api.congress.gov

Delete API Key

Open farisdurrani opened this issue 1 year ago • 11 comments

Issue

Hi. As with any other secrets, they should be able to be changed or deleted to prevent security leakages. I don't see any function to delete an existing API key if that key has been leaked to the public.

Proposed solution 1

A simple way to resolve this is to create an input box taking in the API key given by the user. The backend will then query the database and delete the API key from usage so it can't be used anymore.

Proposed solution 2

Another way is to have an expiration for each API key produced, either as a static value or a user-given value.

farisdurrani avatar Jan 17 '24 22:01 farisdurrani
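
A sketch of the two proposals in the issue above (revocation on request and per-key expiry), added here as an illustration; it is not code from api.congress.gov or api.data.gov. The class `ApiKeyRegistry`, its method names, and the in-memory dict standing in for the backend database are all hypothetical.

```python
import hashlib
import secrets
import time


class ApiKeyRegistry:
    """Hypothetical server-side key store: holds only SHA-256 digests of keys."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._records = {}    # digest -> {"expires_at": float or None, "revoked": bool}

    @staticmethod
    def _digest(key: str) -> str:
        # Keys are 256-bit random tokens, so a plain hash is enough here;
        # a leaked table then does not reveal usable keys.
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, ttl_seconds=None) -> str:
        """Create a key; ttl_seconds=None means no expiry (proposed solution 2 sets one)."""
        key = secrets.token_urlsafe(32)
        expires_at = None if ttl_seconds is None else self._clock() + ttl_seconds
        self._records[self._digest(key)] = {"expires_at": expires_at, "revoked": False}
        return key  # shown to the user once, never stored in the clear

    def revoke(self, key: str) -> bool:
        """Proposed solution 1: the holder submits the key and it stops working."""
        record = self._records.get(self._digest(key))
        if record is None or record["revoked"]:
            return False
        record["revoked"] = True  # keep the row so later use of a leaked key is auditable
        return True

    def is_valid(self, key: str) -> bool:
        record = self._records.get(self._digest(key))
        if record is None or record["revoked"]:
            return False
        expires_at = record["expires_at"]
        return expires_at is None or self._clock() < expires_at

    def rotate(self, old_key: str, ttl_seconds=None):
        """Revoke an active key and return a replacement, or None if old_key is not active."""
        if not self.is_valid(old_key):
            return None
        self.revoke(old_key)
        return self.issue(ttl_seconds)
```

Marking a key revoked instead of deleting its row lets the service log attempts to use a leaked key after revocation.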

This is probably a better question/issue for the api.data.gov team, who manage the shared Federal service that issues the keys. You may want to enter it as an issue here:

https://github.com/18F/api.data.gov/issues

jonquandt avatar Jan 17 '24 22:01 jonquandt

An option may be to save an encrypted API key, if we don't want to delete it.

deepesh611 avatar Feb 26 '24 19:02 deepesh611

I feel that's like saying you should save your passwords in encrypted format so they won't be stolen and you never have to change them. It's a poor security posture

farisdurrani avatar Feb 26 '24 19:02 farisdurrani

> I feel that's like saying you should save your passwords in encrypted format so they won't be stolen and you never have to change them. It's a poor security posture

You are right about that, though.

deepesh611 avatar Feb 26 '24 19:02 deepesh611

So the API key is present in the code?

deepesh611 avatar Feb 27 '24 10:02 deepesh611

Not really, but API keys, like passwords, tend to get lost or leaked all the time. So it's an important security feature to change or disable them.

farisdurrani avatar Feb 27 '24 15:02 farisdurrani

If we don't want to delete it, how about storing it in a flash and removing it from the code/program?

deepesh611 avatar Feb 27 '24 20:02 deepesh611

Again, same problem with passwords. Why not store it in a flash and clear your clipboards and cookies so it doesn't leak? It doesn't work all the time

farisdurrani avatar Feb 27 '24 21:02 farisdurrani

I see, so did you get any solution to that problem yet?

deepesh611 avatar Feb 28 '24 04:02 deepesh611

This problem can only be solved by the developers of this repo, which I am not a part of

farisdurrani avatar Feb 28 '24 13:02 farisdurrani

I see

Thanks for engaging in chat with me.

deepesh611 avatar Feb 28 '24 16:02 deepesh611