How to rotate hmac secret ? #691
Note that even for non Basic Auth backend we are still using the hmac secret to generate the bucket ID of a given authenticated user.
Oh. Well this is restricted to the
Yes the bucket ID generated is the name of the user default bucket
Closed
Agree.
Currently, with the default BasicAuth authentication policy, a unique «userid» is generated from the tuple user:pass using the hmac secret in the settings. If the hmac secret changes, the resulting «userid» will differ. Although technically the existing data won't disappear, the user won't be able to access them!
We have to identify every bit that relies on the hmac secret and make sure that we provide a mechanism to change it without consequence for the users.
Regarding BasicAuth, we could just list this among the limitations of this authentication policy.
Related #297
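The failure described in the issue, with one possible lazy re-keying approach, as an added example (not the project's code and not part of the original issue). It assumes the userid is the HMAC-SHA256 hex digest of user:pass; `derive_userid`, `migrate_on_login`, the in-memory `store` and the secrets are hypothetical, constructed names and values, and only the BasicAuth userid is covered, not the bucket ID mentioned in the comments.

```python
import hashlib
import hmac


def derive_userid(secret, credentials):
    # Assumed construction: HMAC-SHA256(secret, "user:pass"), hex encoded.
    return hmac.new(secret.encode(), credentials.encode(),
                    hashlib.sha256).hexdigest()


def migrate_on_login(store, active_secret, retired_secrets, credentials):
    """Return the userid under the active secret, re-keying old data if found.

    The server never stores user:pass, so ids cannot be recomputed in a
    batch job after rotation. Re-keying can only happen when the user
    presents credentials again: recompute the id under each retired
    secret and move the data if that id already owns some.
    """
    current = derive_userid(active_secret, credentials)
    if current in store:
        return current  # already migrated, or created after rotation
    for old in retired_secrets:
        legacy = derive_userid(old, credentials)
        if legacy in store:
            # Wrong credentials yield an id that owns nothing, so they
            # can never claim another user's data through this path.
            store[current] = store.pop(legacy)
            break
    return current


# Constructed sample values, for illustration only.
OLD_SECRET = "old-secret-constructed"
NEW_SECRET = "new-secret-constructed"
CREDS = "alice:s3cret"


def demo():
    # Data written before rotation is keyed by the id under OLD_SECRET.
    store = {derive_userid(OLD_SECRET, CREDS): {"default": ["record-1"]}}
    # After rotation the same credentials map to an id that owns nothing.
    orphaned = derive_userid(NEW_SECRET, CREDS) not in store
    uid = migrate_on_login(store, NEW_SECRET, [OLD_SECRET], CREDS)
    return orphaned, uid, store


if __name__ == "__main__":
    print(demo())
```

Retired secrets must stay in the configuration until every user has authenticated at least once after the rotation, which is the operational cost of this approach.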