Summary
Worker API keys are hashed using SHA-256 without per-key salt in api/worker_auth.py:
def hash_api_key(api_key: str) -> str:
"""Hash an API key using SHA-256."""
return hashlib.sha256(api_key.encode()).hexdigest()Issue
While the high entropy of generated API keys mitigates rainbow table attacks, using a salted hash algorithm like bcrypt or argon2 would provide defense-in-depth.
Recommendation
Consider migrating to argon2 or bcrypt for API key hashing:
- Add per-key random salt
- Use a password hashing algorithm designed to be slow
- Maintain backward compatibility during migration
Priority
Low - the current implementation is not insecure due to key entropy, but could be improved.
Identified during Distinguished Engineer code review
Summary
Worker API keys are hashed using SHA-256 without per-key salt in
api/worker_auth.py:Issue
While the high entropy of generated API keys mitigates rainbow table attacks, using a salted hash algorithm like bcrypt or argon2 would provide defense-in-depth.
Recommendation
Consider migrating to argon2 or bcrypt for API key hashing:
Priority
Low - the current implementation is not insecure due to key entropy, but could be improved.
Identified during Distinguished Engineer code review