
Shortened admin key length (#10418)

refs #10156

- Updated ApiKey model to use shorter secrets for admin keys
Naz Gargol 2019-01-24 13:46:33 +00:00 committed by GitHub
parent 5fbad09a56
commit a0712d23e8
4 changed files with 28 additions and 8 deletions


@ -18,10 +18,10 @@ const {Role} = require('./role');
* ref: https://en.wikipedia.org/wiki/Birthday_problem#Approximations * ref: https://en.wikipedia.org/wiki/Birthday_problem#Approximations
* *
* 26 char hex string = 13 bytes * 26 char hex string = 13 bytes
* 512 bit JWT secret = 64 bytes * 64 char hex string JWT secret = 32 bytes
*/ */
const createSecret = (type) => { const createSecret = (type) => {
const bytes = type === 'content' ? 13 : 64; const bytes = type === 'content' ? 13 : 32;
return crypto.randomBytes(bytes).toString('hex'); return crypto.randomBytes(bytes).toString('hex');
}; };
@ -68,7 +68,7 @@ const ApiKey = ghostBookshelf.Model.extend({
} }
}, { }, {
refreshSecret(data, options) { refreshSecret(data, options) {
const secret = createSecret(); const secret = createSecret(data.type);
return this.edit(Object.assign({}, data, {secret}), options); return this.edit(Object.assign({}, data, {secret}), options);
} }
}); });
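Review bot: `createSecret` in the first hunk treats every argument other than `'content'` as an admin key, so `refreshSecret` in the second hunk, if handed a `data` object with no `type` or a misspelled one, silently issues a 32-byte secret instead of failing; the old no-argument call had the same fall-through, but now that the type is passed on purpose the unexpected case is worth rejecting, e.g. `if (type !== 'content' && type !== 'admin') {` / `throw new Error('Unknown api key type: ' + type);` / `}` at the top of `createSecret`. If callers outside this hunk rely on omitting the type, keep the admin default but state it in the comment above the function rather than leaving it implicit in the ternary. The `ghostBookshelf.Model.extend` call that contains `refreshSecret` starts and ends outside the hunk, so whether `data.type` is always populated by its callers cannot be confirmed from this view. Going by the updated comment, the secret appears to serve as a JWT signing key, and 32 bytes (256 bits) is still a full-size key for HMAC-SHA256, so the reduction itself looks sound.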


@ -57,7 +57,7 @@ describe('Integrations API', function () {
should.exist(id); should.exist(id);
should.equal(id, adminApiKey.id); should.equal(id, adminApiKey.id);
should.exist(secret); should.exist(secret);
secret.length.should.equal(128); secret.length.should.equal(64);
done(); done();
}); });


@ -7,11 +7,12 @@ describe('Unit: models/api_key', function () {
before(models.init); before(models.init);
describe('fn: refreshSecret', function () { describe('fn: refreshSecret', function () {
it('returns a call to edit passing a new secret', function () { it('returns a call to edit passing a new admin secret', function () {
const editStub = sinon.stub(models.ApiKey, 'edit').resolves(); const editStub = sinon.stub(models.ApiKey, 'edit').resolves();
const fakeData = { const fakeData = {
id: 'TREVOR' id: 'TREVOR',
type: 'admin'
}; };
const fakeOptions = {}; const fakeOptions = {};
@ -19,7 +20,26 @@ describe('Unit: models/api_key', function () {
should.equal(result, editStub.returnValues[0]); should.equal(result, editStub.returnValues[0]);
should.equal(editStub.args[0][0].id, 'TREVOR'); should.equal(editStub.args[0][0].id, 'TREVOR');
should.equal(editStub.args[0][0].secret.length, 128); should.equal(editStub.args[0][0].secret.length, 64);
should.equal(editStub.args[0][1], fakeOptions);
sinon.restore();
});
it('returns a call to edit passing a new content secret', function () {
const editStub = sinon.stub(models.ApiKey, 'edit').resolves();
const fakeData = {
id: 'TREVOR',
type: 'content'
};
const fakeOptions = {};
const result = models.ApiKey.refreshSecret(fakeData, fakeOptions);
should.equal(result, editStub.returnValues[0]);
should.equal(editStub.args[0][0].id, 'TREVOR');
should.equal(editStub.args[0][0].secret.length, 26);
should.equal(editStub.args[0][1], fakeOptions); should.equal(editStub.args[0][1], fakeOptions);
sinon.restore(); sinon.restore();


@ -386,7 +386,7 @@ DataGenerator.Content = {
{ {
id: ObjectId.generate(), id: ObjectId.generate(),
type: 'admin', type: 'admin',
secret: _.repeat('a', 128) secret: _.repeat('a', 64)
// integration_id: DataGenerator.Content.integrations[0].id // integration_id: DataGenerator.Content.integrations[0].id
}, },
{ {