cwinfo/powerdns-admin
5
0
Fork 0
mirror of https://github.com/cwinfo/powerdns-admin.git synced 2025-01-07 19:05:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Clarify salt re-use for API keys (#1037)

Browse Source
This commit is contained in:
zoeller-freinet 2021-11-09 21:09:15 +01:00 committed by GitHub
parent dd04a837bb
commit bfaf5655ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
powerdnsadmin/models/api_key.py
View File

@ -87,6 +87,15 @@ class ApiKey(db.Model):
else: else:
pw = self.plain_text_password pw = self.plain_text_password
# The salt value is currently re-used here intentionally because
# the implementation relies on just the API key's value itself
# for database lookup: ApiKey.is_validate() would have no way of
# discerning whether any given key is valid if bcrypt.gensalt()
# was used. As far as is known, this is fine as long as the
# value of new API keys is randomly generated in a
# cryptographically secure fashion, as this then makes
# expendable as an exception the otherwise vital protection of
# proper salting as provided by bcrypt.gensalt().
return bcrypt.hashpw(pw.encode('utf-8'), return bcrypt.hashpw(pw.encode('utf-8'),
current_app.config.get('SALT').encode('utf-8')) current_app.config.get('SALT').encode('utf-8'))