mirror of
https://github.com/louislam/uptime-kuma.git
synced 2024-11-27 16:54:04 +00:00
Switched to crypto.randomBytes for key generation
Keys are now 32 bytes long, encoded as a URL-safe base64 string.
Signed-off-by: Matthew Nickson <mnickson@sidingsmedia.com>
parent
b8720b46c3
commit
42a69c16ca
2 changed files with 7 additions and 6 deletions
|
@ -44,8 +44,9 @@ async function verifyAPIKey(key) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
let index = key.substring(0, key.indexOf("-"));
|
// uk prefix + key ID is before _
|
||||||
let clear = key.substring(key.indexOf("-") + 1, key.length);
|
let index = key.substring(2, key.indexOf("_"));
|
||||||
|
let clear = key.substring(key.indexOf("_") + 1, key.length);
|
||||||
|
|
||||||
let hash = await R.findOne("api_key", " id=? ", [ index ]);
|
let hash = await R.findOne("api_key", " id=? ", [ index ]);
|
||||||
|
|
||||||
|
@ -137,7 +138,7 @@ exports.basicAuth = async function (req, res, next) {
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Use X-API-Key header if API keys enabled, else use basic auth
|
* Use use API Key if API keys enabled, else use basic auth
|
||||||
* @param {express.Request} req Express request object
|
* @param {express.Request} req Express request object
|
||||||
* @param {express.Response} res Express response object
|
* @param {express.Response} res Express response object
|
||||||
* @param {express.NextFunction} next
|
* @param {express.NextFunction} next
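Review bot: The new parsing in verifyAPIKey never checks that the key has the `uk<id>_<secret>` shape before slicing it. When the string contains no `_`, `key.indexOf("_")` is -1, so `key.substring(2, -1)` swaps its arguments and returns the first two characters as `index`, while `clear` becomes the whole key; keys issued in the old `<id>-<uuid>` format take the same path. A guard ahead of the two `substring` calls makes the rejection explicit, for example `const sep = key.indexOf("_"); if (!key.startsWith("uk") || sep <= 2) { return false; }`. What happens when `R.findOne` finds no row is outside the hunk, so confirm that path returns false rather than throwing; verifyAPIKey's body continues past the visible lines.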
|
||||||
|
|
|
@ -17,7 +17,7 @@ module.exports.apiKeySocketHandler = (socket) => {
|
||||||
socket.on("addAPIKey", async (key, callback) => {
|
socket.on("addAPIKey", async (key, callback) => {
|
||||||
try {
|
try {
|
||||||
checkLogin(socket);
|
checkLogin(socket);
|
||||||
let clearKey = crypto.randomUUID();
|
let clearKey = crypto.randomBytes(32).toString("base64url");
|
||||||
let hashedKey = passwordHash.generate(clearKey);
|
let hashedKey = passwordHash.generate(clearKey);
|
||||||
key["key"] = hashedKey;
|
key["key"] = hashedKey;
|
||||||
let bean = await APIKey.save(key, socket.userID);
|
let bean = await APIKey.save(key, socket.userID);
|
||||||
|
@ -25,9 +25,9 @@ module.exports.apiKeySocketHandler = (socket) => {
|
||||||
log.debug("apikeys", "Added API Key");
|
log.debug("apikeys", "Added API Key");
|
||||||
log.debug("apikeys", key);
|
log.debug("apikeys", key);
|
||||||
|
|
||||||
// Append key ID to start of key seperated by -, used to get
|
// Append key ID and prefix to start of key seperated by _, used to get
|
||||||
// correct hash when validating key.
|
// correct hash when validating key.
|
||||||
let formattedKey = bean.id + "-" + clearKey;
|
let formattedKey = "uk" + bean.id + "_" + clearKey;
|
||||||
await sendAPIKeyList(socket);
|
await sendAPIKeyList(socket);
|
||||||
|
|
||||||
// Enable API auth if the user creates a key, otherwise only basic
|
// Enable API auth if the user creates a key, otherwise only basic
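Review bot: The key format is now defined by bare literals in two places: `"uk" + bean.id + "_" + clearKey` here and the hard-coded offset in `key.substring(2, key.indexOf("_"))` inside verifyAPIKey, so changing the prefix on one side silently breaks validation on the other. The comment above `formattedKey` should also record why the parse is unambiguous: `_` belongs to the base64url alphabet, so the secret itself may contain it, and the split only works because the prefix and the (presumably numeric) ID contain no `_` and the verifier cuts at the first one. I would replace that comment with `// Key format: "uk" + key ID + "_" + secret. The secret is base64url and may contain "_", so the verifier must split at the FIRST "_".` and, as a follow-up, move the prefix into a constant shared with the verifier. The handler's body continues outside the hunk.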
|
||||||
|
|