From 42a69c16ca42de0b34688b95e1f2e0188ad2811b Mon Sep 17 00:00:00 2001
From: Matthew Nickson
Date: Sun, 26 Feb 2023 16:47:34 +0000
Subject: [PATCH] Switched to crypto.randomBytes fpr key generation

Keys are now 32 bytes long encoded in a URL safe base64 string

Signed-off-by: Matthew Nickson
---
 server/auth.js                                   | 7 ++++---
 server/socket-handlers/api-key-socket-handler.js | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/server/auth.js b/server/auth.js
index eddae4c3c..c42a74c40 100644
--- a/server/auth.js
+++ b/server/auth.js
@@ -44,8 +44,9 @@ async function verifyAPIKey(key) {
         return false;
     }
 
-    let index = key.substring(0, key.indexOf("-"));
-    let clear = key.substring(key.indexOf("-") + 1, key.length);
+    // uk prefix + key ID is before _
+    let index = key.substring(2, key.indexOf("_"));
+    let clear = key.substring(key.indexOf("_") + 1, key.length);
 
     let hash = await R.findOne("api_key", " id=? ", [ index ]);
 
@@ -137,7 +138,7 @@ exports.basicAuth = async function (req, res, next) {
 };
 
 /**
- * Use X-API-Key header if API keys enabled, else use basic auth
+ * Use use API Key if API keys enabled, else use basic auth
  * @param {express.Request} req Express request object
  * @param {express.Response} res Express response object
  * @param {express.NextFunction} next
diff --git a/server/socket-handlers/api-key-socket-handler.js b/server/socket-handlers/api-key-socket-handler.js
index cf124cad3..546226f69 100644
--- a/server/socket-handlers/api-key-socket-handler.js
+++ b/server/socket-handlers/api-key-socket-handler.js
@@ -17,7 +17,7 @@ module.exports.apiKeySocketHandler = (socket) => {
     socket.on("addAPIKey", async (key, callback) => {
         try {
             checkLogin(socket);
-            let clearKey = crypto.randomUUID();
+            let clearKey = crypto.randomBytes(32).toString("base64url");
             let hashedKey = passwordHash.generate(clearKey);
             key["key"] = hashedKey;
             let bean = await APIKey.save(key, socket.userID);
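Review bot: The new `let index = key.substring(2, key.indexOf("_"))` line strips two characters without checking that they are actually the `uk` prefix, and a key containing no `_` makes `indexOf` return -1, so `substring(2, -1)` collapses to `"uk"` and that string is sent to the `api_key` lookup as the id. Reject malformed input before the split: `if (typeof key !== "string" || !key.startsWith("uk") || !key.includes("_")) { return false; }`. Also note that `_` is part of the base64url alphabet the new secrets use, so the split must stay on the first `_`; that holds today only because the id is numeric, and the added comment should say so: `// Key format is "uk<id>_<secret>"; split on the first "_" only, since the base64url secret may itself contain "_".` verifyAPIKey starts before the hunk and its hash comparison follows it, so how an empty or garbage index behaves downstream cannot be confirmed from here.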
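Review bot: The rewritten JSDoc line has a doubled word, `Use use API Key`; suggest ` * Use API key if API keys are enabled, else fall back to basic auth`. Dropping `X-API-Key header` from the sentence also removes the only hint of where the key is read from; if the header is still the transport, keep it in the description. The function this comment documents lies entirely outside the hunk.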
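Review bot: `crypto.randomBytes(32).toString("base64url")` depends on the `base64url` Buffer encoding, which Node only added in v15.7 and back-ported to v14.18; on an older 14.x runtime `toString` throws `Unknown encoding: base64url` inside the `try`, so key creation fails outright. If the project's supported engine range still admits such versions (not visible here), either raise the floor or encode by hand: `.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "")`. The 32 random bytes (256 bits) are a sound choice over the 122-bit UUID; a short comment would help the next reader: `// 256-bit secret, base64url so it is safe in headers and URLs`. As a point of style, `clearKey` and `hashedKey` are never reassigned and could be `const`. The `addAPIKey` handler continues past the end of the hunk.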
@@ -25,9 +25,9 @@ module.exports.apiKeySocketHandler = (socket) => {
             log.debug("apikeys", "Added API Key");
             log.debug("apikeys", key);
 
-            // Append key ID to start of key seperated by -, used to get
+            // Append key ID and prefix to start of key seperated by _, used to get
             // correct hash when validating key.
-            let formattedKey = bean.id + "-" + clearKey;
+            let formattedKey = "uk" + bean.id + "_" + clearKey;
             await sendAPIKeyList(socket);
 
             // Enable API auth if the user creates a key, otherwise only basic
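Review bot: The new `formattedKey` line builds the key by string concatenation; a template literal is the idiomatic form and makes the layout visible at a glance: ``const formattedKey = `uk${bean.id}_${clearKey}`;``. The comment above it still misspells `seperated`, and it should record the one invariant the verifier depends on, namely that the separator `_` is also a base64url character, e.g. `// Key format is "uk<id>_<secret>". The secret is base64url and may contain "_", so verifyAPIKey must split on the first "_" only; this works because the numeric id never contains one.` The enclosing `addAPIKey` handler starts and ends outside the hunk.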