FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Make API keys more secure by hashing the keys before storing them #2536

Open mooreds opened 10 months ago

mooreds commented 10 months ago

Make API keys more secure by hashing the keys before storing them

Problem

API keys are readable in the database.

Solution

We should have API keys be available/displayable only at creation. Then we should store a hash of the value in the database. When an API key is received, we'd hash it and then compare that value to the one in the database. If they match, it is a correct API key.

This is what AWS does with the AWS secret key, which is why you can only view it once.

This could be a system setting with the default to on. This could be transparent to existing instances, as when we received an API key, we could examine the value stored in the db and if it is the same as the one we received, we could then hash and store that value. Probably need to store some metadata to determine if the key is hashed as well.

The one exception is the API key API would have breaking changes, since retrieving an API key could no longer return the key value.

Alternatives/workarounds

n/a

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan commented 9 months ago

This sounds like a nice enhancement. I imagine this would be a choice at API creation to "never show me this key again" (more secure) or "allow me to see it again" (less secure). This would allow for backwards compatibility and various use cases.

mooreds commented 9 months ago

I suggested the breaking, more secure by default option above, but I think what you offer is a good idea too.

This could be a system setting with the default to on. This could be transparent to existing instances, as when we received an API key, we could examine the value stored in the db and if it is the same as the one we received, we could then hash and store that value. Probably need to store some metadata to determine if the key is hashed as well.

robotdan commented 9 months ago

We don't break APIs unless the design is fundamentally flawed and it is a risk to continue using it.

I don't think that is the case here, the API is working as designed and we are discussing adding a higher security option.

If the comment is just to prefer or have the pre-selected option to use the hashed version, this seems reasonable. TBD if we would want the API to do the same because this would be a change in behavior.