Closed
Bug 1216241
Opened 9 years ago
Closed 8 years ago
Show API secret only once.
Categories
(addons.mozilla.org Graveyard :: API, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: nolski, Assigned: kumar)
For security purposes, let's only show the API secret to the user upon generation and store a hash in our database for authentication.
Reporter
Updated•9 years ago
Assignee: nobody → me
Comment 1•9 years ago
I don't think we can store a hash of the secret because we need the original value to verify the signature. I was originally thinking the same thing but I think the best we could do is encrypt it. Another thought I had was to hash the key instead of the secret which would prevent gaining access to all accounts if the whole table was compromised but that wouldn't help if you knew the key you wanted to attack. Probably best to get security to weigh in on how to securely store this stuff. Encryption seems like our best bet but it's also the most work.
Assignee
Comment 2•9 years ago
Yes, the secret cannot be hashed because the signature needs access to it. The secret is already encrypted in the database so hiding it from the UI won't require any additional backend work.
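The point made in comments 1 and 2, as an added example that is not part of the bug thread or the project's code: it assumes the request signature is an HMAC-SHA256 over the request (the thread does not name the algorithm), and `CredentialStore`, `HashedSecretStore`, `key_index` and the sample request are hypothetical. It shows the secret being returned once at creation, rows indexed by a hash of the key, and verification failing when only a hash of the secret is kept.

```python
import hashlib
import hmac
import secrets

def sign(secret: bytes, message: bytes) -> str:
    """Client side: MAC the request with the raw API secret (HMAC assumed)."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def key_index(key: str) -> str:
    """Comment 1's idea: index rows by a hash of the key, not the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()

class CredentialStore:
    """Hypothetical server table. The secret stays recoverable; the real
    system encrypts it at rest, this sketch just keeps it in memory."""

    def __init__(self):
        self._rows = {}

    def _persist(self, secret: bytes) -> bytes:
        return secret

    def create(self):
        key, secret = "user:" + secrets.token_hex(4), secrets.token_bytes(32)
        self._rows[key_index(key)] = self._persist(secret)
        return key, secret  # the only time the secret is shown

    def verify(self, key: str, message: bytes, signature: str) -> bool:
        stored = self._rows.get(key_index(key))
        if stored is None:
            return False
        # The server must recompute the MAC, so it needs the signing secret.
        return hmac.compare_digest(sign(stored, message), signature)

class HashedSecretStore(CredentialStore):
    """The description's proposal: persist only a hash of the secret."""
    def _persist(self, secret: bytes) -> bytes:
        return hashlib.sha256(secret).digest()

def demo():
    message = b"PUT /example/resource"  # constructed sample request
    outcome = {}
    for store in (CredentialStore(), HashedSecretStore()):
        key, secret = store.create()
        outcome[type(store).__name__] = store.verify(key, message, sign(secret, message))
    return outcome
```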
Assignee
Updated•9 years ago
Assignee: me → kumar.mcmillan
Assignee
Comment 3•9 years ago
The UX needs to be very clear on key creation that the secret will never be seen again.
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Assignee
Comment 4•8 years ago
This did not get moved to GitHub during the triage.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX