Closed
In order to help with support requests related to API keys not being delivered by e-mail (due to spam filtering), we need to adjust our logic for displaying the API keys to administrators. Currently the full keys are not displayed. Here's what I'm thinking in order to make this easier for agency admins to address these support requests themselves, while also maintaining security:
- Superuser admins should always be able to view the full keys.
- Agency admins can view full API keys for 2 weeks after their creation. I think this should strike a good balance between allowing ample time for agency admins to deal with initial support while preventing a potentially naughty admin from harvesting a bunch of API keys.
- Full API keys will be hidden from agency admins as soon as any roles are added to an API key. Since adding roles is what turns a key from being like any other public key into something that's potentially more sensitive, this seems like a good trigger for hiding it. We'll also assume that the user already has their key if an admin is adding a role to it.