Skip to content

Team API Keys & Access Token management with hashing #295

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 26 commits into from
Mar 19, 2025
Merged

Team API Keys & Access Token management with hashing #295

merged 26 commits into from
Mar 19, 2025

Conversation

dobrac
Copy link
Contributor

@dobrac dobrac commented Feb 13, 2025
edited
Loading

Changes

  • Database migration for api keys and access tokens hashing
  • New endpoints for Teams API Key and Access Tokens management
  • Adds Team API Keys and Access Tokens hashing

Hashing
Hashing of Team API Keys and Access Tokens is done using sha256. It should be okay, as we have already 160bits secure API Keys/Token generation + API Keys are "confidential data at rest". Hash is only generated from the key part, key/access_token prefix is excluded. It uses bytes array directly.

Hashes are stored in the format:
"$sha256$%hash"

DB Changes
Access Tokens

ADD COLUMN id uuid DEFAULT gen_random_uuid(), // Used for token deletion
ADD COLUMN access_token_hash text UNIQUE, // New hashed value
ADD COLUMN access_token_mask text, // Masked value used for showing to the user (if required)
ADD COLUMN name text NOT NULL DEFAULT 'Unnamed Access Token'; // Naming for us to reference sources of creation + if exposed to the user, the naming might help the user

Team API Keys

ADD COLUMN api_key_hash text UNIQUE, // New hashed value
ADD COLUMN api_key_mask character varying(44); // Masked value used for showing in the dashboard

Endpoints
Why to move API Key managent to the Infra API

  • There is a need of hashing API Keys on the /teams endpoint in the API - because of it's usage in CLI (so the hashing and key creation would have to be duplicit if part of dashboard)
  • For custom clusters, it will be easier to handle Team API Keys management on their cluster (connected to their Supabase instance) as opposed to if/switch of Supabase on the dashboard side
// Required headers: X-Supabase-Token
POST /access-tokens - create new access token
DELETE /access-tokens/{access_token_id} - delete existing access token

// Required headers: X-Supabase-Token, X-Supabase-Team
GET /api-keys - list of all team api keys
POST /api-keys - create new team api key
PATCH /api-keys/{api_key_id} - update team api key name
DELETE /api-keys/{api_key_id} - remove team api key

@dobrac dobrac self-assigned this Feb 13, 2025
@linear Linear
Copy link

linear bot commented Feb 13, 2025

E2B-1558 Start creating hashes alongside API keys/access tokens in DB when creating new ones

@dobrac dobrac added improvement Improvement for current functionality feature New feature labels Feb 13, 2025
@dobrac dobrac force-pushed the start-creating-hashes-alongside-api-keysaccess-tokens-in-db-e2b-1558 branch 2 times, most recently from 4d386af to 3352161 Compare February 14, 2025 00:31
@dobrac dobrac marked this pull request as ready for review February 14, 2025 21:03
@dobrac dobrac mentioned this pull request Feb 14, 2025
Merged
@ValentaTomas ValentaTomas requested a review from 0div February 24, 2025 03:31
0div
0div approved these changes Feb 24, 2025
View reviewed changes
Copy link
Contributor

@0div 0div left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, although—not to be that guy—but needs tests.

@dobrac dobrac force-pushed the start-creating-hashes-alongside-api-keysaccess-tokens-in-db-e2b-1558 branch from 49dbc33 to 608700d Compare March 18, 2025 10:08
@dobrac dobrac force-pushed the start-creating-hashes-alongside-api-keysaccess-tokens-in-db-e2b-1558 branch from 688c036 to 13a4fd0 Compare March 18, 2025 11:03
@dobrac
Copy link
Contributor Author

dobrac commented Mar 18, 2025

LGTM, although—not to be that guy—but needs tests.

Added unit and integration tests

jakubno
jakubno reviewed Mar 18, 2025
View reviewed changes
jakubno
jakubno reviewed Mar 18, 2025
View reviewed changes
Copy link
Member

@jakubno jakubno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am missing logs, at least for error and info in the end of an successful interaction as deleting an api key

@dobrac
Copy link
Contributor Author

dobrac commented Mar 18, 2025
edited
Loading

I am missing logs, at least for error and info in the end of an successful interaction as deleting an api key

all http endpoints are logged with their results, if it is an internal error, we log also the reason (sendAPIStoreError)

@jakubno jakubno merged commit ead25f0 into main Mar 19, 2025
10 checks passed
@jakubno jakubno deleted the start-creating-hashes-alongside-api-keysaccess-tokens-in-db-e2b-1558 branch March 19, 2025 09:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jakubno jakubno jakubno approved these changes

@ValentaTomas ValentaTomas Awaiting requested review from ValentaTomas ValentaTomas is a code owner

+1 more reviewer

@0div 0div 0div approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@dobrac dobrac

Labels

feature New feature improvement Improvement for current functionality

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dobrac @jakubno @0div