Only display redacted versions of API keys #228, fixed deployment password

Author: Forceu

internal/configuration/Configuration.go

@@ -129,6 +129,7 @@ func MigrateToV2(authPassword string) {
 
 	for _, apiKey := range database.GetAllApiKeys() {
 		apiKey.UserId = user.Id
+		apiKey.PublicId = helper.GenerateRandomString(35)
 		database.SaveApiKey(apiKey)
 	}
 
@@ -227,7 +228,9 @@ func SetDeploymentPassword(newPassword string) {
 		os.Exit(1)
 	}
 	serverSettings.Authentication.SaltAdmin = helper.GenerateRandomString(30)
-	err := database.EditSuperAdmin(serverSettings.Authentication.Username, serverSettings.Authentication.Username, newPassword)
+	err := database.EditSuperAdmin(serverSettings.Authentication.Username,
+		serverSettings.Authentication.Username,
+		hashUserPassword(newPassword))
 	if err != nil {
 		fmt.Println("No super-admin user found, but database contains other users. Aborting.")
 		os.Exit(1)

internal/configuration/database/Database.go

@@ -135,6 +135,11 @@ func GetSystemKey(userId int) (models.ApiKey, bool) {
 	return db.GetSystemKey(userId)
 }
 
+// GetApiKeyByPublicKey returns an API key by using the public key
+func GetApiKeyByPublicKey(publicKey string) (string, bool) {
+	return db.GetApiKeyByPublicKey(publicKey)
+}
+
 // E2E Section
 
 // SaveEnd2EndInfo stores the encrypted e2e info

internal/configuration/database/dbabstraction/DbAbstraction.go

@@ -45,6 +45,8 @@ type Database interface {
 	DeleteApiKey(id string)
 	// GetSystemKey returns the latest UI API key
 	GetSystemKey(userId int) (models.ApiKey, bool)
+	// GetApiKeyByPublicKey returns an API key by using the public key
+	GetApiKeyByPublicKey(publicKey string) (string, bool)
 
 	// SaveEnd2EndInfo stores the encrypted e2e info
 	SaveEnd2EndInfo(info models.E2EInfoEncrypted, userId int)

internal/configuration/database/provider/redis/apikeys.go

@@ -64,6 +64,17 @@ func (p DatabaseProvider) GetSystemKey(userId int) (models.ApiKey, bool) {
 	return keys[foundKey], true
 }
 
+// GetApiKeyByPublicKey returns an API key by using the public key
+func (p DatabaseProvider) GetApiKeyByPublicKey(publicKey string) (string, bool) {
+	keys := p.GetAllApiKeys()
+	for _, key := range keys {
+		if key.PublicId == publicKey {
+			return key.Id, true
+		}
+	}
+	return "", false
+}
+
 // SaveApiKey saves the API key to the database
 func (p DatabaseProvider) SaveApiKey(apikey models.ApiKey) {
 	p.setHashMap(p.buildArgs(prefixApiKeys + apikey.Id).AddFlat(apikey))

internal/configuration/database/provider/sqlite/Sqlite.go

@@ -38,7 +38,8 @@ func (p DatabaseProvider) Upgrade(currentDbVersion int) {
 	}
 	// < v2.0.0-beta
 	if currentDbVersion < 7 {
-		err := p.rawSqlite(`ALTER TABLE "ApiKeys" ADD COLUMN UserId INTEGER NOT NULL DEFAULT 0;`)
+		err := p.rawSqlite(`ALTER TABLE "ApiKeys" ADD COLUMN UserId INTEGER NOT NULL DEFAULT 0;
+									 ALTER TABLE "ApiKeys" ADD COLUMN PublicId TEXT NOT NULL DEFAULT '';`)
 		helper.Check(err)
 		err = p.rawSqlite(`DELETE FROM "ApiKeys" WHERE IsSystemKey = 1`)
 		helper.Check(err)
@@ -145,6 +146,7 @@ func (p DatabaseProvider) createNewDatabase() error {
 			"Expiry"	INTEGER,
 			"IsSystemKey"	INTEGER,
 			"UserId" INTEGER NOT NULL,
+			"PublicId" TEXT NOT NULL UNIQUE ,
 			PRIMARY KEY("Id")
 		) WITHOUT ROWID;
 		CREATE TABLE "E2EConfig" (

internal/configuration/database/provider/sqlite/apikeys.go

@@ -16,6 +16,7 @@ type schemaApiKeys struct {
 	Expiry       int64
 	IsSystemKey  int
 	UserId       int
+	PublicId     string
 }
 
 // currentTime is used in order to modify the current time for testing purposes in unit tests
@@ -32,10 +33,11 @@ func (p DatabaseProvider) GetAllApiKeys() map[string]models.ApiKey {
 	defer rows.Close()
 	for rows.Next() {
 		rowData := schemaApiKeys{}
-		err = rows.Scan(&rowData.Id, &rowData.FriendlyName, &rowData.LastUsed, &rowData.Permissions, &rowData.Expiry, &rowData.IsSystemKey, &rowData.UserId)
+		err = rows.Scan(&rowData.Id, &rowData.FriendlyName, &rowData.LastUsed, &rowData.Permissions, &rowData.Expiry, &rowData.IsSystemKey, &rowData.UserId, &rowData.PublicId)
 		helper.Check(err)
 		result[rowData.Id] = models.ApiKey{
 			Id:           rowData.Id,
+			PublicId:     rowData.PublicId,
 			FriendlyName: rowData.FriendlyName,
 			LastUsed:     rowData.LastUsed,
 			Permissions:  uint8(rowData.Permissions),
@@ -51,7 +53,7 @@ func (p DatabaseProvider) GetAllApiKeys() map[string]models.ApiKey {
 func (p DatabaseProvider) GetApiKey(id string) (models.ApiKey, bool) {
 	var rowResult schemaApiKeys
 	row := p.sqliteDb.QueryRow("SELECT * FROM ApiKeys WHERE Id = ?", id)
-	err := row.Scan(&rowResult.Id, &rowResult.FriendlyName, &rowResult.LastUsed, &rowResult.Permissions, &rowResult.Expiry, &rowResult.IsSystemKey, &rowResult.UserId)
+	err := row.Scan(&rowResult.Id, &rowResult.FriendlyName, &rowResult.LastUsed, &rowResult.Permissions, &rowResult.Expiry, &rowResult.IsSystemKey, &rowResult.UserId, &rowResult.PublicId)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return models.ApiKey{}, false
@@ -62,6 +64,7 @@ func (p DatabaseProvider) GetApiKey(id string) (models.ApiKey, bool) {
 
 	result := models.ApiKey{
 		Id:           rowResult.Id,
+		PublicId:     rowResult.PublicId,
 		FriendlyName: rowResult.FriendlyName,
 		LastUsed:     rowResult.LastUsed,
 		Permissions:  uint8(rowResult.Permissions),
@@ -77,7 +80,7 @@ func (p DatabaseProvider) GetApiKey(id string) (models.ApiKey, bool) {
 func (p DatabaseProvider) GetSystemKey(userId int) (models.ApiKey, bool) {
 	var rowResult schemaApiKeys
 	row := p.sqliteDb.QueryRow("SELECT * FROM ApiKeys WHERE IsSystemKey = 1 AND UserId = ? ORDER BY Expiry DESC LIMIT 1", userId)
-	err := row.Scan(&rowResult.Id, &rowResult.FriendlyName, &rowResult.LastUsed, &rowResult.Permissions, &rowResult.Expiry, &rowResult.IsSystemKey, &rowResult.UserId)
+	err := row.Scan(&rowResult.Id, &rowResult.FriendlyName, &rowResult.LastUsed, &rowResult.Permissions, &rowResult.Expiry, &rowResult.IsSystemKey, &rowResult.UserId, &rowResult.PublicId)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return models.ApiKey{}, false
@@ -88,6 +91,7 @@ func (p DatabaseProvider) GetSystemKey(userId int) (models.ApiKey, bool) {
 
 	result := models.ApiKey{
 		Id:           rowResult.Id,
+		PublicId:     rowResult.PublicId,
 		FriendlyName: rowResult.FriendlyName,
 		LastUsed:     rowResult.LastUsed,
 		Permissions:  uint8(rowResult.Permissions),
@@ -98,14 +102,29 @@ func (p DatabaseProvider) GetSystemKey(userId int) (models.ApiKey, bool) {
 	return result, true
 }
 
+// GetApiKeyByPublicKey returns an API key by using the public key
+func (p DatabaseProvider) GetApiKeyByPublicKey(publicKey string) (string, bool) {
+	var rowResult schemaApiKeys
+	row := p.sqliteDb.QueryRow("SELECT Id FROM ApiKeys WHERE PublicId = ? LIMIT 1", publicKey)
+	err := row.Scan(&rowResult.Id)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return "", false
+		}
+		helper.Check(err)
+		return "", false
+	}
+	return rowResult.Id, true
+}
+
 // SaveApiKey saves the API key to the database
 func (p DatabaseProvider) SaveApiKey(apikey models.ApiKey) {
 	isSystemKey := 0
 	if apikey.IsSystemKey {
 		isSystemKey = 1
 	}
-	_, err := p.sqliteDb.Exec("INSERT OR REPLACE INTO ApiKeys (Id, FriendlyName, LastUsed, Permissions, Expiry, IsSystemKey, UserId) VALUES (?, ?, ?, ?, ?, ?, ?)",
-		apikey.Id, apikey.FriendlyName, apikey.LastUsed, apikey.Permissions, apikey.Expiry, isSystemKey, apikey.UserId)
+	_, err := p.sqliteDb.Exec("INSERT OR REPLACE INTO ApiKeys (Id, FriendlyName, LastUsed, Permissions, Expiry, IsSystemKey, UserId, PublicId) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
+		apikey.Id, apikey.FriendlyName, apikey.LastUsed, apikey.Permissions, apikey.Expiry, isSystemKey, apikey.UserId, apikey.PublicId)
 	helper.Check(err)
 }
 

internal/models/ApiKey.go

@@ -32,6 +32,7 @@ const ApiPermDefault = ApiPermAll - ApiPermApiMod - ApiPermManageUsers - ApiPerm
 // ApiKey contains data of a single api key
 type ApiKey struct {
 	Id           string `json:"Id" redis:"Id"`
+	PublicId     string `json:"PublicId" redis:"PublicId"`
 	FriendlyName string `json:"FriendlyName" redis:"FriendlyName"`
 	LastUsed     int64  `json:"LastUsed" redis:"LastUsed"`
 	Permissions  uint8  `json:"Permissions" redis:"Permissions"`
@@ -48,6 +49,12 @@ func (key *ApiKey) GetReadableDate() string {
 	return time.Unix(key.LastUsed, 0).Format("2006-01-02 15:04:05")
 }
 
+// GetRedactedId returns a redacted version of the API key
+func (key *ApiKey) GetRedactedId() string {
+	return key.Id[0:2] + "**************************" + key.Id[28:]
+
+}
+
 // GrantPermission sets one or more permissions
 func (key *ApiKey) GrantPermission(permission uint8) {
 	key.Permissions |= permission
@@ -103,6 +110,7 @@ func (key *ApiKey) HasPermissionManageUsers() bool {
 
 // ApiKeyOutput is the output that is used after a new key is created
 type ApiKeyOutput struct {
-	Result string
-	Id     string
+	Result   string
+	Id       string
+	PublicId string
 }

internal/webserver/api/Api.go

@@ -17,6 +17,9 @@ import (
 	"time"
 )
 
+const lengthPublicId = 35
+const lengthApiKey = 30
+
 // Process parses the request and executes the API call or returns an error message to the sender
 func Process(w http.ResponseWriter, r *http.Request, maxMemory int) {
 	w.Header().Set("cache-control", "no-store")
@@ -180,21 +183,20 @@ func DeleteKey(id string) bool {
 }
 
 // NewKey generates a new API key
-func NewKey(defaultPermissions bool, userId int) string {
+func NewKey(defaultPermissions bool, userId int) models.ApiKey {
 	newKey := models.ApiKey{
-		Id:           helper.GenerateRandomString(30),
+		Id:           helper.GenerateRandomString(lengthApiKey),
+		PublicId:     helper.GenerateRandomString(lengthPublicId),
 		FriendlyName: "Unnamed key",
-		LastUsed:     0,
 		Permissions:  models.ApiPermDefault,
-		Expiry:       0,
 		IsSystemKey:  false,
 		UserId:       userId,
 	}
 	if !defaultPermissions {
 		newKey.Permissions = models.ApiPermNone
 	}
 	database.SaveApiKey(newKey)
-	return newKey.Id
+	return newKey
 }
 
 // newSystemKey generates a new API key that is only used internally for the GUI
@@ -215,9 +217,9 @@ func newSystemKey(userId int) string {
 	}
 
 	newKey := models.ApiKey{
-		Id:           helper.GenerateRandomString(30),
+		Id:           helper.GenerateRandomString(lengthApiKey),
+		PublicId:     helper.GenerateRandomString(lengthPublicId),
 		FriendlyName: "Internal System Key",
-		LastUsed:     0,
 		Permissions:  tempKey.Permissions,
 		Expiry:       time.Now().Add(time.Hour * 48).Unix(),
 		IsSystemKey:  true,
@@ -320,11 +322,12 @@ func isValidUserForEditing(w http.ResponseWriter, request apiRequest) (models.Us
 func createApiKey(w http.ResponseWriter, request apiRequest, user models.User) {
 	key := NewKey(request.apiInfo.basicPermissions, user.Id)
 	output := models.ApiKeyOutput{
-		Result: "OK",
-		Id:     key,
+		Result:   "OK",
+		Id:       key.Id,
+		PublicId: key.PublicId,
 	}
 	if request.apiInfo.friendlyName != "" {
-		err := renameApiKeyFriendlyName(key, request.apiInfo.friendlyName)
+		err := renameApiKeyFriendlyName(key.Id, request.apiInfo.friendlyName)
 		if err != nil {
 			sendError(w, http.StatusInternalServerError, err.Error())
 			return
@@ -848,7 +851,7 @@ func parseRequest(r *http.Request) (apiRequest, error) {
 		},
 		apiInfo: apiModInfo{
 			friendlyName:     r.Header.Get("friendlyName"),
-			apiKeyToModify:   r.Header.Get("apiKeyToModify"),
+			apiKeyToModify:   publicKeyToApiKey(r.Header.Get("apiKeyToModify")),
 			permission:       uint8(apiPermission),
 			grantPermission:  r.Header.Get("permissionModifier") == "GRANT",
 			basicPermissions: r.Header.Get("basicPermissions") == "true",
@@ -866,6 +869,18 @@ func parseRequest(r *http.Request) (apiRequest, error) {
 	}, nil
 }
 
+// publicKeyToApiKey tries to convert a (possible) public key to a private key
+// If not a public key or if invalid, the original value is returned
+func publicKeyToApiKey(publicKey string) string {
+	if len(publicKey) == lengthPublicId {
+		privateApiKey, ok := database.GetApiKeyByPublicKey(publicKey)
+		if ok {
+			return privateApiKey
+		}
+	}
+	return publicKey
+}
+
 func apiRequestToUploadRequest(request *http.Request) (models.UploadRequest, int, string, error) {
 	paramsToChange := 0
 	allowedDownloads := 0

internal/webserver/web/static/apidocumentation/openapi.json

@@ -548,7 +548,7 @@
           {
             "name": "apiKeyToModify",
             "in": "header",
-            "description": "The API key to change the name of",
+            "description": "The API key to change the name of. Can be either the public ID or the actual API key",
             "required": true,
             "style": "simple",
             "explode": false,
@@ -598,7 +598,7 @@
           {
             "name": "apiKeyToModify",
             "in": "header",
-            "description": "The API key to change the permission of",
+            "description": "The API key to change the permission of. Can be either the public ID or the actual API key",
             "required": true,
             "style": "simple",
             "explode": false,
@@ -664,7 +664,7 @@
           {
             "name": "apiKeyToModify",
             "in": "header",
-            "description": "The API key to delete",
+            "description": "The API key to delete. Can be either the public ID or the actual API key",
             "required": true,
             "style": "simple",
             "explode": false,
@@ -1064,6 +1064,10 @@
           "Id": {
             "type": "string",
             "example": "ar3iecahghiethiemeeR"
+          },
+          "PublicId": {
+            "type": "string",
+            "example": "oepah5iesae8YeeZohrain5ahNgax8su"
           }
         },
         "description": "NewApiKey is the struct used for the result after creating a new API key",