tokenObj],
+					})).get(0);
+
+					rowEl.replaceWith(newEl);
+					$(newEl).find('.timeago').timeago();
+				} catch (e) {
+					alerts.error(e);
+				}
+			}
 		});
 	}
 

src/api/users.js

@@ -18,7 +18,8 @@ const plugins = require('../plugins');
 const events = require('../events');
 const translator = require('../translator');
 const sockets = require('../socket.io');
-const utils = require('../utils');
+
+// const api = require('.');
 
 const usersAPI = module.exports;
 
@@ -308,41 +309,25 @@ usersAPI.unmute = async function (caller, data) {
 };
 
 usersAPI.generateToken = async (caller, { uid, description }) => {
+	const api = require('.');
 	await hasAdminPrivilege(caller.uid, 'settings');
 	if (parseInt(uid, 10) !== parseInt(caller.uid, 10)) {
 		throw new Error('[[error:invalid-uid]]');
 	}
 
-	const settings = await meta.settings.get('core.api');
+	const tokenObj = await api.utils.tokens.generate({ uid, description });
-	settings.tokens = settings.tokens || [];
+	return tokenObj.token;
-
-	const newToken = {
-		token: utils.generateUUID(),
-		uid: caller.uid,
-		description: description || '',
-		timestamp: Date.now(),
-	};
-	settings.tokens.push(newToken);
-	await meta.settings.set('core.api', settings);
-
-	return newToken;
 };
 
 usersAPI.deleteToken = async (caller, { uid, token }) => {
+	const api = require('.');
 	await hasAdminPrivilege(caller.uid, 'settings');
 	if (parseInt(uid, 10) !== parseInt(caller.uid, 10)) {
 		throw new Error('[[error:invalid-uid]]');
 	}
 
-	const settings = await meta.settings.get('core.api');
+	await api.utils.tokens.delete(token);
-	const beforeLen = settings.tokens.length;
+	return true;
-	settings.tokens = settings.tokens.filter(tokenObj => tokenObj.token !== token);
-	if (beforeLen !== settings.tokens.length) {
-		await meta.settings.set('core.api', settings);
-		return true;
-	}
-
-	return false;
 };
 
 const getSessionAsync = util.promisify((sid, callback) => {

src/api/utils.js

@@ -2,12 +2,123 @@
 
 const db = require('../database');
 
+const user = require('../user');
+const srcUtils = require('../utils');
+
 const utils = module.exports;
 
 // internal token management utilities only
+utils.tokens = {};
+
+utils.tokens.list = async () => {
+	// Validation handled at higher level
+	const tokens = await db.getSortedSetRange(`tokens:createtime`, 0, -1);
+	return await utils.tokens.get(tokens);
+};
+
+utils.tokens.get = async (tokens) => {
+	// Validation handled at higher level
+	if (!tokens) {
+		throw new Error('[[error:invalid-data]]');
+	}
+
+	let singular = false;
+	if (!Array.isArray(tokens)) {
+		tokens = [tokens];
+		singular = true;
+	}
+
+	let [tokenObjs, lastSeen] = await Promise.all([
+		db.getObjects(tokens.map(t => `token:${t}`)),
+		utils.tokens.getLastSeen(tokens),
+	]);
+
+	tokenObjs = tokenObjs.map((tokenObj, idx) => {
+		if (!tokenObj) {
+			return null;
+		}
+
+		tokenObj.token = tokens[idx];
+		tokenObj.lastSeen = lastSeen[idx];
+		tokenObj.lastSeenISO = lastSeen[idx] ? new Date(lastSeen[idx]).toISOString() : null;
+		tokenObj.timestampISO = new Date(parseInt(tokenObj.timestamp, 10)).toISOString();
+
+		return tokenObj;
+	});
+
+	return singular ? tokenObjs[0] : tokenObjs;
+};
+
+utils.tokens.generate = async ({ uid, description }) => {
+	if (parseInt(uid, 10) !== 0) {
+		const uidExists = await user.exists(uid);
+		if (!uidExists) {
+			throw new Error('[[error:no-user]]');
+		}
+	}
+
+	const token = srcUtils.generateUUID();
+	const timestamp = Date.now();
+
+	return utils.tokens.add({ token, uid, description, timestamp });
+};
+
+utils.tokens.add = async ({ token, uid, description = '', timestamp = Date.now() }) => {
+	if (!token || uid === undefined) {
+		throw new Error('[[error:invalid-data]]');
+	}
+
+	await Promise.all([
+		db.setObject(`token:${token}`, { uid, description, timestamp }),
+		db.sortedSetAdd(`tokens:createtime`, timestamp, token),
+		db.sortedSetAdd(`tokens:uid`, uid, token),
+	]);
+
+	return token;
+};
+
+utils.tokens.update = async (token, { uid, description }) => {
+	await Promise.all([
+		db.setObject(`token:${token}`, { uid, description }),
+		db.sortedSetAdd(`tokens:uid`, uid, token),
+	]);
+
+	return await utils.tokens.get(token);
+};
+
+utils.tokens.roll = async (token) => {
+	const [createTime, uid, lastSeen] = await db.sortedSetsScore([`tokens:createtime`, `tokens:uid`, `tokens:lastSeen`], token);
+	const newToken = srcUtils.generateUUID();
+
+	const updates = [
+		db.rename(`token:${token}`, `token:${newToken}`),
+		db.sortedSetRemove(`tokens:createtime`, token),
+		db.sortedSetRemove(`tokens:uid`, token),
+		db.sortedSetRemove(`tokens:lastSeen`, token),
+		db.sortedSetAdd(`tokens:createtime`, createTime, newToken),
+		db.sortedSetAdd(`tokens:uid`, uid, newToken),
+	];
+
+	if (lastSeen) {
+		updates.push(db.sortedSetAdd(`tokens:lastSeen`, lastSeen, newToken));
+	}
+
+	await Promise.all(updates);
+
+	return newToken;
+};
+
+utils.tokens.delete = async (token) => {
+	await Promise.all([
+		db.delete(`token:${token}`),
+		db.sortedSetRemove(`tokens:createtime`, token),
+		db.sortedSetRemove(`tokens:uid`, token),
+		db.sortedSetRemove(`tokens:lastSeen`, token),
+	]);
+};
 
-utils.log = async (token) => {
+utils.tokens.log = async (token) => {
 	await db.sortedSetAdd('tokens:lastSeen', Date.now(), token);
 };
 
-utils.getLastSeen = async tokens => await db.sortedSetScores('tokens:lastSeen', tokens);
+utils.tokens.getLastSeen = async tokens => await db.sortedSetScores('tokens:lastSeen', tokens);

src/controllers/admin/settings.js

@@ -111,14 +111,6 @@ settingsController.social = async function (req, res) {
 };
 
 settingsController.api = async (req, res) => {
-	const { tokens } = await meta.settings.get('core.api');
+	const tokens = await api.utils.tokens.list();
-	const scores = await api.utils.getLastSeen(tokens.map(t => t.token));
+	res.render('admin/settings/api', { tokens });
-
-	const [lastSeen, lastSeenISO] = tokens.reduce((memo, cur, idx) => {
-		memo[0][cur.token] = scores[idx];
-		memo[1][cur.token] = new Date(scores[idx]).toISOString();
-		return memo;
-	}, [{}, {}]);
-
-	res.render('admin/settings/api', { lastSeen, lastSeenISO });
 };

src/controllers/write/admin.js

@@ -28,3 +28,32 @@ Admin.getAnalyticsData = async (req, res) => {
 		units: req.query.units,
 	}));
 };
+
+Admin.generateToken = async (req, res) => {
+	const { uid, description } = req.body;
+	const token = await api.utils.tokens.generate({ uid, description });
+	helpers.formatApiResponse(200, res, await api.utils.tokens.get(token));
+};
+
+Admin.getToken = async (req, res) => {
+	helpers.formatApiResponse(200, res, await api.utils.tokens.get(req.params.token));
+};
+
+Admin.updateToken = async (req, res) => {
+	const { uid, description } = req.body;
+	const { token } = req.params;
+
+	helpers.formatApiResponse(200, res, await api.utils.tokens.update(token, { uid, description }));
+};
+
+Admin.rollToken = async (req, res) => {
+	let { token } = req.params;
+
+	token = await api.utils.tokens.roll(token);
+	helpers.formatApiResponse(200, res, await api.utils.tokens.get(token));
+};
+
+Admin.deleteToken = async (req, res) => {
+	const { token } = req.params;
+	helpers.formatApiResponse(200, res, await api.utils.tokens.delete(token));
+};

src/meta/configs.js

@@ -7,8 +7,6 @@ const winston = require('winston');
 
 const db = require('../database');
 const pubsub = require('../pubsub');
-const plugins = require('../plugins');
-const utils = require('../utils');
 const Meta = require('./index');
 const cacheBuster = require('./cacheBuster');
 const defaults = require('../../install/data/defaults.json');
@@ -148,46 +146,6 @@ Configs.remove = async function (field) {
 	await db.deleteObjectField('config', field);
 };
 
-Configs.registerHooks = () => {
-	plugins.hooks.register('core', {
-		hook: 'filter:settings.set',
-		method: async ({ plugin, settings, quiet }) => {
-			if (plugin === 'core.api' && Array.isArray(settings.tokens)) {
-				// Generate tokens if not present already
-				settings.tokens.forEach((set) => {
-					if (set.token === '') {
-						set.token = utils.generateUUID();
-					}
-
-					if (isNaN(parseInt(set.uid, 10))) {
-						set.uid = 0;
-					}
-				});
-			}
-
-			return { plugin, settings, quiet };
-		},
-	});
-
-	plugins.hooks.register('core', {
-		hook: 'filter:settings.get',
-		method: async ({ plugin, values }) => {
-			if (plugin === 'core.api' && Array.isArray(values.tokens)) {
-				values.tokens = values.tokens.map((tokenObj) => {
-					tokenObj.uid = parseInt(tokenObj.uid, 10);
-					if (tokenObj.timestamp) {
-						tokenObj.timestampISO = new Date(parseInt(tokenObj.timestamp, 10)).toISOString();
-					}
-
-					return tokenObj;
-				});
-			}
-
-			return { plugin, values };
-		},
-	});
-};
-
 Configs.cookie = {
 	get: () => {
 		const cookie = {};

src/middleware/index.js

@@ -128,7 +128,7 @@ middleware.prepareAPI = function prepareAPI(req, res, next) {
 middleware.logApiUsage = async function logApiUsage(req, res, next) {
 	if (req.headers.hasOwnProperty('authorization')) {
 		const [, token] = req.headers.authorization.split(' ');
-		await api.utils.log(token);
+		await api.utils.tokens.log(token);
 	}
 
 	next();

src/plugins/index.js

@@ -10,7 +10,6 @@ const request = require('request-promise-native');
 
 const user = require('../user');
 const posts = require('../posts');
-const meta = require('../meta');
 
 const { pluginNamePattern, themeNamePattern, paths } = require('../constants');
 
@@ -125,7 +124,6 @@ Plugins.reload = async function () {
 
 	// Core hooks
 	posts.registerHooks();
-	meta.configs.registerHooks();
 
 	// Deprecation notices
 	Plugins.hooks._deprecated.forEach((deprecation, hook) => {

src/routes/authentication.js

@@ -6,10 +6,10 @@ const passportLocal = require('passport-local').Strategy;
 const BearerStrategy = require('passport-http-bearer').Strategy;
 const winston = require('winston');
 
-const meta = require('../meta');
 const controllers = require('../controllers');
 const helpers = require('../controllers/helpers');
 const plugins = require('../plugins');
+const api = require('../api');
 const { generateToken } = require('../middleware/csrf');
 
 let loginStrategies = [];
@@ -45,8 +45,8 @@ Auth.getLoginStrategies = function () {
 };
 
 Auth.verifyToken = async function (token, done) {
-	const { tokens = [] } = await meta.settings.get('core.api');
+	const tokens = await api.utils.tokens.list();
-	const tokenObj = tokens.find(t => t.token === token);
+	const tokenObj = tokens.filter((t => t.token === token)).pop();
 	const uid = tokenObj ? tokenObj.uid : undefined;
 
 	if (uid !== undefined) {

src/routes/write/admin.js

@@ -15,5 +15,11 @@ module.exports = function () {
 	setupApiRoute(router, 'get', '/analytics', [...middlewares], controllers.write.admin.getAnalyticsKeys);
 	setupApiRoute(router, 'get', '/analytics/:set', [...middlewares], controllers.write.admin.getAnalyticsData);
 
+	setupApiRoute(router, 'post', '/tokens', [...middlewares], controllers.write.admin.generateToken);
+	setupApiRoute(router, 'get', '/tokens/:token', [...middlewares], controllers.write.admin.getToken);
+	setupApiRoute(router, 'put', '/tokens/:token', [...middlewares], controllers.write.admin.updateToken);
+	setupApiRoute(router, 'delete', '/tokens/:token', [...middlewares], controllers.write.admin.deleteToken);
+	setupApiRoute(router, 'post', '/tokens/:token/roll', [...middlewares], controllers.write.admin.rollToken);
+
 	return router;
 };

src/upgrades/3.2.0/migrate_api_tokens.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const assert = require('assert');
+const winston = require('winston');
+
+const db = require('../../database');
+const meta = require('../../meta');
+const api = require('../../api');
+
+module.exports = {
+	name: 'Migrate tokens away from sorted-list implementation',
+	timestamp: Date.UTC(2023, 4, 2),
+	method: async () => {
+		const { tokens = [] } = await meta.settings.get('core.api');
+
+		await Promise.all(tokens.map(async (tokenObj) => {
+			const { token, uid, description } = tokenObj;
+			await api.utils.tokens.add({ token, uid, description });
+		}));
+
+		// Validate
+		const oldCount = await db.sortedSetCard('settings:core.api:sorted-list:tokens');
+		const newCount = await db.sortedSetCard('tokens:createtime');
+		try {
+			if (oldCount > 0) {
+				assert.strictEqual(oldCount, newCount);
+			}
+
+			// Delete old tokens
+			await meta.settings.set('core.api', {
+				tokens: [],
+			});
+			await db.delete('settings:core.api:sorted-lists');
+		} catch (e) {
+			winston.warn('Old token count does not match migrated tokens count, leaving old tokens behind.');
+		}
+	},
+};

src/views/admin/partials/api/sorted-list/item.tpl

@@ -1,21 +0,0 @@
-<li data-type="item" class="list-group-item">
-    <div class="row">
-        <div class="col-9">
-            <span class="badge bg-primary">{{{ if uid }}}uid {uid}{{{ else }}}master{{{ end }}}</span>
-            {{{ if token }}}<input class="form-control-plaintext" type="text" readonly="readonly" value="{token}" size="32" />{{{ else }}}<em class="text-warning">[[admin/settings/api:token-on-save]]</em>{{{ end }}}<br />
-            <p>
-                {{{ if description }}}
-                {description}
-                {{{ else }}}
-                <em>[[admin/settings/api:no-description]]</em>
-                {{{ end }}}
-                <br />
-                <small class="text-info">{./lastSeen}</small>
-            </p>
-        </div>
-        <div class="col-3 text-end">
-            <button type="button" data-type="edit" class="btn btn-info">Edit</button>
-            <button type="button" data-type="remove" class="btn btn-danger">Delete</button>
-        </div>
-    </div>
-</li>

src/views/admin/partials/edit-token-modal.tpl

@@ -1,15 +1,13 @@
-<form>
+<form role="form">
-    <input type="hidden" name="token" />
-    <input type="hidden" name="timestamp" />
     <div class="mb-3">
         <label class="form-label" for="uid">[[admin/settings/api:uid]]</label>
-        <input type="text" inputmode="numeric" pattern="\d+" name="uid" class="form-control" placeholder="1" />
+        <input type="text" inputmode="numeric" pattern="\d+" name="uid" class="form-control" placeholder="0" value="{./uid}" />
         <p class="form-text">
             [[admin/settings/api:uid-help-text]]
         </p>
     </div>
     <div class="mb-3">
         <label class="form-label" for="description">[[admin/settings/api:description]]</label>
-        <input type="text" name="description" class="form-control" placeholder="Description" />
+        <input type="text" name="description" class="form-control" placeholder="Description" value="{./description}" />
     </div>
 </form>

src/views/admin/settings/api.tpl

@@ -1,14 +1,76 @@
 <form role="form" class="core-api-settings">
 	<p class="lead">[[admin/settings/api:lead-text]]</p>
 	<p>[[admin/settings/api:intro]]</p>
-	<p>
+	<p class="text-danger">[[admin/settings/api:warning]]</p>
-		<a href="https://docs.nodebb.org/api">
+	<p class="d-flex align-items-center">
+		<a class="flex-grow-1" href="https://docs.nodebb.org/api">
 			<i class="fa fa-external-link"></i>
 			[[admin/settings/api:docs]]
 		</a>
+		<button type="button" class="btn btn-primary float-end" data-action="create">
+			<i class="fa fa-plus"></i>
+			[[admin/settings/api:create-token]]
+		</button>
 	</p>
 
-	<hr />
+	<table class="table mb-5" data-component="acp/tokens">
+		<thead>
+			<tr>
+				<th>[[admin/settings/api:token]]</th>
+				<th>[[admin/settings/api:description]]</th>
+				<th>[[admin/settings/api:uid]]</th>
+				<th>[[admin/settings/api:last-seen]]</th>
+				<th>[[admin/settings/api:created]]</th>
+				<th>[[admin/settings/api:actions]]</th>
+			</tr>
+		</thead>
+		<tbody>
+			{{{ each tokens }}}
+			<tr data-token="{./token}">
+				<td>
+					<button type="button" class="btn btn-link" data-action="copy" data-clipboard-text="{./token}"><i class="fa fa-fw fa-clipboard" aria-hidden="true"></i></button>
+					<div class="vr me-3" aria-hidden="true"></div>
+					<span class="user-select-all">{./token}</span>
+				</td>
+				<td class="align-middle">
+					{{{ if ./description }}}
+					{./description}
+					{{{ else }}}
+					<em class="text-secondary">[[admin/settings/api:no-description]]</em>
+					{{{ end }}}
+				</td>
+				<td class="align-middle">
+					{{{ if (./uid == "0") }}}
+					<em>[[admin/settings/api:master-token]]</em>
+					{{{ else }}}
+					{./uid}
+					{{{ end }}}
+				</td>
+				<td class="align-middle">
+					{{{ if ./lastSeen }}}
+					<span class="timeago" title="{./lastSeenISO}"></span>
+					{{{ else }}}
+					<em class="text-secondary">[[admin/settings/api:last-seen-never]]</em>
+					{{{ end }}}
+				</td>
+				<td class="align-middle">
+					<span class="timeago" title="{./timestampISO}"></span>
+				</td>
+				<td>
+					<button type="button" class="btn btn-link" data-action="edit">
+						<i class="fa fa-edit"></i>
+					</button>
+					<button type="button" class="btn btn-link" data-action="roll">
+						<i class="fa fa-refresh"></i>
+					</button>
+					<button type="button" class="btn btn-link link-danger" data-action="delete">
+						<i class="fa fa-trash"></i>
+					</button>
+				</td>
+			</tr>
+			{{{ end }}}
+		</tbody>
+	</table>
 
 	<div class="row mb-4">
 		<div class="col-sm-2 col-12 settings-header">[[admin/settings/api:settings]]</div>
@@ -20,17 +82,6 @@
 			</div>
 		</div>
 	</div>
-
-	<div class="row mb-4">
-		<div class="col-sm-2 col-12 settings-header">[[admin/settings/api:tokens]]</div>
-		<div class="col-sm-10 col-12">
-			<div class="form-group" data-type="sorted-list" data-sorted-list="tokens" data-item-template="admin/partials/api/sorted-list/item" data-form-template="admin/partials/api/sorted-list/form">
-				<input type="hidden" name="tokens">
-				<ul data-type="list" class="list-group mb-3"></ul>
-				<button type="button" data-type="add" class="btn btn-info">Create Token</button>
-			</div>
-		</div>
-	</div>
 </form>
 
 <!-- IMPORT admin/partials/save_button.tpl -->

test/api.js

@@ -56,8 +56,23 @@ describe('API', async () => {
 					example: '', // to be defined later...
 				},
 			],
+			'/admin/tokens/{token}': [
+				{
+					in: 'path',
+					name: 'token',
+					example: '', // to be defined later...
+				},
+			],
+		},
+		post: {
+			'/admin/tokens/{token}/roll': [
+				{
+					in: 'path',
+					name: 'token',
+					example: '', // to be defined later...
+				},
+			],
 		},
-		post: {},
 		put: {
 			'/groups/{slug}/pending/{uid}': [
 				{
@@ -71,6 +86,13 @@ describe('API', async () => {
 					example: '', // to be defined later...
 				},
 			],
+			'/admin/tokens/{token}': [
+				{
+					in: 'path',
+					name: 'token',
+					example: '', // to be defined later...
+				},
+			],
 		},
 		patch: {},
 		delete: {
@@ -134,6 +156,13 @@ describe('API', async () => {
 					example: '', // to be defined later...
 				},
 			],
+			'/admin/tokens/{token}': [
+				{
+					in: 'path',
+					name: 'token',
+					example: '', // to be defined later...
+				},
+			],
 		},
 	};
 
@@ -170,6 +199,16 @@ describe('API', async () => {
 		}
 		await groups.join('administrators', adminUid);
 
+		// Create api token for testing read/updating/deletion
+		const token = await api.utils.tokens.generate({ uid: adminUid });
+		mocks.get['/admin/tokens/{token}'][0].example = token;
+		mocks.put['/admin/tokens/{token}'][0].example = token;
+		mocks.delete['/admin/tokens/{token}'][0].example = token;
+
+		// Create another token for testing rolling
+		const token2 = await api.utils.tokens.generate({ uid: adminUid });
+		mocks.post['/admin/tokens/{token}/roll'][0].example = token2;
+
 		// Create sample group
 		await groups.create({
 			name: 'Test Group',

test/authentication.js

@@ -15,6 +15,7 @@ const utils = require('../src/utils');
 const meta = require('../src/meta');
 const plugins = require('../src/plugins');
 const privileges = require('../src/privileges');
+const api = require('../src/api');
 const helpers = require('./helpers');
 
 describe('authentication', () => {
@@ -596,24 +597,14 @@ describe('authentication', () => {
 		let masterToken;
 		before(async () => {
 			newUid = await user.create({ username: 'apiUserTarget' });
-			const settings = await meta.settings.get('core.api');
+			userToken = await api.utils.tokens.generate({
-			settings.tokens = settings.tokens || [];
-			userToken = {
-				token: utils.generateUUID(),
 				uid: newUid,
 				description: `api token for uid ${newUid}`,
-				timestamp: Date.now(),
+			});
-			};
+			masterToken = await api.utils.tokens.generate({
-			settings.tokens.push(userToken);
-			masterToken = {
-				token: utils.generateUUID(),
 				uid: 0,
 				description: 'api master token',
-				timestamp: Date.now(),
+			});
-			};
-			settings.tokens.push(masterToken);
-
-			await meta.settings.set('core.api', settings);
 		});
 
 		it('should fail with invalid token', async () => {
@@ -635,7 +626,7 @@ describe('authentication', () => {
 			const { res, body } = await helpers.request('get', `/api/self`, {
 				json: true,
 				headers: {
-					Authorization: `Bearer ${userToken.token}`,
+					Authorization: `Bearer ${userToken}`,
 				},
 			});
 
@@ -648,7 +639,7 @@ describe('authentication', () => {
 				form: {},
 				json: true,
 				headers: {
-					Authorization: `Bearer ${masterToken.token}`,
+					Authorization: `Bearer ${masterToken}`,
 				},
 			});
 
@@ -663,7 +654,7 @@ describe('authentication', () => {
 				},
 				json: true,
 				headers: {
-					Authorization: `Bearer ${masterToken.token}`,
+					Authorization: `Bearer ${masterToken}`,
 				},
 			});
 

test/tokens.js

@@ -0,0 +1,178 @@
+'use strict';
+
+const assert = require('assert');
+const nconf = require('nconf');
+
+const db = require('./mocks/databasemock');
+const api = require('../src/api');
+const user = require('../src/user');
+const utils = require('../src/utils');
+
+describe('API tokens', () => {
+	let token;
+
+	beforeEach(async () => {
+		// Generate a different token for use in each test
+		token = await api.utils.tokens.generate({ uid: 0 });
+	});
+
+	describe('.list()', () => {
+		it('should list available tokens', async () => {
+			await api.utils.tokens.generate({ uid: 0 });
+			const tokens = await api.utils.tokens.list();
+
+			assert(Array.isArray(tokens));
+			assert.strictEqual(tokens.length, 2);
+			assert.strictEqual(parseInt(tokens[0].uid, 10), 0);
+			assert.strictEqual(parseInt(tokens[1].uid, 10), 0);
+		});
+	});
+
+	describe('.create()', () => {
+		it('should fail to create a token for a user that does not exist', async () => {
+			assert.rejects(api.utils.tokens.generate({ uid: 1 }), { message: '[[error:no-user]]' });
+		});
+
+		it('should create a token for a user that exists', async () => {
+			const uid = await user.create({ username: utils.generateUUID().slice(0, 8) });
+			const token = await api.utils.tokens.generate({ uid });
+			const tokenObj = await api.utils.tokens.get(token);
+
+			assert(tokenObj);
+			assert.strictEqual(parseInt(tokenObj.uid, 10), uid);
+		});
+	});
+
+	describe('.get()', () => {
+		it('should retrieve a token', async () => {
+			const tokenObj = await api.utils.tokens.get(token);
+
+			assert(tokenObj);
+			assert.strictEqual(parseInt(tokenObj.uid, 10), 0);
+		});
+
+		it('should retrieve multiple tokens', async () => {
+			const second = await api.utils.tokens.generate({ uid: 0 });
+			const tokens = await api.utils.tokens.get([token, second]);
+
+			assert(Array.isArray(tokens));
+			tokens.forEach((t) => {
+				assert(t);
+				assert.strictEqual(parseInt(t.uid, 10), 0);
+			});
+		});
+
+		it('should fail if you pass in invalid data', async () => {
+			assert.rejects(api.utils.tokens.get(token), { message: '[[error:invalid-data]]' });
+		});
+
+		it('should show lastSeen and lastSeenISO as undefined/null if it is a new token', async () => {
+			const { lastSeen, lastSeenISO } = await api.utils.tokens.get(token);
+
+			assert.strictEqual(lastSeen, null);
+			assert.strictEqual(lastSeenISO, null);
+		});
+
+		it('should show lastSeenISO as an ISO formatted datetime string if the token has been used', async () => {
+			const now = new Date();
+			await db.sortedSetAdd('tokens:lastSeen', now.getTime(), token);
+			const { lastSeen, lastSeenISO } = await api.utils.tokens.get(token);
+
+			assert.strictEqual(lastSeen, now.getTime());
+			assert.strictEqual(lastSeenISO, now.toISOString());
+		});
+	});
+
+	describe('.generate()', () => {
+		it('should generate a new token', async () => {
+			const second = await api.utils.tokens.generate({ uid: 0 });
+			const token = await api.utils.tokens.get(second);
+
+			assert(token);
+			assert(await db.exists(`token:${second}`));
+			assert.equal(await db.sortedSetScore(`tokens:uid`, second), 0);
+			assert.strictEqual(parseInt(token.uid, 10), 0);
+		});
+	});
+
+	describe('.update()', () => {
+		it('should update the description of a token', async () => {
+			await api.utils.tokens.update(token, { uid: 0, description: 'foobar' });
+			const tokenObj = await api.utils.tokens.get(token);
+
+			assert(tokenObj);
+			assert.strictEqual(parseInt(tokenObj.uid, 10), 0);
+			assert.strictEqual(tokenObj.description, 'foobar');
+		});
+
+		it('should update the uid of a token', async () => {
+			await api.utils.tokens.update(token, { uid: 1, description: 'foobar' });
+			const tokenObj = await api.utils.tokens.get(token);
+			const uid = await db.sortedSetScore('tokens:uid', token);
+
+			assert(tokenObj);
+			assert.strictEqual(parseInt(tokenObj.uid, 10), 1);
+			assert.strictEqual(parseInt(uid, 10), 1);
+			assert.strictEqual(tokenObj.description, 'foobar');
+		});
+	});
+
+	describe('.roll()', () => {
+		it('should invalidate the old token', async () => {
+			const newToken = await api.utils.tokens.roll(token);
+			assert(newToken);
+
+			const gets = await api.utils.tokens.get([token, newToken]);
+			assert.strictEqual(gets[0], null);
+			assert(gets[1]);
+		});
+
+		it('should change a token but leave all other metadata intact', async () => {
+			await api.utils.tokens.update(token, { uid: 1, description: 'foobar' });
+			const newToken = await api.utils.tokens.roll(token);
+			const tokenObj = await api.utils.tokens.get(newToken);
+
+			assert.strictEqual(parseInt(tokenObj.uid, 10), 1);
+			assert.strictEqual(tokenObj.description, 'foobar');
+		});
+	});
+
+	describe('.delete()', () => {
+		it('should delete a token from a system', async () => {
+			await api.utils.tokens.delete(token);
+
+			assert.strictEqual(await db.exists(`token:${token}`), false);
+			assert.strictEqual(await db.sortedSetScore(`tokens:uid`, token), null);
+			assert.strictEqual(await db.sortedSetScore(`tokens:createtime`, token), null);
+			assert.strictEqual(await db.sortedSetScore(`tokens:lastSeen`, token), null);
+		});
+	});
+
+	describe('.log()', () => {
+		it('should record the current time as the last seen time of that token', async () => {
+			await api.utils.tokens.log(token);
+
+			assert(await db.sortedSetScore(`tokens:lastSeen`, token));
+		});
+	});
+
+	describe('.getLastSeen()', () => {
+		it('should retrieve the time the token was last seen', async () => {
+			await api.utils.tokens.log(token);
+			const time = await api.utils.tokens.getLastSeen([token]);
+
+			assert(time[0]);
+			assert(isFinite(time[0]));
+		});
+
+		it('should return null if the token has never been seen', async () => {
+			const time = await api.utils.tokens.getLastSeen([token]);
+
+			assert.strictEqual(time[0], null);
+		});
+	});
+
+	afterEach(async () => {
+		await api.utils.tokens.delete(token);
+	});
+});