Comments (10)
ahmadnassri
commented on May 12, 2024
public_key can't be the salt, its public, therefor not-secure. use the internal id (uuid) as salt
from kong.
thibaultcha
commented on May 12, 2024
Ah yes, it was with the id! Right, thanks
from kong.
subnetmarco
commented on May 12, 2024
I suggest using SHA1
from kong.
subnetmarco
commented on May 12, 2024
The only problem with encrypting keys is that the user will be able to retrieve it only the first time and never again. Of course this is not ideal.
I spoke with @thibaultcha and I agree that the only field that should be encrypted in the password in Basic Authentication, but not the secret_key for other authentication types.
from kong.
bortels
commented on May 12, 2024
Any news on this? Non-encrypted secrets at rest are a giant audit flag (for me, in particular, for PCI).
I would suggest that both the basic_auth and secret_key be hashed; really, if you are not going to pass it back to the backend API, there is no good reason to store it plaintext, including not being able to retrieve it more than once; if the secret key is lost (or stolen or compromised) - you just generate a new one.
from kong.
sonicaghi
commented on May 12, 2024
@bortels we have setup a roadmap here. We're working around the clock to deliver many new features, unfortunately "encrypt password" is not planned for the next release.
However, if you guys can help with a PR along the way, we would be more than happy to merge it for the v. 0.5
from kong.
tyiss
commented on May 12, 2024
moving forward with this, first draft with basic authentication plugin
configuration will add a new key 'encryption_method' which will hold:
- plain - plain passwords - default, for backward compatibility
- sha1 - sha1 for salted password with consumer id.
some code related questions:
- is there a way to use plugin 'conf' in the api.lua. to get encryption_method .
- for sha1 i use open-resty bundled https://github.com/openresty/lua-resty-string
there is no issue using this for test api using kong proxy.
but when i run the tests - it was failing. first because package.path was not pointing directly.
a manual fix was giving me error regarding no ffi (no Luajit) in tests.
how can i solve this ?
from kong.
thibaultcha
commented on May 12, 2024
Shouldn't we use bcrypt?
from kong.
tyiss
commented on May 12, 2024
bcrypt is fine by me.
are you suggesting having it instead of sha1 or along side with it (letting the user to decide).
from kong.
thibaultcha
commented on May 12, 2024
Having both would be better of course yeah
from kong.
Related Issues (20)
- [Plugin Server] RPC call has unexpected type <nil> HOT 1
- Kong 3.6: resty.openssl.auxiliary.nginx doesn't support Nginx version 1025003 HOT 5
- Kong manager is broken after upgrade to 3.4.3.4 HOT 4
- Reading issues with array elements in configuration files in DB less mode HOT 6
- request-size-limiting http2 requests are not supported without content-length header HOT 5
- Plugin schema not found on Control Plane HOT 1
- Log message does not match plugin HOT 5
- failed fetching KongUpstreamPolicy after upgrade to Kong 3.6 HOT 8
- Zipkin plugin: Support for Datadog tracing headers
- fail use jwt_parser:base64_decode to decode when upgrade kong 3.4.2 to 3.6.0 HOT 5
- ai-proxy buffers streamed responses HOT 5
- Kong Community - JWT Authentication Based Route 401 HOT 3
- Buggy behavior after failed health check recover HOT 14
- Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "". Strict MIME type checking is enforced for module scripts per HTML spec. HOT 3
- Can't start postgresql 16 over tls HOT 6
- reference resolving issue HOT 3
- How to add official support for s390x arch HOT 1
- Kong unit tests using busted framework does not with kong 3.0.0 using cassandra db (3.10, 3.11). These are working fine with kong 2.8.3 HOT 3
- Custom kong plugins are not displayed in kong manager with the list of plugins HOT 3
- Kong plugin file-log always logs response connection header as close HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kong.