
Potential security issue > User can connect to the same database with different API keys #62

Open
ljsinclair opened this issue Nov 13, 2023 · 0 comments


Issue

Totally different API key allows access to an existing account on the same database

Steps to reproduce

  • Create a database
  • Create an API key "keyone"
  • Create an account with ai-featureBase.com using DB ID and keyone secret key
  • Create a template and node

Second key

  • Create an API key "keytwo"
  • Create an account with ai-featurebase.com using DB ID and keytwo secret key

Result: Account two has access to the template and node from keyone

The bigger issue

API private keys are not usually used for anything but the first connection setup. From there, other means are usually used.

Using them for a login is sub-optimal.

Solution

Unless there are compelling reasons to allow a user to generate an API key and access all the templates, nodes and pipelines for a database, then this should be disabled in favour of one of the following:

  1. use the public key for subsequent logins
  2. force the user to create an account password
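As an added illustration (not the project's code; the `Service` class, its methods and the sample database, key and resource names are assumptions), the following Python model replays the steps above and contrasts the behaviour the report describes, where any valid key for a database ID reaches every template and node in that database, with a check that scopes each resource to the account that created it and, following the second option, moves later logins to an account password so the API secret is only needed for the initial connection setup:

```python
"""Toy model of the access-control problem described in the issue.
Added example, not the project's code; all names below are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Resource:
    kind: str            # "template" or "node"
    name: str
    db_id: str
    owner_account: str   # account that created it


@dataclass
class Account:
    account_id: str
    db_id: str
    key_name: str        # API key used at signup
    pw_salt: bytes = b""
    pw_hash: bytes = b""


class Service:
    def __init__(self):
        self.api_keys = {}    # (db_id, key_name) -> secret
        self.accounts = {}    # account_id -> Account
        self.resources = []   # list of Resource

    def create_api_key(self, db_id, key_name):
        secret = secrets.token_hex(16)
        self.api_keys[(db_id, key_name)] = secret
        return secret

    def _key_name_for(self, db_id, secret):
        # Constant-time comparison against every key of that database.
        for (d, name), s in self.api_keys.items():
            if d == db_id and hmac.compare_digest(s, secret):
                return name
        return None

    # Signup as in the report: an account is created from DB ID + secret key.
    def create_account(self, db_id, secret):
        key_name = self._key_name_for(db_id, secret)
        if key_name is None:
            raise PermissionError("unknown API key for this database")
        account_id = f"{db_id}/{key_name}"
        self.accounts[account_id] = Account(account_id, db_id, key_name)
        return account_id

    def create_resource(self, account_id, kind, name):
        acct = self.accounts[account_id]
        self.resources.append(Resource(kind, name, acct.db_id, account_id))

    # Weak check: the key only proves "some key for this database", so
    # every resource in the database is visible to every key holder.
    def list_resources_weak(self, db_id, secret):
        if self._key_name_for(db_id, secret) is None:
            raise PermissionError("invalid API key")
        return sorted(r.name for r in self.resources if r.db_id == db_id)

    # Scoped check: resources are visible only to the owning account.
    def list_resources_scoped(self, account_id):
        return sorted(r.name for r in self.resources
                      if r.owner_account == account_id)

    # Option 2 from the report: later logins use an account password.
    def set_password(self, account_id, password):
        acct = self.accounts[account_id]
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), acct.pw_salt, 200_000)

    def login(self, account_id, password):
        acct = self.accounts.get(account_id)
        if acct is None or not acct.pw_hash:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), acct.pw_salt, 200_000)
        return hmac.compare_digest(candidate, acct.pw_hash)


def reproduce():
    """Replays the reported steps with constructed names and returns what
    keytwo's account sees under the weak check and under the scoped check."""
    svc = Service()
    db = "db-1"
    keyone = svc.create_api_key(db, "keyone")
    acct_one = svc.create_account(db, keyone)
    svc.create_resource(acct_one, "template", "template-a")
    svc.create_resource(acct_one, "node", "node-a")

    keytwo = svc.create_api_key(db, "keytwo")
    acct_two = svc.create_account(db, keytwo)

    weak = svc.list_resources_weak(db, keytwo)     # keyone's objects leak
    scoped = svc.list_resources_scoped(acct_two)   # nothing owned yet
    return weak, scoped


if __name__ == "__main__":
    print(reproduce())   # (['node-a', 'template-a'], [])
```

The scoped check makes the key prove "this account", not merely "some key for this database"; the password path shows the key being retired after the first connection, which is the separation of concerns the report argues for.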