Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hash API keys #3842

Open
wants to merge 3 commits into
base: feature/1027-reset-api-key
Choose a base branch
from
Open

Hash API keys #3842

wants to merge 3 commits into from
+127 −28

Conversation

tillprochaska
Copy link
Contributor

@tillprochaska tillprochaska commented Aug 5, 2024
edited
Loading

This is based on #3094. Review and merge #3094 first!

Aleph used to store user API keys as plaintext in the database. This commit changes that to store only a hash of the API key.

API keys are generated using the built-in secrets.token_urlsafe method which returns a random 256 bit token. In contrast to passwords, API keys are not provided by users, have a high entropy, and need to be validated on every request. It seems to be generally accepted that, given 256 bit tokens, salting or using an expensive key derivation functions isn't necessary. (But please challenge this!) For this reason, we’re storing an unsalted SHA-256 hash of the API key which also makes it easy to look up and verify a given API key.

I've added a separate column for the hashed API key rather than reusing the existing column. This allows us to batch-hash all existing plaintext keys without having to differentiate between keys that have already been hashed and those that haven't. Once all existing plaintext API keys have been hashed, the old api_key column can simply be dropped.

This is a breaking change. After deployment, admins need to run the aleph hash-plaintext-api-keys CLI command to hash legacy plaintext API keys. Alternatively, users can regenerate their API key.

@tillprochaska
Store hashed API keys
97252b1 
Aleph used to store user API keys as plaintext in the database. This commit changes that to store only a hash of the API key.

API keys are generated using the built-in `secrets.token_urlsafe` method which returns a random 256 bit token. In contrast to passwords, API keys are not provided by users, have a high entropy, and need to be validated on every request. It seems to be generally accepted that, given 256 bit tokens, salting or using an expensive key derivation functions isn't necessary. For this reason, we’re storing an unsalted SHA-256 hash of the API key which also makes it easy to look up and verify a given API key.

I've added a separate column for the hashed API key rather than reusing the existing column. This allows us to batch-hash all existing plaintext keys without having to differentiate between keys that have already been hashed and those that haven't. Once all existing plaintext API keys have been hashed, the old `api_key` column can simply be dropped.
@tillprochaska
Add CLI command to store legacy plaintext API keys
15b52eb
@tillprochaska
Remove prefilled API key from OpenRefine endpoints
5f94f9b 
Required as we do not store plaintext API keys anymore. Also, we want to remove the option to pass API keys via URL parameters in the future.

This makes it impossible to use OpenRefine with non-public collections. This was never documented, and most users weren't aware that they can indeed use OpenRefine with non-public collections anyway.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
breaking-changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tillprochaska