hash the access token in the DB..

this is both to prevent stealing api keys (attacker will have to insert
their own API keys and leave a trace), but also prevent a possible side
channel attack (unlikely)...

bitelab/__init__.py

@@ -57,6 +57,7 @@ from .iso8601 import parse_date
 
 import asyncio
 import contextlib
+import hashlib
 import json
 import logging
 import orm
@@ -80,6 +81,8 @@ warnings.warn = lambda *args, **kwargs: None
 
 epsilon = sys.float_info.epsilon
 
+key_hash = lambda x: hashlib.blake2s(x.encode()).hexdigest()
+
 # fix up parse_socket_addr for hypercorn
 from hypercorn.utils import parse_socket_addr
 from hypercorn.asyncio import tcp_server
@@ -666,7 +669,7 @@ async def lookup_user(token: str = Depends(oauth2_scheme),
 	'''Using the token, look up the user that the token authorizes.'''
 
 	try:
-		return (await data.APIKey.objects.get(key=token)).user
+		return (await data.APIKey.objects.get(key=key_hash(token))).user
 	except orm.exceptions.NoMatch:
 		raise HTTPException(
 		    status_code=HTTP_401_UNAUTHORIZED,
@@ -1048,6 +1051,17 @@ class TestCommon(unittest.IsolatedAsyncioTestCase):
 	def get_boardmanager_override(self):
 		return self.brdmgr
 
+	@staticmethod
+	async def _setup_data(data):
+		fake_data = [
+			dict(user='foo', key='thisisanapikey'),
+			dict(user='bar', key='anotherlongapikey'),
+		]
+
+		for i in fake_data:
+			i['key'] = key_hash(i['key'])
+			await data.APIKey.objects.create(**i)
+
 	async def asyncSetUp(self):
 		self.app = getApp()
 
@@ -1057,7 +1071,7 @@ class TestCommon(unittest.IsolatedAsyncioTestCase):
 		    self.dbtempfile.name)
 		self.data = make_orm(self.database)
 
-		await data._setup_data(self.data)
+		await self._setup_data(self.data)
 
 		# setup settings
 		self.settings = config.Settings(db_file=self.dbtempfile.name,