Format API keys in hexa instead of base64

meilisearch · Jul 5, 2022 · eb65a60 · eb65a60
1 parent c01ea05
commit eb65a60
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 22 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/meilisearch-auth/Cargo.toml b/meilisearch-auth/Cargo.toml
@@ -4,7 +4,6 @@ version = "0.28.0"
 edition = "2021"
 
 [dependencies]
-base64 = "0.13.0"
 enum-iterator = "0.7.0"
 hmac = "0.12.1"
 meilisearch-types = { path = "../meilisearch-types" }
@@ -15,4 +14,4 @@ serde_json = { version = "1.0.79", features = ["preserve_order"] }
 sha2 = "0.10.2"
 thiserror = "1.0.30"
 time = { version = "0.3.7", features = ["serde-well-known", "formatting", "parsing", "macros"] }
-uuid = { version = "0.8.2", features = ["serde", "v4"] }
+uuid = { version = "1.1.2", features = ["serde", "v4"] }
diff --git a/meilisearch-auth/src/lib.rs b/meilisearch-auth/src/lib.rs
@@ -18,7 +18,7 @@ pub use action::{actions, Action};
 use error::{AuthControllerError, Result};
 pub use key::Key;
 use meilisearch_types::star_or::StarOr;
-use store::generate_key_as_base64;
+use store::generate_key_as_hexa;
 pub use store::open_auth_store_env;
 use store::HeedAuthStore;
 
@@ -139,7 +139,7 @@ impl AuthController {
     pub fn generate_key(&self, uid: Uuid) -> Option<String> {
         self.master_key
             .as_ref()
-            .map(|master_key| generate_key_as_base64(uid.as_bytes(), master_key.as_bytes()))
+            .map(|master_key| generate_key_as_hexa(uid, master_key.as_bytes()))
     }
 
     /// Check if the provided key is authorized to make a specific action

diff --git a/meilisearch-auth/src/store.rs b/meilisearch-auth/src/store.rs
@@ -13,8 +13,9 @@ use hmac::{Hmac, Mac};
 use meilisearch_types::star_or::StarOr;
 use milli::heed::types::{ByteSlice, DecodeIgnore, SerdeJson};
 use milli::heed::{Database, Env, EnvOpenOptions, RwTxn};
-use sha2::{Digest, Sha256};
+use sha2::Sha256;
 use time::OffsetDateTime;
+use uuid::fmt::Hyphenated;
 use uuid::Uuid;
 
 use super::error::Result;
@@ -141,13 +142,16 @@ impl HeedAuthStore {
             .remap_data_type::<DecodeIgnore>()
             .iter(&rtxn)?
             .filter_map(|res| match res {
-                Ok((uid, _))
-                    if generate_key_as_base64(uid, master_key).as_bytes() == encoded_key =>
-                {
+                Ok((uid, _)) => {
                     let (uid, _) = try_split_array_at(uid)?;
-                    Some(Uuid::from_bytes(*uid))
+                    let uid = Uuid::from_bytes(*uid);
+                    if generate_key_as_hexa(uid, master_key).as_bytes() == encoded_key {
+                        Some(uid)
+                    } else {
+                        None
+                    }
                 }
-                _ => None,
+                Err(_) => None,
             })
             .next();
 
@@ -253,13 +257,17 @@ impl<'a> milli::heed::BytesEncode<'a> for KeyIdActionCodec {
     }
 }
 
-pub fn generate_key_as_base64(uid: &[u8], master_key: &[u8]) -> String {
-    let master_key_sha = Sha256::digest(master_key);
-    let mut mac = Hmac::<Sha256>::new_from_slice(master_key_sha.as_slice()).unwrap();
-    mac.update(uid);
+pub fn generate_key_as_hexa(uid: Uuid, master_key: &[u8]) -> String {
+    // format uid as hyphenated allowing user to generate their own keys.
+    let mut uid_buffer = [0; Hyphenated::LENGTH];
+    let uid = uid.hyphenated().encode_lower(&mut uid_buffer);
+
+    // new_from_slice function never fail.
+    let mut mac = Hmac::<Sha256>::new_from_slice(master_key).unwrap();
+    mac.update(uid.as_bytes());
 
     let result = mac.finalize();
-    base64::encode_config(result.into_bytes(), base64::URL_SAFE_NO_PAD)
+    format!("{:x}", result.into_bytes())
 }
 
 /// Divides one slice into two at an index, returns `None` if mid is out of bounds.

diff --git a/meilisearch-http/Cargo.toml b/meilisearch-http/Cargo.toml
@@ -75,7 +75,7 @@ thiserror = "1.0.30"
 time = { version = "0.3.7", features = ["serde-well-known", "formatting", "parsing", "macros"] }
 tokio = { version = "1.17.0", features = ["full"] }
 tokio-stream = "0.1.8"
-uuid = { version = "0.8.2", features = ["serde", "v4"] }
+uuid = { version = "1.1.2", features = ["serde", "v4"] }
 walkdir = "2.3.2"
 
 [dev-dependencies]

diff --git a/meilisearch-http/tests/auth/api_keys.rs b/meilisearch-http/tests/auth/api_keys.rs
@@ -42,6 +42,7 @@ async fn add_valid_api_key() {
         "name": "indexing-key",
         "description": "Indexing API key",
         "uid": "4bc0887a-0e41-4f3b-935d-0c451dcee9c8",
+        "key": "d9e776b8412f1db6974c9a5556b961c3559440b6588216f4ea5d9ed49f7c8f3c",
         "indexes": ["products"],
         "actions": [
             "search",

diff --git a/meilisearch-lib/Cargo.toml b/meilisearch-lib/Cargo.toml
@@ -51,7 +51,7 @@ tempfile = "3.3.0"
 thiserror = "1.0.30"
 time = { version = "0.3.7", features = ["serde-well-known", "formatting", "parsing", "macros"] }
 tokio = { version = "1.17.0", features = ["full"] }
-uuid = { version = "0.8.2", features = ["serde", "v4"] }
+uuid = { version = "1.1.2", features = ["serde", "v4"] }
 walkdir = "2.3.2"
 whoami = { version = "1.2.1", optional = true }