Implement access token for command line things.

app/Console/Commands/VerifyDatabase.php

@@ -27,6 +27,7 @@ use FireflyIII\User;
 use Illuminate\Console\Command;
 use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Database\Eloquent\Builder;
+use Preferences;
 use Schema;
 use stdClass;
 
@@ -102,6 +103,22 @@ class VerifyDatabase extends Command
         // create default link types if necessary
         $this->createLinkTypes();
 
+        // create user access tokens, if not present already.
+        $this->createAccessTokens();
+
+    }
+
+    private function createAccessTokens()
+    {
+        $users = User::get();
+        /** @var User $user */
+        foreach ($users as $user) {
+            $pref = Preferences::getForUser($user, 'access_token', null);
+            if (is_null($pref)) {
+                $token = $user->generateAccessToken();
+                Preferences::setForUser($user, 'access_token', $token);
+            }
+        }
     }
 
     /**

app/Http/Controllers/ProfileController.php

@@ -21,6 +21,7 @@ use FireflyIII\Repositories\User\UserRepositoryInterface;
 use FireflyIII\User;
 use Hash;
 use Log;
+use Preferences;
 use Session;
 use View;
 
@@ -84,7 +85,14 @@ class ProfileController extends Controller
         $subTitle = auth()->user()->email;
         $userId   = auth()->user()->id;
 
-        return view('profile.index', compact('subTitle', 'userId'));
+        // get access token or create one.
+        $accessToken = Preferences::get('access_token', null);
+        if (is_null($accessToken)) {
+            $token       = auth()->user()->generateAccessToken();
+            $accessToken = Preferences::set('access_token', $token);
+        }
+
+        return view('profile.index', compact('subTitle', 'userId', 'accessToken'));
     }
 
     /**
@@ -140,6 +148,17 @@ class ProfileController extends Controller
         return redirect(route('index'));
     }
 
+    /**
+     *
+     */
+    function regenerate()
+    {
+        $token = auth()->user()->generateAccessToken();
+        Preferences::set('access_token', $token);
+        Session::flash('success', strval(trans('firefly.token_regenerated')));
+
+        return redirect(route('profile.index'));
+    }
 
     /**
      * @param User   $user

app/User.php

@@ -136,6 +136,16 @@ class User extends Authenticatable
         return $this->hasMany('FireflyIII\Models\ExportJob');
     }
 
+    /**
+     * @return string
+     */
+    public function generateAccessToken(): string
+    {
+        $bytes = random_bytes(16);
+
+        return strval(bin2hex($bytes));
+    }
+
     /**
      * Checks if the user has a role by its name.
      *

resources/lang/en_US/firefly.php

@@ -416,7 +416,10 @@ return [
     'secure_pw_should'                           => 'Should I check the box?',
     'secure_pw_long_password'                    => 'If you just generated a long, single-use password for Firefly III using some kind of password generator: <strong>no</strong>.',
     'secure_pw_short'                            => 'If you just entered the password you always use: <em>Please yes</em>.',
-
+    'personal_access_token'                      => 'Personal access token',
+    'explain_access_token'                       => 'You need this token to perform command line options, such as importing or exporting data. Without it, such sensitive commands will not work. Do not share your access token. Nobody will ask you for this token, not even me. If you fear you lost this, or when you\'re paranoid, regenerate this token using the button.',
+    'regenerate_access_token'                    => 'Regenerate access token',
+    'token_regenerated'                          => 'A new token was generated',
 
     // attachments
     'nr_of_attachments'                          => 'One attachment|:count attachments',

resources/views/profile/index.twig

@@ -9,7 +9,7 @@
         <div class="col-lg-6 col-lg-offset-3 col-md-6 col-sm-12">
             <div class="box box-primary">
                 <div class="box-header with-border">
-                    <h3 class="box-title">Options</h3>
+                    <h3 class="box-title">{{ 'options'|_ }}</h3>
                 </div>
                 <div class="box-body">
                     <p>
@@ -23,4 +23,28 @@
             </div>
         </div>
     </div>
+    <div class="row">
+        <div class="col-lg-6 col-lg-offset-3 col-md-6 col-sm-12">
+            <div class="box box-primary">
+                <div class="box-header with-border">
+                    <h3 class="box-title">{{ 'personal_access_token'|_ }}</h3>
+                </div>
+                <div class="box-body">
+                    <p>
+                        {{ 'explain_access_token'|_ }}
+                    </p>
+                    <p>
+                        <input id="token" type="text" class="form-control" name="token" value="{{ accessToken.data }}" size="32" maxlength="32" readonly />
+
+                    </p>
+                    <p>
+                        <form action="{{ route('profile.regenerate') }}" method="post">
+                        <input type="hidden" name="_token" value="{{ csrf_token() }}"/>
+                            <button type="submit" class="btn btn-danger btn-xs"><i class="fa fa-refresh"></i> {{ 'regenerate_access_token'|_ }}</button>
+                    </form>
+                    </p>
+                </div>
+            </div>
+        </div>
+    </div>
 {% endblock %}

routes/web.php

@@ -526,6 +526,7 @@ Route::group(
 
     Route::post('delete-account', ['uses' => 'ProfileController@postDeleteAccount', 'as' => 'delete-account.post']);
     Route::post('change-password', ['uses' => 'ProfileController@postChangePassword', 'as' => 'change-password.post']);
+    Route::post('regenerate', ['uses' => 'ProfileController@regenerate', 'as' => 'regenerate']);
 }
 );