[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2727: review api_auth_token changes on Magic Folder branch for security
Tahoe-LAFS
trac at tahoe-lafs.org
Tue Sep 13 19:27:32 UTC 2016
#2727: review api_auth_token changes on Magic Folder branch for security
-----------------------------------+-------------------------------------
Reporter: daira | Owner: warner
Type: defect | Status: closed
Priority: normal | Milestone: 1.12.0
Component: code-frontend-web | Version: unknown
Resolution: fixed | Keywords: security api_auth_token
Launchpad Bug: |
-----------------------------------+-------------------------------------
Changes (by warner):
* status: new => closed
* resolution: => fixed
Comment:
We walked through the code briefly in today's devchat, and it looks good:
* the token is 32 `os.urandom` bytes, regenerated at each node reboot,
stored in private/ as base64 characters
* the `web/common.py` `TokenOnlyWebApi` does timing-safe string comparison
(of the base64 chars, no calls to `b64decode`)
* it only accepts the token as a POST body argument, and there are tests
of this (no GET, no queryargs)
* POST bodies aren't logged
We discussed the ideal lifetime for this token. Right now, rebooting the
node effectively revokes the token, which seems fine. If/when we implement
a new WAPI (probably websocket-based), we'll add a bunch of smaller tokens
(no ambient authority on the new WAPI), and we'll consider making tokens
persistent (but adding a "tahoe api revoke" command to flush them).
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2727#comment:3>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
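The token handling the review above describes, as an added Python example (not Tahoe-LAFS's own `web/common.py` code): it mints a 32-byte `os.urandom` token kept as base64 text in private/, compares the base64 characters in constant time without calling `b64decode`, and honours the token only as a POST body argument. The `api_auth_token` file name, the form field name `token`, and refusing (rather than ignoring) a token carried in the query string are assumptions, not details from the ticket.

```python
import base64
import hmac
import os
import tempfile
from pathlib import Path

TOKEN_BYTES = 32  # the review notes 32 os.urandom bytes per token
TOKEN_FILE = "api_auth_token"  # assumed file name under the node's private/

def new_token(private_dir: Path) -> str:
    """Mint a token at node start and keep it as base64 text in private/."""
    token = base64.b64encode(os.urandom(TOKEN_BYTES)).decode("ascii")
    (private_dir / TOKEN_FILE).write_text(token + "\n")
    return token

def load_token(private_dir: Path) -> str:
    return (private_dir / TOKEN_FILE).read_text().strip()

def token_matches(expected: str, presented) -> bool:
    """Constant-time comparison of the base64 characters themselves; the client's
    value is never b64decode'd, so malformed input takes no data-dependent path."""
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))

def authorize(expected: str, method: str, query_args: dict, post_args: dict) -> bool:
    """TokenOnlyWebApi rule as described in the review: token only from a POST body.
    GET requests and query-string tokens are refused regardless of value
    (assumed: a query-string token is rejected rather than silently ignored)."""
    if method != "POST":
        return False
    if "token" in query_args:  # query strings end up in access logs; never honour them
        return False
    presented = post_args.get("token")
    return presented is not None and token_matches(expected, presented)

def demo() -> dict:
    """Exercise the rules against a freshly minted token in a temporary private/."""
    with tempfile.TemporaryDirectory() as tmp:
        private = Path(tmp)
        tok = new_token(private)
        wrong = tok[:-1] + ("A" if tok[-1] != "A" else "B")  # same length, one char off
        return {
            "token_len": len(tok),
            "roundtrip": load_token(private) == tok,
            "post_body_ok": authorize(tok, "POST", {}, {"token": tok}),
            "get_rejected": not authorize(tok, "GET", {"token": tok}, {}),
            "queryarg_rejected": not authorize(tok, "POST", {"token": tok}, {}),
            "wrong_token_rejected": not authorize(tok, "POST", {}, {"token": wrong}),
            "missing_token_rejected": not authorize(tok, "POST", {}, {}),
        }
```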