- Issue created by @mxr576
This is a public follow up on a previous security report (179490).
The API key is a password in this context and therefore it must not be stored in plain text; rather it should be encrypted or hashed, and only displayed once to a user.
https://owasp.org/www-community/vulnerabilities/Password_Plaintext_Storage
https://blog.mergify.com/api-keys-best-practice#encryption-vs-hashing
Create a key auth as user 1 or any other user and check the content of users_field_data.api_key in the database for the given user.
Suggested fix for this with hashing is changing the type of the api_key field on user from string to password. Basically this is how Simple OAuth stores consumer secrets as well, see simple_oauth_entity_base_field_info(). After that, when authentication happens the incoming value has to be compared with the saved value using the password checker service. See: \Drupal\simple_oauth\Repositories\ClientRepository::validateClient()
$this->passwordChecker->check()
to validateActive
2.1
Code
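The storage and verification flow the issue proposes, as an added example that is not key_auth or simple_oauth code: the secret part of the key is hashed with PHP's password_hash()/password_verify() (the primitives Drupal's password service wraps), the plaintext is returned exactly once at issue time, and a constant-time check is run even for unknown keys. Because a hashed value cannot be looked up by the key itself, the example assumes a public key id stored in clear next to the hash so the user row can be found without the secret; the ApiKeyStore class, the `<key_id>.<secret>` format and the in-memory array standing in for users_field_data are all assumptions made for the illustration.

```php
<?php
// Added example, not part of the key_auth or simple_oauth modules.
// Assumptions: a hypothetical ApiKeyStore keeps an in-memory array in place
// of the users_field_data table; keys are issued as "<key_id>.<secret>" so
// the row can be located by key_id while only a hash of the secret is kept.
declare(strict_types=1);

final class ApiKeyStore {
  /** @var array<string, array{uid:int, hash:string}> rows keyed by public key id */
  private array $rows = [];

  /** A valid hash of a throwaway value, verified against when key_id is unknown. */
  private string $dummyHash;

  public function __construct() {
    $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
  }

  /**
   * Issue a new key for $uid. Only the hash of the secret is stored; the
   * plaintext key is returned once and is never recoverable afterwards.
   */
  public function issue(int $uid): string {
    $keyId = bin2hex(random_bytes(8));    // public, stored in clear for lookup
    $secret = bin2hex(random_bytes(32));  // private, stored only as a hash
    $this->rows[$keyId] = [
      'uid' => $uid,
      'hash' => password_hash($secret, PASSWORD_DEFAULT),
    ];
    return $keyId . '.' . $secret;
  }

  /**
   * What the database row now holds for a key id: a "$2y$..." style hash,
   * not the key. Returns NULL for an unknown key id.
   */
  public function storedHash(string $keyId): ?string {
    return $this->rows[$keyId]['hash'] ?? NULL;
  }

  /**
   * Authenticate a presented key. Returns the uid on success, NULL otherwise.
   * password_verify() runs in every branch so response time does not reveal
   * whether the key id exists.
   */
  public function authenticate(string $presented): ?int {
    $parts = explode('.', $presented, 2);
    if (count($parts) !== 2) {
      return NULL;
    }
    [$keyId, $secret] = $parts;
    $row = $this->rows[$keyId] ?? NULL;
    $hash = $row['hash'] ?? $this->dummyHash;
    $ok = password_verify($secret, $hash);
    if (!$ok || $row === NULL) {
      return NULL;
    }
    // Upgrade the stored hash if the default cost/algorithm has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
      $this->rows[$keyId]['hash'] = password_hash($secret, PASSWORD_DEFAULT);
    }
    return $row['uid'];
  }
}

// Usage: issue a key for user 1, show it once, then verify a request with it.
$store = new ApiKeyStore();
$plain = $store->issue(1);
[$keyId] = explode('.', $plain, 2);

assert($store->authenticate($plain) === 1);                 // valid key
assert($store->authenticate('nosuchid.' . 'x') === NULL);   // unknown key id
assert($store->authenticate($keyId . '.wrongsecret') === NULL);
assert($store->authenticate('notakey') === NULL);           // malformed
assert($store->storedHash($keyId) !== NULL);
assert(strpos($store->storedHash($keyId), $plain) === FALSE); // plaintext absent from storage
echo "stored value for {$keyId}: " . $store->storedHash($keyId) . "\n";
```

Repeating the check from the report against a store like this (create a key, then read the stored value) shows a password-style hash instead of the key. The public key id is the part Drupal would still need to find the user before calling the password checker, since a hash cannot be used as a lookup column.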
I agree that they shouldn't be stored in plain text.
+1 for changing to a password field.