API keys are stored as plain text in the database

Open on Drupal.org →

Created on 25 September 2023, almost 2 years ago

Problem/Motivation

This is a public follow up on a previous security report (179490).

The API key in a password in this context and therefore it must not be stored in plain text rather encrypted or hashed and only displayed once to a user.

https://owasp.org/www-community/vulnerabilities/Password_Plaintext_Storage
https://blog.mergify.com/api-keys-best-practice#encryption-vs-hashing

Steps to reproduce

Create a key auth as user 1 or any other user and check the content of users_field_data.api_key in the database for the given user.

Proposed resolution

Suggested fix for fixing this with hashing is changing the type of the api_key field on user from string to password. Basically this is how Simple OAuth stores consumer secrets as well, see \simple_oauth_entity_base_field_info(). After that, when authentication happens the incoming value has to be compared with the saved value using the password checker service. See: \Drupal\simple_oauth\Repositories\ClientRepository::validateClient()

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Active

Version

2.1

Component

Code

Created by

🇭🇺Hungary mxr576 Hungary

Live updates comments and jobs are added and updated live.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

Issue created by @mxr576
Comment almost 2 years ago →
solideogloria
I agree that they shouldn't be stored in plain text.

+1 for changing to a password field.
Comment almost 2 years ago →
solideogloria
Comment almost 2 years ago →
solideogloria
Comment almost 2 years ago →
solideogloria
Comment almost 2 years ago →
solideogloria
Comment 3 months ago →
solideogloria
First commit to issue fork.
Comment 12 days ago →
enertron
Hi, I've put together a partial solution to this. It migrates existing API key data and utilizes the standard password field type as suggested.

I say partial, because I haven't addressed automatic key setup. I'm not entirely sure how we should approach this, because my implementation so far uses Drupal's notification system to provide the generated API key's value once before it is encrypted automatically. Delivering a new key might entail using email but I wasn't sure if that's the approach that should be taken. I'm open to suggestions.
Comment 11 days ago →
solideogloria
Delivering a new key might entail using email but I wasn't sure if that's the approach that should be taken. I'm open to suggestions.

Email is definitely not a good approach. Stripe's website uses a modal, and once you close that modal, you won't see the full key again.
First commit to issue fork.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024