
Improved and more secure API Key handling #2552

Open
2 tasks done
rkg-mm opened this issue Mar 2, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@rkg-mm (Contributor) commented Mar 2, 2023

Current Behavior

Each team gets an API key automatically. All API keys are visible to admins in the web interface (therefore they must be stored somewhere in plaintext, or only reversibly encrypted).

Proposed Behavior

  1. By default a Team should not have API keys
  2. It shall be possible for admins to generate API keys, ideally with an additional comment or name, to document the purpose
  3. API keys should not be visible in plain text except once, right after generation
  4. API keys should be stored as a secret with proper one-way hashing (basically it's a secret and must be handled like one!)
  5. We should consider improving the API key length or at least the character set; not sure about best practices, but most other systems I know use larger keys
  6. (Ideally) Creation date and last usage date should be shown next to the API key, so the admin is able to clean up
  7. Also consider Enhanced format of API keys (for easier leak detection) #2543

Checklist
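Added illustration (not code from Dependency-Track or Alpine) of the handling proposed in items 2 to 6: a team starts with no keys, a key is returned in plaintext exactly once, only a one-way hash of it is persisted, and creation plus last-used timestamps and a purpose comment are kept alongside. The `odt_` prefix is an assumed placeholder, since the issue only references the prefixed format discussed in #2543 without spelling it out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed placeholder prefix: the issue references a recognisable key
# format (#2543) for leak detection but does not define it here.
KEY_PREFIX = "odt_"


@dataclass
class StoredApiKey:
    """What the database keeps: never the key itself, only its hash."""
    key_hash: str                        # hex SHA-256 of the full key string
    comment: str                         # documents the purpose (item 2)
    created: datetime                    # item 6
    last_used: Optional[datetime] = None  # item 6, updated on every use


class TeamApiKeys:
    def __init__(self) -> None:
        self.keys: List[StoredApiKey] = []  # a new team starts with none (item 1)

    @staticmethod
    def _digest(key: str) -> str:
        # Keys are 256-bit random tokens, so an unsalted SHA-256 suffices:
        # unlike passwords, the preimage cannot be guessed or brute-forced.
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, comment: str) -> str:
        """Generate a key, persist only its hash, return the plaintext once."""
        key = KEY_PREFIX + secrets.token_urlsafe(32)   # 32 bytes = 256 bits
        self.keys.append(StoredApiKey(self._digest(key), comment,
                                      datetime.now(timezone.utc)))
        return key   # shown to the admin once; not retrievable afterwards

    def authenticate(self, presented: str) -> Optional[StoredApiKey]:
        """Match the presented key by hash, constant-time, and stamp last_used."""
        wanted = self._digest(presented)
        for entry in self.keys:
            if hmac.compare_digest(entry.key_hash, wanted):
                entry.last_used = datetime.now(timezone.utc)
                return entry
        return None

    def revoke(self, comment: str) -> int:
        """Remove every key registered under the given comment; return count."""
        before = len(self.keys)
        self.keys = [k for k in self.keys if k.comment != comment]
        return before - len(self.keys)
```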

@valentijnscholten (Contributor) commented:

I agree these improvements are welcome/needed, but probably should be moved to https://github.com/stevespringett/Alpine ?

@rkg-mm (Contributor, Author) commented Mar 7, 2023

If this is part of the alpine framework, then yes :D

@mprencipe (Contributor) commented:

Alpine doesn't automatically create API keys for teams; it is parameterized:
https://github.com/stevespringett/Alpine/blob/master/alpine-infra/src/main/java/alpine/persistence/AlpineQueryManager.java#L559

Dependency-Track invokes the inherited AlpineQueryManager#createTeam method with the "true" parameter which generates the API key: https://github.com/DependencyTrack/dependency-track/blob/master/src/main/java/org/dependencytrack/resources/v1/TeamResource.java#L135

The simplest fix would be changing true to false.

@nscuro (Member) commented Mar 21, 2024

@mprencipe That sounds like a sensible thing to do. Do you fancy raising a PR for this?

@rkg-mm:

  2. It shall be possible for admins to generate API keys, ideally with an additional comment or name, to document the purpose

Comments to document the purpose are coming in v4.11, as per DependencyTrack/frontend#768.

  6. (Ideally) Creation date and last usage date should be shown next to the API key, so the admin is able to clean up

Timestamps to track creation and "last used" are coming in v4.11, as per DependencyTrack/frontend#768.

  7. Also consider Enhanced format of API keys (for easier leak detection) #2543

This was shipped in v4.9.

@mprencipe (Contributor) commented:

Sure, I can raise a PR.

mprencipe added a commit to mprencipe/dependency-track that referenced this issue Mar 21, 2024
…yTrack#2552.

Signed-off-by: Massimo Prencipe <mprencipe@gmail.com>
nscuro added a commit that referenced this issue Mar 22, 2024
…am-apikey-generation

Disable automatic API key generation for teams. Fixes part of issue #2552.