github/MIND
1
1
Fork 0
mirror of https://github.com/Casvt/MIND.git synced 2026-02-19 11:54:46 -05:00
Code Issues Packages Projects Releases Wiki Activity

Changed generation and hashing of API keys

Browse Source 
Moved from generating API keys using os.urandom to secrets.token_hex. Moved from hashing the keys using stdlib.hash to hashlib.sha256.
This commit is contained in:
CasVT
2025-08-26 00:50:46 +02:00
parent 42891f5f32
commit b68284530b
2 changed files with 11 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
backend/base/definitions.py
View File

@@ -54,6 +54,7 @@ class Constants:
API_PREFIX = "/api"
ADMIN_API_EXTENSION = "/admin"
ADMIN_PREFIX = API_PREFIX + ADMIN_API_EXTENSION
API_KEY_LENGTH = 32 # hexadecimal characters
DB_FOLDER = ("db",)
DB_NAME = "MIND.db"

17
frontend/api.py
View File

@@ -1,9 +1,11 @@
# -*- coding: utf-8 -*-
from datetime import datetime
from hashlib import sha256
from io import BytesIO, StringIO
from os import remove, urandom
from os import remove
from os.path import basename, exists
from secrets import token_hex
from time import time as epoch_time
from typing import Any, Dict
@@ -48,7 +50,7 @@ from frontend.input_validation import (AboutData, AuthLoginData,
# region Auth and input
users = Users()
api_key_map: Dict[int, ApiKeyEntry] = {}
api_key_map: Dict[str, ApiKeyEntry] = {}
def auth() -> None:
@@ -59,7 +61,7 @@ def auth() -> None:
APIKeyExpired: The api key supplied has expired.
"""
api_key = request.values.get('api_key', '')
hashed_api_key = hash(api_key)
hashed_api_key = sha256(api_key.encode('utf-8')).hexdigest()
if hashed_api_key not in api_key_map:
raise APIKeyInvalid(api_key)
@@ -123,11 +125,12 @@ def api_login():
StartTypeHandlers.diffuse_timer(StartType.RESTART_DB_CHANGES)
StartTypeHandlers.diffuse_timer(StartType.RESTART_HOSTING_CHANGES)
# Generate an API key until one
# is generated that isn't used already
# Generate an API key until one is generated that isn't used already
while True:
api_key = urandom(16).hex() # <- length api key / 2
hashed_api_key = hash(api_key)
# Each byte is represented by two hexadecimal characters, so halve
# the desired amount of bytes.
api_key = token_hex(Constants.API_KEY_LENGTH // 2)
hashed_api_key = sha256(api_key.encode('utf-8')).hexdigest()
if hashed_api_key not in api_key_map:
break