dependency-track icon indicating copy to clipboard operation
dependency-track copied to clipboard
verified publisher icon DependencyTrack

Improved and more secure API Key handling

Open rkg-mm opened this issue 2 years ago • 5 comments

Current Behavior

Each team gets an API key automatically. All API keys are visible for admins in the web interface (therefore must be stored somewhere in plaintext or only encrypted to be revertable).

Proposed Behavior

  1. By default a Team should not have API keys
  2. It shall be able to generate API keys by admins, ideally with an additional comment or name, to document the purpose
  3. API keys should not be visible in plain text except once after generation
  4. API keys should be stored as a secret with proper one-way hashing (basically it's a secret and must be handled like one!)
  5. We should consider improving the API key length or at least characters, not sure about best practices but most other systems I know use larger keys
  6. (Ideally) Creation Date and Last usage date should be shown next to the API key for the admin to be able to clear up
  7. Also consider #2543

Checklist

rkg-mm avatar Mar 02 '23 14:03 rkg-mm

I agree these improvements are welcome/needed, but probably should be moved to https://github.com/stevespringett/Alpine ?

valentijnscholten avatar Mar 07 '23 16:03 valentijnscholten

If this is part of the alpine framework, then yes :D

rkg-mm avatar Mar 07 '23 20:03 rkg-mm

Alpine doesn't automatically create API keys for teams, it's parametrized: https://github.com/stevespringett/Alpine/blob/master/alpine-infra/src/main/java/alpine/persistence/AlpineQueryManager.java#L559

Dependency-Track invokes the inherited AlpineQueryManager#createTeam method with the "true" parameter which generates the API key: https://github.com/DependencyTrack/dependency-track/blob/master/src/main/java/org/dependencytrack/resources/v1/TeamResource.java#L135

The simplest fix would be changing true to false.

mprencipe avatar Mar 21 '24 09:03 mprencipe

@mprencipe That sounds like a sensible thing to do. Do you fancy raising a PR for this?

@rkg-mm:

  1. It shall be able to generate API keys by admins, ideally with an additional comment or name, to document the purpose

Comments to document the purpose is coming in v4.11, as per https://github.com/DependencyTrack/frontend/pull/768.

  1. (Ideally) Creation Date and Last usage date should be shown next to the API key for the admin to be able to clear up

Timestamps to track creation and "last used" timestamps are coming in v4.11, as per https://github.com/DependencyTrack/frontend/pull/768.

  1. Also consider https://github.com/DependencyTrack/dependency-track/issues/2543

This was shipped in v4.9.

nscuro avatar Mar 21 '24 09:03 nscuro

Sure, I can raise a PR.

mprencipe avatar Mar 21 '24 11:03 mprencipe