Add API Token Cache #16547
Conversation
One of the issues holding back performance of the API is the problem of hashing. Whilst banning BASIC authentication with passwords will help, the API Token scheme still requires a PBKDF2 hash - which means that heavy API use (using Tokens) can still cause enormous numbers of hash computations.

A slight solution to this whilst we consider moving to using JWT based tokens and/or a session orientated solution is to simply cache the successful tokens. This has some security issues but this should be balanced by the security issues of load from hashing.

Related go-gitea#14668

Signed-off-by: Andrew Thornton <art27@cantab.net>
Codecov Report
@@ Coverage Diff @@
##             main   #16547   +/-   ##
=======================================
  Coverage   45.43%   45.43%
=======================================
  Files         749      749
  Lines       84441    84469   +28
=======================================
+ Hits        38368    38381   +13
- Misses      39900    39915   +15
  Partials     6173     6173
Continue to review full report at Codecov.
I think we should use a uniform cache infrastructure to do the cache. Previously, we have

This specific cache should only be in memory due to the sensitive nature of the content (API keys).

Yeah, Redis or memcache is also memory. And in fact, we have stored the session ID in Redis, which is also sensitive.

But this does not need to be shared between instances if we support such in the future, so this can be left as is.

This is also speed dependent. If we are hitting an external cache, be it in memory or otherwise, the performance increase will be lost and it would likely be quicker to just perform the hash yourself.

Btw, do tokens have an expiry time?

@zeripath Apologies for the imposition, but would it be possible to get this into the next 1.15 patch?