Skip to content

Commit

Permalink
fix(auth): use hashed secret as identity to verify token authenticity (
Browse files Browse the repository at this point in the history
  • Loading branch information
rektdeckard authored Aug 13, 2024
1 parent 6336374 commit d2e3f27
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 1 deletion.
9 changes: 8 additions & 1 deletion cmd/lk/cloud.go
Original file line number Diff line number Diff line change
Expand Up @@ -246,7 +246,14 @@ func requireToken(_ context.Context, cmd *cli.Command) (*config.ProjectConfig, s
return nil, "", err
}

at := auth.NewAccessToken(cfg.APIKey, cfg.APISecret)
// construct a token from the chosen project, using the hashed secret as the identity
// as a means of preventing any old token generated with this key/secret pair from
// deleting it
hash, err := hashString(cfg.APISecret)
if err != nil {
return nil, "", err
}
at := auth.NewAccessToken(cfg.APIKey, cfg.APISecret).SetIdentity(hash)
token, err := at.ToJWT()
if err != nil {
return nil, "", err
Expand Down
11 changes: 11 additions & 0 deletions cmd/lk/utils.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@
package main

import (
"crypto/sha256"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
Expand Down Expand Up @@ -149,6 +151,15 @@ func wrapWith(wrap string) func(string) string {
}
}

func hashString(str string) (string, error) {
hash := sha256.New()
if _, err := hash.Write([]byte(str)); err != nil {
return "", err
}
bytes := hash.Sum(nil)
return hex.EncodeToString(bytes), nil
}

func PrintJSON(obj any) {
txt, _ := json.MarshalIndent(obj, "", " ")
fmt.Println(string(txt))
Expand Down

0 comments on commit d2e3f27

Please sign in to comment.