liza/conf at 2d1582059f5c7248111218bb3990e50b1d3ef81e - liza

employer

liza

History

Mike Gerwitz 6733556582 Remove hard-coded skey This wasn't intended to make its way into a public repo. :) The existing key was a long-forgotten kluge that was supposed to be temporary, allowing internal services to create quotes without authentication. The chances of this being practically exploited are minimal in our environment, and it's auditable using webserver logs. This moves the skey into a configuration file, which allows it to vary by server and be rotated until a better solution is made available. skey is disabled by default (empty string), and when used by us internally, the keys are now generated using a CSPRNG rather than a brute-forcable 5-byte key that was hard-coded. The fact that this appears in webserver logs is a big issue as well. I added a task to address that. * conf/vanilla-server.json (skey): New key. Default empty. * src/server/daemon/Daemon.js (start): Provide skey to `#getRouters'. (getRouters): Provide skey to `#getProgramController'. (getProgramController): Set skey on `controller'. * src/server/daemon/controller.js (skey): New mutable export (unideal; quick change). (has_skey): Use it.	2018-04-03 15:29:47 -04:00
..
vanilla-server.json	Remove hard-coded skey	2018-04-03 15:29:47 -04:00

Mike Gerwitz 6733556582 Remove hard-coded skey

This wasn't intended to make its way into a public repo. :)

The existing key was a long-forgotten kluge that was supposed to be
temporary, allowing internal services to create quotes without
authentication.  The chances of this being practically exploited are minimal
in our environment, and it's auditable using webserver logs.

This moves the skey into a configuration file, which allows it to vary by
server and be rotated until a better solution is made available.  skey is
disabled by default (empty string), and when used by us internally, the keys
are now generated using a CSPRNG rather than a brute-forcable 5-byte key
that was hard-coded.

The fact that this appears in webserver logs is a big issue as well.  I
added a task to address that.

* conf/vanilla-server.json (skey): New key.  Default empty.
* src/server/daemon/Daemon.js (start): Provide skey to `#getRouters'.
  (getRouters): Provide skey to `#getProgramController'.
  (getProgramController): Set skey on `controller'.
* src/server/daemon/controller.js (skey): New mutable export (unideal; quick
    change).
  (has_skey): Use it.

2018-04-03 15:29:47 -04:00

vanilla-server.json

Remove hard-coded skey

2018-04-03 15:29:47 -04:00