[docs] Explain concepts and cryptography for API key construction #1065
Comments
Good point, we should expand the docs! Before we do, what do you mean by "wrapped" data? And regarding this:
Yes, they could, and we are working to migrate towards preventing this, but a malicious customer could also take that same key and just spam requests against your API endpoint, which would result in the same outcome. Other than requiring a 2nd factor (apiId or ideally root key), we're also building out a system to detect abuse to alert you, and you can disable the key manually or potentially automatically.
I was referring to the phrase "unwrap the data" somewhere in the documentation, which might be misleading, because it suggests that the associated metadata including owner and role are somehow encoded in the data?
My API is under my control and I could easily take precautions against such actions, like first level rate limitation, exponential time penalties, firewall blocking etc.
Type of documentation issue
Missing Information
Describe the problem and the proposed solution
Unkey is great software that fills a need!
I've read the current docs, and they are pretty comprehensive when it comes to usage. But for the security architecture I only see the statement that API keys are checked using their hashes. Without digging into the source code, I can't answer fundamental questions like:
Related questions are:
I noted that keys can be unwrapped by anyone without authentication using the public unkey API (which also seems to count against the API call limits, so a malicious customer could easily consume the API calls in an endless while-curl-loop, but that's a different topic). Due to this fact, I assume that wrapped data is considered public. That's however important, as the data can be used for authorization and should then not contain data which should not be visible to end users.
Just my two cents: I think a little cryptography, like real root keys and signing in the cryptographic sense, could make the whole architecture more robust and secure. But for judging, I'd need to understand the very basics asked here.