diff --git a/cmd/lk/cloud.go b/cmd/lk/cloud.go
index 0a98773f..0571e9e6 100644
--- a/cmd/lk/cloud.go
+++ b/cmd/lk/cloud.go
@@ -246,7 +246,14 @@ func requireToken(_ context.Context, cmd *cli.Command) (*config.ProjectConfig, s
 return nil, "", err
 }
 
- at := auth.NewAccessToken(cfg.APIKey, cfg.APISecret)
+ // construct a token from the chosen project, using the hashed secret as the identity
+ // as a means of preventing any old token generated with this key/secret pair from
+ // deleting it
+ hash, err := hashString(cfg.APISecret)
+ if err != nil {
+ return nil, "", err
+ }
+ at := auth.NewAccessToken(cfg.APIKey, cfg.APISecret).SetIdentity(hash)
 token, err := at.ToJWT()
 if err != nil {
 return nil, "", err
diff --git a/cmd/lk/utils.go b/cmd/lk/utils.go
index b3197fa4..de1d5c11 100644
--- a/cmd/lk/utils.go
+++ b/cmd/lk/utils.go
@@ -15,6 +15,8 @@
 package main
 
 import (
+ "crypto/sha256"
+ "encoding/hex"
 "encoding/json"
 "errors"
 "fmt"
@@ -149,6 +151,15 @@ func wrapWith(wrap string) func(string) string {
 }
 }
 
+func hashString(str string) (string, error) {
+ hash := sha256.New()
+ if _, err := hash.Write([]byte(str)); err != nil {
+ return "", err
+ }
+ bytes := hash.Sum(nil)
+ return hex.EncodeToString(bytes), nil
+}
+
 func PrintJSON(obj any) {
 txt, _ := json.MarshalIndent(obj, "", " ")
 fmt.Println(string(txt))
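Review bot: In requireToken (cmd/lk/cloud.go) the value passed to `SetIdentity(hash)` is a bare, unkeyed SHA-256 of `cfg.APISecret`, and JWT claims are only base64-encoded, so this secret-derived fingerprint is readable wherever the token or its identity is logged or stored. Because the digest is deterministic it also links every token minted from the same secret, and it is the same value any other plain SHA-256 of that secret would produce. If the server-side check (not visible in this diff) can be changed to match, a domain-separated keyed derivation such as `hmac.New(sha256.New, []byte(cfg.APISecret))` over a fixed label would avoid publishing a reusable hash of the secret. The comment should also say what "it" refers to and name the check that rejects tokens lacking this identity, since the protection depends entirely on that check. requireToken's body starts and ends outside the hunk.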
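Review bot: hashString (cmd/lk/utils.go) has an error path that cannot trigger, because `hash.Hash.Write` is documented never to return an error, which leaves the caller in requireToken with a dead `if err != nil` branch. The body can be reduced to `sum := sha256.Sum256([]byte(str))` and `return hex.EncodeToString(sum[:]), nil`, or the error result can be dropped and the caller adjusted. The local `bytes` shadows the standard package name and is worth renaming. The function also needs a doc comment that states its limits, for example `// hashString returns the hex-encoded SHA-256 digest of str; it is unsalted and unkeyed, so it is a fingerprint and not suitable for storing or protecting secrets.`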