Comments (10)
public_key can't be the salt, it's public, therefore not secure. Use the internal id (uuid) as salt.
from kong.
Ah yes, it was with the id! Right, thanks
I suggest using SHA1
The only problem with encrypting keys is that the user will be able to retrieve it only the first time and never again. Of course this is not ideal.
I spoke with @thibaultcha and I agree that the only field that should be encrypted is the password in Basic Authentication, but not the secret_key for other authentication types.
Any news on this? Non-encrypted secrets at rest are a giant audit flag (for me, in particular, for PCI).
I would suggest that both the basic_auth and secret_key be hashed; really, if you are not going to pass it back to the backend API, there is no good reason to store it in plaintext, including not being able to retrieve it more than once; if the secret key is lost (or stolen or compromised), you just generate a new one.
@bortels we have set up a roadmap here. We're working around the clock to deliver many new features; unfortunately "encrypt password" is not planned for the next release.
However, if you guys can help with a PR along the way, we would be more than happy to merge it for v. 0.5.
Moving forward with this, first draft with the basic authentication plugin:
the configuration will add a new key 'encryption_method' which will hold:
- plain - plain passwords - default, for backward compatibility
- sha1 - sha1 for the password salted with the consumer id.
Some code-related questions:
- Is there a way to use the plugin 'conf' in api.lua to get encryption_method?
- For sha1 I use the OpenResty-bundled https://github.com/openresty/lua-resty-string.
There is no issue using this for the test API through the Kong proxy,
but when I run the tests it was failing: first because package.path was not pointing directly,
and a manual fix was giving me an error regarding no ffi (no LuaJIT) in tests.
How can I solve this?
Shouldn't we use bcrypt?
bcrypt is fine by me.
Are you suggesting having it instead of sha1 or alongside it (letting the user decide)?
Having both would be better of course, yeah.
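An added illustration, not code from this thread or from Kong, written in Python rather than the plugin's Lua: it shows the draft's 'encryption_method' dispatch (plain, and sha1 salted with the consumer's internal id) beside a third option that uses a random per-credential salt and a work factor, which is the shape of the bcrypt suggestion above; since the standard library has no bcrypt, the method name 'pbkdf2', the round count, the function names and all credential values are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the draft's plugin config values; 'pbkdf2' is this
# example's stdlib substitute for the bcrypt option raised in the thread.
ENCRYPTION_METHODS = ("plain", "sha1", "pbkdf2")
PBKDF2_ROUNDS = 200_000  # assumed work factor, chosen for the example


def hash_credential(secret: str, consumer_id: str, method: str = "plain") -> str:
    """Return the value to store for a credential under `method`.

    plain  - stored as-is (the draft's default, kept for backward compatibility)
    sha1   - SHA-1 over the secret salted with the consumer's internal id (uuid);
             deterministic, so it is recomputed at verify time
    pbkdf2 - random per-credential salt plus a work factor, the shape bcrypt has
    """
    if method == "plain":
        return secret
    if method == "sha1":
        return hashlib.sha1((consumer_id + secret).encode()).hexdigest()
    if method == "pbkdf2":
        salt = secrets.token_hex(16)
        dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), PBKDF2_ROUNDS)
        return f"pbkdf2${salt}${dk.hex()}"
    raise ValueError(f"unknown encryption_method: {method}")


def verify_credential(candidate: str, consumer_id: str, stored: str, method: str = "plain") -> bool:
    """Check a presented secret against the stored value using a constant-time compare."""
    if method == "plain":
        return hmac.compare_digest(candidate.encode(), stored.encode())
    if method == "sha1":
        expected = hash_credential(candidate, consumer_id, "sha1")
        return hmac.compare_digest(expected, stored)
    if method == "pbkdf2":
        try:
            tag, salt, dk_hex = stored.split("$")
        except ValueError:  # malformed stored value, treat as no match
            return False
        if tag != "pbkdf2":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), PBKDF2_ROUNDS)
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown encryption_method: {method}")
```

Under sha1 or pbkdf2 the stored value cannot be turned back into the secret, which is the one-time-retrieval trade-off the thread discusses; the sha1 variant also yields the same digest every time for a given consumer, so two users with the same password and id scheme are distinguishable only by their ids, whereas the random salt makes every stored value unique.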