From 1f0ef020a9d1372f6786d55c907870a46493a818 Mon Sep 17 00:00:00 2001
From: Tobias Genannt <tobias.genannt@qbeyond.de>
Date: Wed, 8 Oct 2025 08:12:59 +0200
Subject: [PATCH] Support new API_TOKEN format

Allows configuration the new API_TOKEN_PEPPERS setting from an
ENV variable or secret file.

Feature request: https://github.com/netbox-community/netbox/issues/20210
Pull request: https://github.com/netbox-community/netbox/pull/20477
---
 .github/workflows/push.yml        | 3 ++-
 configuration/configuration.py    | 5 +++++
 env/netbox.env                    | 1 +
 test-configuration/test_config.py | 4 ++++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index a4833e1..f4b6305 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -36,12 +36,13 @@ jobs:
           SUPPRESS_POSSUM: true
           LINTER_RULES_PATH: /
           VALIDATE_ALL_CODEBASE: false
+          VALIDATE_BIOME_FORMAT: false
           VALIDATE_CHECKOV: false
           VALIDATE_DOCKERFILE: false
+          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_GITLEAKS: false
           VALIDATE_JSCPD: false
           VALIDATE_TRIVY: false
-          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           FILTER_REGEX_EXCLUDE: (.*/)?(LICENSE|configuration/.*)
           EDITORCONFIG_FILE_NAME: .editorconfig-checker.json
           DOCKERFILE_HADOLINT_FILE_NAME: .hadolint.yaml
diff --git a/configuration/configuration.py b/configuration/configuration.py
index 6125e2b..8dfa736 100644
--- a/configuration/configuration.py
+++ b/configuration/configuration.py
@@ -116,6 +116,11 @@ REDIS = {
 # https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
 SECRET_KEY = _read_secret('secret_key', environ.get('SECRET_KEY', ''))
 
+API_TOKEN_PEPPERS = {}
+if api_token_pepper := _read_secret('api_token_pepper_1', environ.get('API_TOKEN_PEPPER_1', '')):
+    API_TOKEN_PEPPERS.update({1: api_token_pepper})
+
+
 
 #########################
 #                       #
diff --git a/env/netbox.env b/env/netbox.env
index c89844f..52fca3b 100644
--- a/env/netbox.env
+++ b/env/netbox.env
@@ -1,3 +1,4 @@
+API_TOKEN_PEPPER_1=Qy+F=OTeGskWQ(wTMgjc+NPPlz6YwFXY=KHIIg=wpYXT&e(6u8
 CORS_ORIGIN_ALLOW_ALL=True
 DB_HOST=postgres
 DB_NAME=netbox
diff --git a/test-configuration/test_config.py b/test-configuration/test_config.py
index 308d437..10f414c 100644
--- a/test-configuration/test_config.py
+++ b/test-configuration/test_config.py
@@ -10,3 +10,7 @@ PLUGINS = [
 ALLOW_TOKEN_RETRIEVAL = True
 
 DEFAULT_PERMISSIONS = {}
+
+API_TOKEN_PEPPERS = {
+    1: 'TEST-VALUE-DO-NOT-USE-TEST-VALUE-DO-NOT-USE-TEST-VALUE-DO-NOT-USE',
+}