API Keys saved in clear in the database #1

Closed
proxeus-dev opened this issue Sep 2, 2019 · 0 comments

proxeus-dev commented Sep 2, 2019

API Keys are currently saved in clear when configuring the Proxeus server. Instead, like modern Cloud Native applications, these keys should not be saved in the database at all. They should not need to be edited by system administrators on the fly.

It is in any case right now necessary to restart the application to apply changes to the keys. This should be made clear in the documentation.

Steps to reproduce

Go to configuration settings and edit the API keys to remote services.

Expected behaviour

Configuration keys are stored only in configuration files (.env or .yml), loaded on startup. They are not stored in the database.

Actual behaviour

It is not encrypted in the database, and it is shown in plain text to administrators; both are security risks.
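An added example, not code from the Proxeus repository: one way to keep a remote-service API key unreadable in a settings table is to seal it with AES-256-GCM under a secret that is supplied from the environment at startup and never written to the database. The function names, the `EXAMPLE_ENCRYPTION_SECRET` variable, the setting names and the SHA-256 key derivation are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"os"
)

// newAEAD builds AES-256-GCM; SHA-256 of a long random secret is this example's key derivation.
func newAEAD(secret string) (cipher.AEAD, error) {
	if len(secret) < 16 {
		return nil, fmt.Errorf("encryption secret missing or too short")
	}
	key := sha256.Sum256([]byte(secret))
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	return cipher.NewGCM(block)
}

// SealSetting returns base64(nonce || ciphertext); the setting name is authenticated as AAD.
func SealSetting(secret, name, value string) (string, error) {
	aead, err := newAEAD(secret)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(value), []byte(name))), nil
}

// OpenSetting reverses SealSetting and fails on tampering, a wrong secret or a wrong name.
func OpenSetting(secret, name, stored string) (string, error) {
	aead, err := newAEAD(secret)
	raw, decErr := base64.StdEncoding.DecodeString(stored)
	if err != nil || decErr != nil || len(raw) < aead.NonceSize() {
		return "", fmt.Errorf("bad secret or malformed stored value")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(name))
	return string(plain), err
}

func main() { // EXAMPLE_ENCRYPTION_SECRET is a hypothetical variable name
	fmt.Println(SealSetting(os.Getenv("EXAMPLE_ENCRYPTION_SECRET"), "sparkpost_api_key", "constructed-sample-key"))
}
```

With the variable unset, `SealSetting` returns an error instead of falling back to storing the key unencrypted.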

@loleg loleg added $100 bounty There is a bounty attached to this issue! labels Jan 21, 2021
@loleg loleg removed the $100 label Apr 30, 2021
loleg pushed a commit that referenced this issue Nov 4, 2021
…problem (#229)

* Fix email from mismatch between env and settings db (#175)

* Encrypt Infura and SparkPost API keys inside the database (#1)

* updated websocket package version to solve the go sum checksum mismatch problem

* Add golang.org/x/tools to go.sum by go mod download

* Modify dependencies to fix go.sum

* Modify go.sum

* Modify go.sum

* Modify go.sum

* Fix tests dependency problem

* Add encryption secret key to the Makefile

* change the encryption secret key in makefile
loleg added a commit that referenced this issue Nov 4, 2021
* Refactored start docs

* Changed source of go-bindata #197

* Updated go dep trackers

* Updated yarn dependencies

* Added update step to Makefile

* New auto-generated bindata tests

* Added doc note about make update

* yarn upgrade

* Doc: rename Infura key as "project ID" for clarity

* Set resource class to medium for CircleCI builds

* Use Debian 'stable' release in Docker

* Add .env configuration loader to make #204

* Copy env during bootstrap

* Documentation related to license finder

* go-bindata install path

* Docker documentation link

* README revised

* Added logging instruction

* Revert go-ethereum v1.9.25

* Detect window.ethereum (#203)

* mod clean

* Updated minor go dependencies

* Fix email from mismatch between env and settings db (#175)

* Encrypt Infura and SparkPost API keys inside the database (#1)

* updated websocket package version to solve the go sum checksum mismatch problem

* Add golang.org/x/tools to go.sum by go mod download

* Modify dependencies to fix go.sum

* Modify go.sum

* Modify go.sum

* Modify go.sum

* Fix tests dependency problem

* Add encryption secret key to the Makefile

* Fix go mod tools loading and pin fasthttp/websocket version

* go.sum check

* Added documentation on PROXEUS_ENCRYPTION_SECRET_KEY

Co-authored-by: Mehdy javany <mehdy.javany@gmail.com>
Co-authored-by: javany <36955957+javany@users.noreply.github.com>
@loleg loleg closed this as completed Dec 15, 2021
@loleg loleg reopened this Dec 15, 2021
@loleg loleg changed the title API Keys are currently saved in clear in the database API Keys saved in clear in the database Dec 15, 2021
@loleg loleg added backend Pull requests that update Go code and removed bounty There is a bounty attached to this issue! labels Dec 15, 2021
@loleg loleg self-assigned this Dec 15, 2021
loleg added a commit to loleg/proxeus-core that referenced this issue Apr 4, 2022
@loleg loleg closed this as completed Apr 4, 2022
tafonina pushed a commit that referenced this issue Jun 9, 2023
Preprod from Main github merge to develop fork