Security of the API key

[maggie44]

Is your feature request related to a problem? Please describe. I’m just about ready to pull the trigger on using the Hub. I think you’re really on to something here and this will scale well.

My only blocker is the level of access the Hub needs to my Cloudflare account. I keep coming back to the Hub, reach the point of the Cloudflare key and then dropping off again.

A few things here I think could help and would like to explore:

Can there be more transparency over how the key is stored? It says three factor auth but that really tells us very little. For hobby projects it’s fine but for anything of real scale or business critical I think we would need to know a lot more before committing to a service to know we have protected our infrastructure.

Additionally, I wonder if there is a process that could be established to reduce the scope of the token. How about a setup token with wider privileges and then an access token with less privilege that is then used. Or an adaption of the self host where it is removed entirely. I will read the docs more on how the Hub works and will then be able to contribute more to this but I wonder if there is a way to apply the principle of least privilege a little more than the current way.

[atinux]

Hi @maggie44 and thank you for asking, I understand your concerns and I will try to explain as clear as possible.

While I can't disclose all the details of our security implementation, I can provide an overview of our "three-factor" approach to securing the API tokens.

• Your API token is never stored in plain text. We use a robust, industry-standard encryption algorithm to secure the token before it's stored in our database. We use Cloudflare D1 to store the tokens, and they have good data security.
• Each API token is encrypted using a unique key. This key is derived from multiple factors, including account-specific information, which means that even in the unlikely event of one token being compromised, others remain secure.
• Secure Key Management. The components needed to reconstruct the encryption key are stored separately and securely. No single point of failure can expose your token. For example, one of the component is a secret environment variable (see secret vs plain text env variable) which no one knows the value (including myself).

Additional Security Measures:

• Encrypted tokens are only decrypted when necessary to make API calls to Cloud
• We do regular security audits and updates of our dependencies
• We have strict access of the codebase and all our developers needs 2FA activated
• Same for our Cloudflare account (2FA required)
• We encrypt the token using a well known library, Iron, which relies upon secure crypto provided by Node, which is open source, and very secure.

If you have any specific concerns or questions about our security practices, please don't hesitate to reach out. I am committed to being as transparent as possible while maintaining the integrity of our security systems.

[maggie44]

Thanks @atinux for the time to send the detailed reply.

It is nice peace of mind, thanks. Glad it is here for people to find too.

I wasn't quite following on the last point about using the secret in Cloudflare as one of the three. As the question was around the Cloudflare API token, I couldn't see how a token stored in the Cloudflare account of the user could then be used to decrypt the key needed to access Cloudflare. Reading it again though I'm wondering if you meant stored on your Cloudflare infrastructure rather than mine.

I'm still giving some thought to how I can further reduce risk. One approach is to create a dedicated Cloudflare account for this integration. Not ideal from a billing perspective, or from maintenance, but at least it helps scope the access only to what is required for Nuxt Hub.

Another thing I considered is issuing a Cloudflare token with a short expiry, then can re-auth when I log back in to the Hub. Would reduce the amount of time a token is stored in the Hub. I suspect this would also mean I couldn't benefit from web hooks. Perhaps local dev implications too? But with Cloudflare handling the CI I could still develop off the repo. Also considered whether the communication could be done browser side so the token didn't ever need to be stored, but would limit features.

Ultimately though, it's a Cloudflare API token scoping issue more than anything. I'm assured in hearing the diligence in the security, but the current approach involves giving over a key to the whole castle, not just the R2, KV or D1 related to my Nuxt Hub content. Having a separate Nuxt Hub Cloudflare account seems to be only way I can think of right now.

[atinux]

I wasn't quite following on the last point about using the secret in Cloudflare as one of the three. As the question was around the Cloudflare API token, I couldn't see how a token stored in the Cloudflare account of the user could then be used to decrypt the key needed to access Cloudflare. Reading it again though I'm wondering if you meant stored on your Cloudflare infrastructure rather than mine.

Your API token is stored on our Cloudflare infrastructure, and we use an env secret (among other factors) to encrypt it. If someone access our database, he won't be able to do anything with it.

Another thing I considered is issuing a Cloudflare token with a short expiry, then can re-auth when I log back in to the Hub.

This can work, you won't be able to deploy with the NuxtHub CLI, create or delete projects or access some metrics, so might not be the best.

Ultimately though, it's a Cloudflare API token scoping issue more than anything. I'm assured in hearing the diligence in the security, but the current approach involves giving over a key to the whole castle, not just the R2, KV or D1 related to my Nuxt Hub content. Having a separate Nuxt Hub Cloudflare account seems to be only way I can think of right now.

I do understand this concern, sadly this is related to Cloudflare API token scopes being limited.

I have another solution that may interest you though: self-host the whole NuxtHub admin platform on your Cloudflare account (on-premise plan), this way, your API token stay in your CF account.

[maggie44]

I have another solution that may interest you though: self-host the whole NuxtHub admin platform on your Cloudflare account (on-premise plan), this way, your API token stay in your CF account.

This may be an option in the future, and would solve the key issue for those high priority services, or those that require ensuring certain security standards. I don't think it will be an option for me during Beta, but will keep it in mind for the future.

Thanks for your replies.