Closed orubel closed 1 year ago
Setting a var in the application settings of the starter called 'beapi.security.keyHash.salt' to allow for a default value.
This value can be overwritten by the application and by a system value (thus allowing for hash rotation).
Internal securityController endpoints, one of which is 'generateKeyList()', which will regenerate the keyList for ApiDescriptor, which contains key/value pairs of key and hash.
This will be generated at runtime and can be regenerated on the fly at any time.
For NOW we will hash ALL keys, BUT IN FUTURE we may allow a toggle to not hash some keys (always the 90% rule first and exceptions later).
Closing. Out of scope; to do this outside a DB (and rotate salt/hash on the fly) would STILL require some kind of cache/NoSQL.
We could maintain the keys for encrypt/decrypt in the scope of the request/response, but issues include:
Need to test if the request/response variable TYPE is PKEY/FKEY and HASH (do not hash an 'INDEX'; if this isn't in there, may need to add it).
That way we can return PKEY/FKEY in the response and have them sent in a way we can compare to the original.
Also need to create a way to change/rotate the SALT every 24 hrs. NOTE: randSalt should be implemented as a webHook that pushes the value to all services, which in turn write it to local properties.
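The scheme sketched in the comments above (a salt resolved from starter default, application and system values; a key/hash list regenerated per descriptor; only PKEY/FKEY values hashed, never INDEX; and a salt rotation that invalidates earlier hashes), as an added illustration that is not the project's code. The descriptor, record and salt values are constructed, and the HMAC-SHA256 construction and function names are assumptions, not BeAPI's implementation.

```python
import hashlib
import hmac

HASHED_TYPES = {"PKEY", "FKEY"}  # INDEX and ordinary fields are never hashed

# Constructed sample ApiDescriptor: field name -> declared type.
API_DESCRIPTOR = {"id": "PKEY", "owner_id": "FKEY", "idx": "INDEX", "name": "String"}
# Constructed sample record a service would return.
RECORD = {"id": 42, "owner_id": 7, "idx": 3, "name": "widget"}


def resolve_salt(starter_default, app_value=None, system_value=None):
    """Pick the effective salt: a system value beats the application's,
    which beats the starter's 'beapi.security.keyHash.salt' default."""
    return system_value or app_value or starter_default


def hash_key(value, salt):
    """Keyed hash of one PKEY/FKEY value; the salt is the HMAC key, so a
    rotated salt invalidates every previously issued hash."""
    return hmac.new(salt.encode(), str(value).encode(), hashlib.sha256).hexdigest()


def generate_key_list(descriptor, record, salt):
    """Rebuild the key/hash list for the record's PKEY/FKEY fields only."""
    return {f: hash_key(record[f], salt) for f, t in descriptor.items() if t in HASHED_TYPES}


def hash_response(descriptor, record, salt):
    """Copy of the record with PKEY/FKEY values replaced by their hashes."""
    key_list = generate_key_list(descriptor, record, salt)
    return {f: key_list.get(f, v) for f, v in record.items()}


def matches_original(descriptor, field, incoming, original_value, salt):
    """Compare an incoming PKEY/FKEY hash against the stored value under the
    current salt in constant time; non-key fields are compared directly."""
    if descriptor.get(field) not in HASHED_TYPES:
        return incoming == original_value
    return hmac.compare_digest(incoming, hash_key(original_value, salt))
```

Regenerating the list under a new salt is what makes the 24-hour rotation work: any hash issued under the old salt stops matching, so clients must pick up freshly issued values.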