#2727 closed defect (fixed)

review api_auth_token changes on Magic Folder branch for security

Reported by: daira Owned by: warner
Priority: normal Milestone: 1.12.0
Component: code-frontend-web Version: unknown
Keywords: security api_auth_token Cc:
Launchpad Bug:

Change History (3)

comment:1 Changed at 2016-02-08T15:22:42Z by daira

E.g. does the token ever get logged?

comment:2 Changed at 2016-03-22T05:02:52Z by warner

  • Milestone changed from 1.11.0 to 1.12.0

Milestone renamed

comment:3 Changed at 2016-09-13T19:27:32Z by warner

  • Resolution set to fixed
  • Status changed from new to closed

We walked through the code briefly in today's devchat, and it looks good:

  • the token is 32 os.urandom bytes, regenerated at each node reboot, stored in private/ as base64 characters
  • the web/common.py TokenOnlyWebApi does timing-safe string comparison (of the base64 chars, no calls to b64decode)
  • it only accepts the token as a POST body argument, and there are tests of this (no GET, no queryargs)
  • POST bodies aren't logged

We discussed the ideal lifetime for this token. Right now, rebooting the node effectively revokes the token, which seems fine. If/when we implement a new WAPI (probably websocket-based), we'll add a bunch of smaller tokens (no ambient authority on the new WAPI), and we'll consider making tokens persistent (but adding a "tahoe api revoke" command to flush them).
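
Added example, not part of the ticket and not Tahoe-LAFS code: a minimal Python sketch of the properties listed in comment:3 (32 `os.urandom` bytes kept as base64 text, constant-time comparison of that text, token accepted only from a POST body so it never reaches a URI-based access log). The field name `token`, the `/api` path and the URL-safe base64 alphabet are assumptions made for the illustration.

```python
import base64
import hmac
import os
from urllib.parse import parse_qs

TOKEN_FIELD = "token"  # assumed field name, not taken from the ticket


def new_token() -> str:
    # 32 bytes from os.urandom, kept as base64 text. The URL-safe alphabet is an
    # assumption made here: it avoids "+", which form decoding turns into a space.
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def access_log_line(method: str, uri: str) -> str:
    # A typical access log records the method and the full request URI, so a
    # query-string token would be written to disk; the body never reaches this line.
    return f"{method} {uri}"


def authorize(method: str, uri: str, body: bytes, expected: str) -> bool:
    # Only a POST can carry the token; the query string in `uri` is never read.
    if method != "POST":
        return False
    # latin-1 maps every byte to a character, so a malformed body cannot raise.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    supplied = fields.get(TOKEN_FIELD, [])
    if len(supplied) != 1:  # missing or repeated field
        return False
    # Constant-time comparison of the base64 text itself, with no b64decode.
    return hmac.compare_digest(supplied[0].encode("utf-8"), expected.encode("ascii"))


if __name__ == "__main__":
    token = new_token()  # constructed sample value
    body = f"{TOKEN_FIELD}={token}".encode("ascii")
    print(authorize("POST", "/api", body, token))
    print(authorize("GET", f"/api?{TOKEN_FIELD}={token}", b"", token))
    print(token in access_log_line("POST", "/api"))
```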
