david
November 29, 2019, 3:56pm
16
Sorry @pfaffman , but I’m afraid I will have to remove this new rake task in an upcoming PR. We are going to be hashing API keys in the database, so it will be fundamentally impossible to retrieve an existing key.
master ← davidtaylorhq:api-key-hash
merged 11:45AM - 12 Dec 19 UTC
> ⚠️This change is completely irreversible. Once the migrations are run, the pla… in text keys will be deleted from the database. Marking as a draft PR for now to avoid accidental merging, but this is ready for review.
API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak.
Many of the changes in this diff are to implement the new post-create UI, which looks like:
<img width="1138" alt="Screenshot 2019-11-29 at 15 20 09" src="https://user-images.githubusercontent.com/6270921/69878077-c914f680-12bb-11ea-8645-435d7491f265.png">
From a security perspective, the key files to review are:
- `app/models/api_key.rb`
- `lib/auth/default_current_user_provider.rb`
- `db/migrate/20191128113434_add_hashed_api_key.rb`
- `db/post_migrate/20191128113435_remove_key_from_api_keys.rb`
@danielwaterworth I had some issues with `fab!` in the tests, because it 'refinds' the record from the database after the initial save. The keys are kept temporarily as instance variables, so this refind was causing the key to be lost. I set `refind:false` in these places, but would be interested if you know of a cleaner solution.
I’ve replaced the get_or_create_master task with a simpler create_master task
4 Likes