Conversation

@goralczyks
Collaborator

@goralczyks goralczyks commented Nov 7, 2025

📃 Ticket

#318, #319

✍ Description

  1. removed GET /api-token method
  2. token created with POST /api-token consists of 2 parts:
     • id
     • confidential secret (stored in DB as hash)
  3. user needs to provide both parts for verification as a single string in the format "id.secret": id is used to search for the user in the DB, secret is verified against the hash

@goralczyks goralczyks linked an issue Nov 7, 2025 that may be closed by this pull request
@github-actions github-actions bot added the feature Adding a new feature label Nov 7, 2025
@goralczyks goralczyks linked an issue Nov 7, 2025 that may be closed by this pull request
@github-actions github-actions bot added the test Adding or correcting existing tests label Nov 13, 2025
@codecov-commenter

codecov-commenter commented Nov 13, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

| Files with missing lines | Coverage Δ |
| --- | --- |
| backend/oqtopus_cloud/common/models/user.py | 100.00% <100.00%> (ø) |
| backend/oqtopus_cloud/user/routers/api_token.py | 100.00% <100.00%> (ø) |
| backend/oqtopus_cloud/user/schemas/api_token.py | 100.00% <100.00%> (ø) |

@goralczyks goralczyks marked this pull request as ready for review November 14, 2025 09:11
@shgokita
Contributor

shgokita commented Dec 5, 2025

Here are two points of feedback:

  • From a cryptographic strength perspective, please change the hash function from bcrypt to argon2id.
    Reference: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

  • Regarding the GET /api-token API, I had planned to remove it, but since we want to retain the functionality to retrieve the expiration date, could you modify it to only return the expiration date as GET /api-token/status?
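
The `id.secret` scheme from the pull request description, sketched as an added example that is not the project's own code. `TOKEN_DB`, `create_token`, `verify_token` and the scrypt parameters are assumptions, and scrypt from the Python standard library stands in for the bcrypt/argon2id hash discussed in the review so that the block runs without third-party packages.

```python
import hashlib
import hmac
import secrets

# Assumption: scrypt (standard library) stands in for the bcrypt/argon2id hash
# discussed in the thread; the parameters below are illustrative.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)

# Hypothetical in-memory stand-in for the token table: id -> (salt, secret hash).
TOKEN_DB = {}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT)


def create_token() -> str:
    """Issue a token; only the id, the salt and the hash of the secret are stored."""
    token_id = secrets.token_hex(8)       # non-secret lookup key
    secret = secrets.token_urlsafe(32)    # 256 random bits, returned to the user once
    salt = secrets.token_bytes(16)
    TOKEN_DB[token_id] = (salt, _hash_secret(secret, salt))
    return f"{token_id}.{secret}"


# Dummy record so an unknown id costs the same hash computation as a known one.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_secret(secrets.token_urlsafe(32), _DUMMY_SALT)


def verify_token(presented: str):
    """Return the token id if the 'id.secret' string is valid, otherwise None."""
    token_id, sep, secret = presented.partition(".")
    if not sep or not token_id or not secret:
        return None                       # malformed: one of the two parts is missing
    salt, stored = TOKEN_DB.get(token_id, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_secret(secret, salt)
    ok = hmac.compare_digest(candidate, stored)   # constant-time comparison
    return token_id if ok and token_id in TOKEN_DB else None
```

Because the full token is returned only by `create_token`, a leaked copy of the table yields ids, salts and hashes but no usable credential.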

Development

Successfully merging this pull request may close these issues.

  • [Feature Request]: Implement Secure API Key Storage with Hashing
  • [Feature Request]: Enhance API Key Length to 128+ bits
