Description
Hi, I work on the LaunchDarkly product security team, and I'm working on adding a caller-identity API endpoint, which could be used to validate a LaunchDarkly credential (API token, SDK key, mobile key, etc). It will give some information about which account/environment that token belongs to, to help give the caller some context.

The idea is that this will work for any LD token, of any type, with any permission level (so you don't have to risk trying an API that might not be allowed for the credential you have, but it is still valid for other types of access).
My intended use-cases include tools like trufflehog, but also LD admins/users who find a token in a config management tool somewhere, and need to determine if it is still valid, and what it is used for.
So, my question: would the Trufflehog project be interested in a contribution from me to update the current LaunchDarkly detector to use this new purpose-built API?
Preferred Solution
I am proposing simplifying https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/launchdarkly/launchdarkly.go to call a single API that is made for this purpose, rather than using the API token list endpoint, and instantiating an LD SDK, to try to validate the different types of credentials.
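To make the proposal concrete, here is an added example (not code from the issue author, LaunchDarkly, or the trufflehog repository) of what a single-endpoint verifier would look like in Go. The endpoint path `/api/v2/caller-identity`, the JSON field names in `Identity`, the sample tokens and the mock server are all assumptions constructed for this example; the real endpoint is not yet published. The point it demonstrates is the three-way outcome a scanner needs: accepted (with account/environment context), rejected, or indeterminate because the service itself failed, so that an outage is never reported as "token revoked".

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Result is the three-way outcome a secret scanner needs from a verifier.
type Result int

const (
	Unverified    Result = iota // the service rejected the token
	Verified                    // the service accepted it and told us whose it is
	Indeterminate               // network/server error: report neither way, retry later
)

func (r Result) String() string {
	return [...]string{"unverified", "verified", "indeterminate"}[r]
}

// Identity is the ASSUMED shape of the caller-identity reply; the real field
// names are not on the page and may differ.
type Identity struct {
	AccountID   string `json:"accountId"`
	Environment string `json:"environment"`
	TokenKind   string `json:"tokenKind"`
}

// VerifyCredential sends one candidate token to the identity endpoint served
// under baseURL and maps the HTTP status to a Result. One request covers every
// token type, so the verifier never has to guess which API the token may call.
func VerifyCredential(ctx context.Context, client *http.Client, baseURL, token string) (Result, *Identity, error) {
	// The path is an assumption for this example, not LaunchDarkly's documented route.
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/api/v2/caller-identity", nil)
	if err != nil {
		return Indeterminate, nil, err
	}
	req.Header.Set("Authorization", token)
	resp, err := client.Do(req)
	if err != nil {
		return Indeterminate, nil, err
	}
	defer resp.Body.Close()

	switch resp.StatusCode {
	case http.StatusOK:
		var id Identity
		if err := json.NewDecoder(resp.Body).Decode(&id); err != nil {
			return Indeterminate, nil, fmt.Errorf("decode identity: %w", err)
		}
		return Verified, &id, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return Unverified, nil, nil
	default:
		return Indeterminate, nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
}

// NewMockIdentityServer is a constructed stand-in for the proposed endpoint so
// the example runs offline. Tokens and identities below are made up.
func NewMockIdentityServer() *httptest.Server {
	known := map[string]Identity{
		"example-api-token-0001": {AccountID: "acct-example", Environment: "production", TokenKind: "api-token"},
		"example-sdk-key-0002":   {AccountID: "acct-example", Environment: "staging", TokenKind: "sdk-key"},
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/api/v2/caller-identity" {
			http.NotFound(w, r)
			return
		}
		tok := r.Header.Get("Authorization")
		if tok == "example-outage" { // simulate a server-side failure
			w.WriteHeader(http.StatusInternalServerError)
			return
		}
		id, ok := known[tok]
		if !ok {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(id)
	}))
}

func main() {
	srv := NewMockIdentityServer()
	defer srv.Close()
	for _, tok := range []string{"example-api-token-0001", "example-sdk-key-0002", "not-a-token", "example-outage"} {
		res, id, err := VerifyCredential(context.Background(), srv.Client(), srv.URL, tok)
		if id != nil {
			fmt.Printf("%-24s %-13s account=%s env=%s kind=%s\n", tok, res, id.AccountID, id.Environment, id.TokenKind)
			continue
		}
		fmt.Printf("%-24s %-13s err=%v\n", tok, res, err)
	}
}
```

The `Indeterminate` branch is the part worth keeping whatever the final API looks like: a 5xx or a transport error must not be collapsed into "unverified", otherwise a brief outage on the identity endpoint silently downgrades every live finding in a scan.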