Hash API keys #3842

Open. Wants to merge 25 commits into base: feature/1027-reset-api-key

Commits on Aug 5, 2024

  1. fa12188
  2. 01481fa
  3. Add new UI to reset and display API key

    How API keys are reset and displayed has changed since the initial version of API keys: Users will be able to view an API key exactly once after it has been created/reset. This requires a slightly different user interface. We’re also planning a few more changes to API keys in the future, and these UI changes prepare for that.
    tillprochaska committed Aug 5, 2024
    4d8b027
  4. Refactor existing settings screen

    The existing settings UI was a little cluttered and unstructured. We’re going to add new settings in this PR and in follow-up PRs, so I took the time to clean up the UI (both visually and implementation-wise).
    tillprochaska committed Aug 5, 2024
    7097196
  5. Ensure that toasts are always visible, even when scrolling

    This is a hacky workaround, but a proper fix would require quite some refactoring. Considering that this hack is pretty isolated and not going to affect any other parts of the UI and that we will need to upgrade to Blueprint 5 at some point anyway, I’ve opted for the quick-and-dirty solution for now.
    tillprochaska committed Aug 5, 2024
    64fd321
  6. 6a4268c
  7. Use session tokens for authentication in API tests

    In the future, roles won’t have an API key by default anymore. As an alternative, we generate session tokens explicitly.
    tillprochaska committed Aug 5, 2024
    e743aaa
  8. Do not generate API tokens for new roles

    Most users do not need API access so there’s no reason to generate an API key for them by default.
    tillprochaska committed Aug 5, 2024
    f1821b6
  9. Handle users without an API key properly in the settings UI

    Previously, an API key was generated automatically for new users, i.e. every user had an API key. This has now changed, and the settings UI needs to properly handle situations where a user doesn’t yet have an API key.
    
    As this increases the complexity of the UI state, I’ve refactored the component to make use of a local reducer.
    tillprochaska committed Aug 5, 2024
    a59f346
  10. f643993
  11. Rename "reset_api_key" to "generate_api_key"

    This method is now also used to generate an initial key for users who do not yet have an API key.
    tillprochaska committed Aug 5, 2024
    7fae093
  12. 9e643db
  13. Extract logic to regenerate API keys into separate module

    While the logic initially was quite simple, there will be more business logic related to API keys, e.g. sending notifications ahead of and when an API key has expired.
    tillprochaska committed Aug 5, 2024
    154f8cf
  14. 27ebe7b
  15. Extract generate_api_key method from role model

    Initially, I added this to the role model to be consistent with the model's `set_password` method. However, as the logic to generate an API token has become more complex, it is clear that it shouldn't live in the model.
    tillprochaska committed Aug 5, 2024
    758d939
  16. 89b40f3
  17. e701e80
  18. df51af5
  19. f57f678
  20. Remove unnecessary keys from API JSON response

    Aleph represents both users and groups using the role model. However, some API keys (such as `has_password` or `has_api_key`) are not relevant for groups.
    tillprochaska committed Aug 5, 2024
    3591e04
  21. 470e919
  22. fd5a17e
  23. Store hashed API keys

    Aleph used to store user API keys as plaintext in the database. This commit changes that to store only a hash of the API key.
    
    API keys are generated using the built-in `secrets.token_urlsafe` method which returns a random 256 bit token. In contrast to passwords, API keys are not provided by users, have a high entropy, and need to be validated on every request. It seems to be generally accepted that, given 256 bit tokens, salting or using an expensive key derivation function isn't necessary. For this reason, we’re storing an unsalted SHA-256 hash of the API key which also makes it easy to look up and verify a given API key.
    
    I've added a separate column for the hashed API key rather than reusing the existing column. This allows us to batch-hash all existing plaintext keys without having to differentiate between keys that have already been hashed and those that haven't. Once all existing plaintext API keys have been hashed, the old `api_key` column can simply be dropped.
    tillprochaska committed Aug 5, 2024
    97252b1
  24. 15b52eb
  25. Remove prefilled API key from OpenRefine endpoints

    Required as we do not store plaintext API keys anymore. Also, we want to remove the option to pass API keys via URL parameters in the future.
    
    This makes it impossible to use OpenRefine with non-public collections. This was never documented, and most users weren't aware that they can indeed use OpenRefine with non-public collections anyway.
    tillprochaska committed Aug 5, 2024
    5f94f9b
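
Added example, not code from this pull request or from Aleph: a sketch of the scheme described in the "Store hashed API keys" commit, covering key generation, lookup by unsalted SHA-256 digest, and the batch migration into a separate column. The SQLite table layout, the `api_key_digest` column name, the function names and the sample rows are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3


def hash_api_key(api_key: str) -> str:
    """Unsalted SHA-256 hex digest: deterministic, so it works as a lookup key."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def generate_api_key(db: sqlite3.Connection, role_id: int) -> str:
    """Store only the digest and return the plaintext once, for display to the user."""
    api_key = secrets.token_urlsafe()  # default size: 32 random bytes (256 bits)
    # Clearing the legacy column (assumption) keeps a later migration run from
    # overwriting the new digest with the digest of an old plaintext key.
    db.execute(
        "UPDATE role SET api_key = NULL, api_key_digest = ? WHERE id = ?",
        (hash_api_key(api_key), role_id),
    )
    return api_key


def role_for_api_key(db: sqlite3.Connection, api_key: str):
    """Resolve a presented key to a role id via its digest; None if unknown."""
    if not api_key:
        return None
    row = db.execute(
        "SELECT id FROM role WHERE api_key_digest = ?", (hash_api_key(api_key),)
    ).fetchone()
    return row[0] if row else None


def hash_plaintext_api_keys(db: sqlite3.Connection) -> int:
    """Batch-hash legacy plaintext keys into the digest column (safe to re-run)."""
    rows = db.execute(
        "SELECT id, api_key FROM role WHERE api_key IS NOT NULL"
    ).fetchall()
    for role_id, api_key in rows:
        db.execute(
            "UPDATE role SET api_key_digest = ? WHERE id = ?",
            (hash_api_key(api_key), role_id),
        )
    return len(rows)


def demo_db() -> sqlite3.Connection:
    """Constructed sample data: one role with a legacy plaintext key, one without a key."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE role (id INTEGER PRIMARY KEY, api_key TEXT, api_key_digest TEXT UNIQUE)")
    db.execute("INSERT INTO role (id, api_key) VALUES (1, 'legacy-plaintext-key'), (2, NULL)")
    return db
```

Because the digest lives in its own column, the migration never has to guess whether a stored value is already hashed, and the plaintext column can be dropped once every row has a digest.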