rspace-os / rspace-web

This is the main repository for RSpace: rspace-web. Check https://github.com/rspace-os/rspace-web/blob/main/DevDocs/DeveloperNotes/GettingStarted/GettingStarted.md for setup instructions.
https://github.com/rspace-os/rspace-web/wiki
GNU Affero General Public License v3.0

Scramble user apiKey in database #58

Open ll4strw opened 1 month ago

ll4strw commented 1 month ago

UserApiKey.apiKey entries in the db should possibly be scrambled.

mKowalski256 commented 1 month ago

Yes, that's a fair request, although in the current design we do allow the user to view/copy their API key anytime after its creation, which means the most secure scrambling mechanism, based on hashes, would not work in this case. We could encrypt/decrypt the keys based on a secret stored outside the database, but that would only be a partial improvement.

We encourage users to revoke/regenerate their API keys on the schedule they believe is reasonable.

ll4strw commented 1 month ago

Fair enough. I do understand the motivations behind this design choice. My concerns are mainly the following

mKowalski256 commented 1 month ago

> Privacy. Sysadmins would have access to all API keys and impersonate users outside the impersonation scheme provided by the GUI app itself

Hmm, I've checked that and I believe you mean that the 'operate as' functionality currently lets a sysadmin see the API key of the user? That's a bug/oversight, the API key shouldn't be displayed for a sysadmin, I'll raise it as a separate issue.

mKowalski256 commented 1 month ago

I see that outside of the 'operate as' scenario there is an API endpoint allowing a sysadmin to retrieve API keys. The issue https://github.com/rspace-os/rspace-web/issues/73 will cover both cases.

ll4strw commented 3 weeks ago

Thanks for quickly completing #73. Could we open another issue just to do some brainstorming on how to avoid storing cleartext API keys in the db? Cheers, L.

mKowalski256 commented 3 weeks ago

Hi Leonardo, after internal discussion we've prioritized this ticket, and we're targeting the fix for the 2.3/1.103 release (end of September 2024). We plan to go with a solution where the user sees the API key only once, at the moment of creation, after which RSpace stores just a hashed value of the key.
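
The show-once design described in the last comment, sketched as an added example (this is not RSpace code and not from the thread participants): the cleartext key is returned a single time at issue, and only its digest is stored and compared. `ApiKeyStore`, `hash_api_key` and the in-memory dictionary standing in for the `UserApiKey` table are hypothetical names, and plain SHA-256 is an assumption that is reasonable only because the key is long CSPRNG output rather than a user-chosen secret.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def hash_api_key(api_key: str) -> str:
    """Digest stored in place of the key. A fast hash is acceptable only
    because the key is 256 bits of CSPRNG output, not a password."""
    return hashlib.sha256(api_key.encode("ascii")).hexdigest()


class ApiKeyStore:
    """Hypothetical stand-in for the UserApiKey table: holds digests only."""

    def __init__(self) -> None:
        self._digest_by_user = {}  # username -> hex digest

    def issue(self, username: str) -> str:
        """Create or regenerate a key; this return value is the only time
        the cleartext is available, so the caller must show it once."""
        api_key = secrets.token_urlsafe(32)
        self._digest_by_user[username] = hash_api_key(api_key)  # old key dies
        return api_key

    def revoke(self, username: str) -> None:
        self._digest_by_user.pop(username, None)

    def authenticate(self, presented_key: str) -> Optional[str]:
        """Return the owning username, or None if the key is unknown."""
        try:
            presented = hash_api_key(presented_key)
        except UnicodeEncodeError:
            return None  # issued keys are ASCII; anything else cannot match
        owner = None
        for username, stored in self._digest_by_user.items():
            # Constant-time comparison of the two hex digests.
            if hmac.compare_digest(stored, presented):
                owner = username
        return owner

    def dump_rows(self) -> list:
        """What a sysadmin query or a leaked database dump would contain."""
        return sorted(self._digest_by_user.items())
```

With this layout a lost key cannot be recovered, only regenerated, which is the trade-off against the view/copy-anytime behaviour discussed earlier in the thread.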