[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2727: review api_auth_token changes on Magic Folder branch for security

Tue Sep 13 19:27:32 UTC 2016

#2727: review api_auth_token changes on Magic Folder branch for security
-----------------------------------+-------------------------------------
     Reporter:  daira              |      Owner:  warner
         Type:  defect             |     Status:  closed
     Priority:  normal             |  Milestone:  1.12.0
    Component:  code-frontend-web  |    Version:  unknown
   Resolution:  fixed              |   Keywords:  security api_auth_token
Launchpad Bug:                     |
-----------------------------------+-------------------------------------
Changes (by warner):

 * status:  new => closed
 * resolution:   => fixed

Comment:

 We walked through the code briefly in today's devchat, and it looks good:

 * the token is 32 `os.urandom` bytes, regenerated at each node reboot,
 stored in private/ as base64 characters
 * the `web/common.py` `TokenOnlyWebApi` does timing-safe string comparison
 (of the base64 chars, no calls to `b64decode`)
 * it only accepts the token as a POST body argument, and there are tests
 of this (no GET, no queryargs)
 * POST bodies aren't logged

 We discussed the ideal lifetime for this token. Right now, rebooting the
 node effectively revokes the token, which seems fine. If/when we implement
 a new WAPI (probably websocket-based), we'll add a bunch of smaller tokens
 (no ambient authority on the new WAPI), and we'll consider making tokens
 persistent (but adding a "tahoe api revoke" command to flush them).

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2727#comment:3>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage