Download & Extend
Services » Issues

Wrong usage of API key as secret key

Posted by PieterDC on January 11, 2009 at 2:27pm
Project:Services
Version:6.x-2.x-dev
Component:Code
Category:feature request
Priority:normal
Assigned:Unassigned
Status:closed (won't fix)

Issue Summary

See Proposition for a new services module's API key security model to read what's wrong with the current API key and domain name usage in generating the hash, etc.

If you apply the patch (and execute update.php):
* the domain name won't be used as hash parameter any more
* the API key will be used as public key
* a secret will be used as shared, private key
* you will be able to link a Drupal user to an API key. he/she will then be able to see (and regenerate) his/her secret.
* the service browser will continue to work as intended

AttachmentSizeStatusTest resultOperations
20090111_services6.x-0.13_key_secret.patch14.55 KBIgnored: Check issue status.NoneNone
20090111_services6.x-0.13_key_secret.png32.3 KBIgnored: Check issue status.NoneNone
Login or register to post comments

Comments

#1

Posted by marcingy on January 11, 2009 at 6:08pm
Assigned to:Anonymous» marcingy

#2

Posted by PGiro on March 7, 2009 at 2:43pm

subscribe, looks good to me for smartphone apps where user accounts will require keys

#3

Posted by MattKelly on March 7, 2009 at 6:05pm

This is the right step, but not bullet proof. Clients that can be decompiled (the majority of the use, it seems--Flash) are still threats. See this for more info: http://groups.drupal.org/node/17578#comment-68329

#4

Posted by PGiro on March 9, 2009 at 8:35am

@MattKelly : see my reply, you need to assign a different key/secret to each user; not to assign a key/secret to your application !

#5

Posted by PieterDC on July 15, 2009 at 9:48am

@MattKelly: nothing is bullet proof. The only thing we can aim for is to make things harder for abusers. If flash files contain passwords/keys, that's a problem for the flash architecture, not the services server. Maybe it's possible to store that sensitive data outside the flash file on a more secure place? But this question is a little off-topic here.

#6

Posted by heyrocker on December 4, 2009 at 4:15am
Status:needs review» postponed

This issue is very old obviously but it is worthy of consideration and I'm trying to clean out the queue before finally doing a stable release before year's end.

The problem with this patch it is going to break the vast majority of implementations out there since the vast majority of implementations use the current API key structure, and that's not really something I can do midstream. The current implementation has been vetted by the security team which is enough for me.

That said, I'd love a more robust key something and I think it's something we can tackle for D7 and possibly a 3.x branch of D6. So I'm marking this as postponed for future consideration. Thanks for the patch it is appreciated.

#7

Posted by yajnin on March 11, 2010 at 9:40pm

sub

#8

Posted by marcingy on March 11, 2010 at 10:09pm
Version:6.x-0.13» 6.x-2.x-dev
Assigned to:marcingy» Anonymous

Bumping version but to be honest I'm actually thinking it will be a case of won't fix.

#9

Posted by swati_patel_8497 on September 17, 2010 at 8:33am

#10

Posted by marcingy on May 3, 2010 at 2:42pm

Please do not post on threads issues that are not related to original issue.

#11

Posted by kylebrowning on December 11, 2010 at 6:04pm
Status:postponed» closed (won't fix)

It is a case of wont fix since key_auth is going by by is 3.x and were no longer currentl working on 2.x

nobody click here