perf(api-keys): move from encrypted to hashed api key

GaloyMoney · Jan 12, 2024 · 471748e · 471748e
1 parent 16ab555
commit 471748e
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 8 deletions.
diff --git a/...c3e0d47b8795823a8676a7588e4ed9d03108.json → ...22456b1025b26b1d3ee5fcc4b51b16f59c4f.json b/...c3e0d47b8795823a8676a7588e4ed9d03108.json → ...22456b1025b26b1d3ee5fcc4b51b16f59c4f.json
diff --git a/...0dec28654d37c9812ddd7a6245cf26cf64ec.json → ...a94dc74d493856497ed2e4f6cd140d51eab8.json b/...0dec28654d37c9812ddd7a6245cf26cf64ec.json → ...a94dc74d493856497ed2e4f6cd140d51eab8.json
diff --git a/...pi-keys/.sqlx/query-89a4ce6e68b5a8ee259effe93c1cc4975977cf0220c7fad78e53c8ea6c08afce.json b/...pi-keys/.sqlx/query-89a4ce6e68b5a8ee259effe93c1cc4975977cf0220c7fad78e53c8ea6c08afce.json
diff --git a/core/api-keys/migrations/20240112183422_add_hashed_key_to_identity_api_keys.sql b/core/api-keys/migrations/20240112183422_add_hashed_key_to_identity_api_keys.sql
@@ -0,0 +1,2 @@
+ALTER TABLE identity_api_keys
+ADD COLUMN hashed_key BYTEA UNIQUE DEFAULT gen_random_bytes(256);
diff --git a/core/api-keys/src/identity/mod.rs b/core/api-keys/src/identity/mod.rs
@@ -67,8 +67,9 @@ impl Identities {
     ) -> Result<(IdentityApiKey, ApiKeySecret), IdentityError> {
         let code = Alphanumeric.sample_string(&mut rand::thread_rng(), 64);
         let record = sqlx::query!(
-            r#"INSERT INTO identity_api_keys (encrypted_key, identity_id, name, expires_at, read_only)
-            VALUES (crypt($1, gen_salt('bf')), $2, $3, $4, $5) RETURNING id, created_at"#,
+            r#"INSERT INTO identity_api_keys (hashed_key, encrypted_key, identity_id, name, expires_at, read_only)
+            VALUES (digest($1, 'sha256'), crypt($1, gen_salt('bf')), $2, $3, $4, $5)
+            RETURNING id, created_at"#,
             code,
             identity_id as IdentityId,
             name,
@@ -111,7 +112,7 @@ impl Identities {
                  FROM identities i
                  WHERE k.identity_id = i.id
                  AND k.revoked = false
-                 AND k.encrypted_key = crypt($1, k.encrypted_key)
+                 AND k.hashed_key = digest($1, 'sha256')
                  AND (k.expires_at > NOW() OR k.expires_at IS NULL)
                  RETURNING k.id, i.subject_id, k.read_only
                )
@@ -128,7 +129,33 @@ impl Identities {
                 record.read_only,
             ))
         } else {
-            Err(IdentityError::NoActiveKeyFound)
+            // look up by encrypted key and set hashed_key
+            let record = sqlx::query!(
+                r#"WITH updated_key AS (
+                 UPDATE identity_api_keys k
+                 SET last_used_at = NOW(), hashed_key = digest($1, 'sha256')
+                 FROM identities i
+                 WHERE k.identity_id = i.id
+                 AND k.revoked = false
+                 AND k.encrypted_key = crypt($1, k.encrypted_key)
+                 AND (k.expires_at > NOW() OR k.expires_at IS NULL)
+                 RETURNING k.id, i.subject_id, k.read_only
+               )
+               SELECT id, subject_id, read_only FROM updated_key"#,
+                code
+            )
+            .fetch_optional(&self.pool)
+            .await?;
+
+            if let Some(record) = record {
+                Ok((
+                    IdentityApiKeyId::from(record.id),
+                    record.subject_id,
+                    record.read_only,
+                ))
+            } else {
+                Err(IdentityError::NoActiveKeyFound)
+            }
         }
     }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		ALTER TABLE identity_api_keys
		ADD COLUMN hashed_key BYTEA UNIQUE DEFAULT gen_random_bytes(256);