Browse Source

hash the access token in the DB..

this is both to prevent stealing api keys (attacker will have to insert
their own API keys and leave a trace), but also prevent a possible side
channel attack (unlikely)...
main
John-Mark Gurney 3 years ago
parent
commit
a303dc28a6
1 changed files with 16 additions and 2 deletions
  1. +16
    -2
      bitelab/__init__.py

+ 16
- 2
bitelab/__init__.py View File

@@ -57,6 +57,7 @@ from .iso8601 import parse_date


import asyncio import asyncio
import contextlib import contextlib
import hashlib
import json import json
import logging import logging
import orm import orm
@@ -80,6 +81,8 @@ warnings.warn = lambda *args, **kwargs: None


epsilon = sys.float_info.epsilon epsilon = sys.float_info.epsilon


key_hash = lambda x: hashlib.blake2s(x.encode()).hexdigest()

# fix up parse_socket_addr for hypercorn # fix up parse_socket_addr for hypercorn
from hypercorn.utils import parse_socket_addr from hypercorn.utils import parse_socket_addr
from hypercorn.asyncio import tcp_server from hypercorn.asyncio import tcp_server
@@ -666,7 +669,7 @@ async def lookup_user(token: str = Depends(oauth2_scheme),
'''Using the token, look up the user that the token authorizes.''' '''Using the token, look up the user that the token authorizes.'''


try: try:
return (await data.APIKey.objects.get(key=token)).user
return (await data.APIKey.objects.get(key=key_hash(token))).user
except orm.exceptions.NoMatch: except orm.exceptions.NoMatch:
raise HTTPException( raise HTTPException(
status_code=HTTP_401_UNAUTHORIZED, status_code=HTTP_401_UNAUTHORIZED,
@@ -1048,6 +1051,17 @@ class TestCommon(unittest.IsolatedAsyncioTestCase):
def get_boardmanager_override(self): def get_boardmanager_override(self):
return self.brdmgr return self.brdmgr


@staticmethod
async def _setup_data(data):
fake_data = [
dict(user='foo', key='thisisanapikey'),
dict(user='bar', key='anotherlongapikey'),
]

for i in fake_data:
i['key'] = key_hash(i['key'])
await data.APIKey.objects.create(**i)

async def asyncSetUp(self): async def asyncSetUp(self):
self.app = getApp() self.app = getApp()


@@ -1057,7 +1071,7 @@ class TestCommon(unittest.IsolatedAsyncioTestCase):
self.dbtempfile.name) self.dbtempfile.name)
self.data = make_orm(self.database) self.data = make_orm(self.database)


await data._setup_data(self.data)
await self._setup_data(self.data)


# setup settings # setup settings
self.settings = config.Settings(db_file=self.dbtempfile.name, self.settings = config.Settings(db_file=self.dbtempfile.name,


Loading…
Cancel
Save