Opened at 2016-02-08T15:21:51Z
Closed at 2016-09-13T19:27:32Z
#2727 closed defect (fixed)
review api_auth_token changes on Magic Folder branch for security
Reported by: | daira | Owned by: | warner |
---|---|---|---|
Priority: | normal | Milestone: | 1.12.0 |
Component: | code-frontend-web | Version: | unknown |
Keywords: | security api_auth_token | Cc: | |
Launchpad Bug: |
Change History (3)
comment:1 Changed at 2016-02-08T15:22:42Z by daira
comment:2 Changed at 2016-03-22T05:02:52Z by warner
- Milestone changed from 1.11.0 to 1.12.0
Milestone renamed
comment:3 Changed at 2016-09-13T19:27:32Z by warner
- Resolution set to fixed
- Status changed from new to closed
We walked through the code briefly in today's devchat, and it looks good:
- the token is 32 os.urandom bytes, regenerated at each node reboot, stored in private/ as base64 characters
- the web/common.py TokenOnlyWebApi does timing-safe string comparison (of the base64 chars, no calls to b64decode)
- it only accepts the token as a POST body argument, and there are tests of this (no GET, no queryargs)
- POST bodies aren't logged
We discussed the ideal lifetime for this token. Right now, rebooting the node effectively revokes the token, which seems fine. If/when we implement a new WAPI (probably websocket-based), we'll add a bunch of smaller tokens (no ambient authority on the new WAPI), and we'll consider making tokens persistent (but adding a "tahoe api revoke" command to flush them).
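The checks listed in comment:3, as an added example that is not Tahoe-LAFS code and not part of the ticket: a token made from 32 `os.urandom` bytes kept as base64 characters, accepted only as a POST body argument, and compared in constant time without decoding. The names `make_token` and `check_request`, the `token` field name, the status codes and the URL-safe base64 alphabet are assumptions made for this sketch.

```python
import base64
import hmac
import os
from urllib.parse import parse_qs


def make_token():
    """32 bytes from the OS CSPRNG, kept as base64 characters (bytes).

    Assumption: URL-safe alphabet, so the value survives form encoding
    ('+' in standard base64 would be decoded as a space).
    """
    return base64.urlsafe_b64encode(os.urandom(32))


def check_request(method, query_string, body, expected_token):
    """Return an HTTP status for a token-protected endpoint.

    Hypothetical helper modelling the reviewed behaviour; it is not the
    real TokenOnlyWebApi class. query_string is str, body is bytes.
    """
    if method != "POST":
        return 405  # no GET, or any other verb
    # A token in the URL would land in access logs, proxies and history,
    # so its presence there is rejected rather than silently ignored.
    if "token" in parse_qs(query_string, keep_blank_values=True):
        return 400
    fields = parse_qs(body, keep_blank_values=True)  # bytes in, bytes out
    supplied = fields.get(b"token", [])
    if len(supplied) != 1:
        return 401  # missing or duplicated token argument
    # Compare the base64 characters directly: no b64decode on untrusted
    # input, and compare_digest does not short-circuit on first mismatch.
    if not hmac.compare_digest(supplied[0], expected_token):
        return 401
    return 200


if __name__ == "__main__":
    token = make_token()  # regenerated on every start, as in the ticket
    print(check_request("POST", "", b"token=" + token, token))
    print(check_request("GET", "token=" + token.decode(), b"", token))
    print(check_request("POST", "", b"token=" + make_token(), token))
```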
E.g. does the token ever get logged?