valyentdev / software-citadel

Software Citadel is an open-source cloud platform for developers.
https://softwarecitadel.com
GNU Affero General Public License v3.0

[Emails] Hash the SMTP API key values #5

Closed alexisbouchez closed 6 days ago

alexisbouchez commented 3 weeks ago

Context

As of today, SMTP API Keys values are stored in plaintext in the database.

The issue is that if the database gets leaked, the SMTP server will become vulnerable.

To fix this issue, we could hash the value, just as we would hash a user's password.

Tasks to solve this issue

j4m1n-t commented 1 week ago

I'd be interested in helping out on this issue. I've reviewed the code and it appears that the portion of consideration is smtp_backend.go. Are you wanting to utilize the AuthMechanisms, Auth or create a new function altogether? Do you have standards you need to meet or will SHA256 be sufficient?

alexisbouchez commented 1 week ago

> I'd be interested in helping out on this issue. I've reviewed the code and it appears that the portion of consideration is smtp_backend.go. Are you wanting to utilize the AuthMechanisms, Auth or create a new function altogether? Do you have standards you need to meet or will SHA256 be sufficient?

You can do it in the Auth function, and make sure to use bcrypt (as it is already used to hash passwords). Feel free to join the Discord server to discuss it further.

alexisbouchez commented 6 days ago

Moving to https://github.com/valyentdev/ferdinand