Level 7 / Project 06 - Token Rotation Simulator¶

Learn Your Way¶

Read	Build	Watch	Test	Review	Visualize	Try
—	This project	—	—	Flashcards	—	—

Focus¶

credential lifecycle simulation

Why this project exists¶

This project gives you level-appropriate practice in a realistic operations context. Goal: run the baseline, alter behavior, break one assumption, recover safely, and explain the fix.

Run (copy/paste)¶

Use <repo-root> as the folder containing this repository's README.md.

cd <repo-root>/projects/level-7/06-token-rotation-simulator
python project.py --input data/sample_input.txt --output data/output_summary.json
pytest -q

Expected terminal output¶

... output_summary.json written ...
2 passed

Expected artifacts¶

data/output_summary.json
Passing tests
Updated notes.md

Alter it (required)¶

Add a grace_period parameter so old tokens remain valid for N seconds after rotation.
Add a list_active() method that returns all non-revoked, non-expired tokens.
Re-run script and tests — verify grace period and listing work correctly.

Break it (required)¶

Call rotate() when no token has been generated yet (empty manager).
Set ttl_seconds to 0 so tokens expire immediately upon creation.
Observe that is_valid returns False for brand-new tokens.

Fix it (required)¶

Have rotate() call generate() if no current token exists instead of crashing.
Validate that ttl_seconds > 0 in the TokenManager constructor.
Add tests for rotating with no current token and for zero-TTL edge case.

Explain it (teach-back)¶

Why is token rotation important for API security?
What happened when rotate was called without an existing token?
How did the constructor validation prevent zero-TTL tokens?
How does the audit trail help in a real security incident investigation?

Mastery check¶

You can move on when you can: - run baseline without docs, - explain one core function line-by-line, - break and recover in one session, - keep tests passing after your change.

← Prev	Home	Next →