fix(authn): make hashing/encryption keys used to secure cookies (#2536)

fix(authn): configurable hashing/encryption keys used to secure cookies

If they are not configured zot will generate a random hashing key at startup,
invalidating all cookies if zot is restarted. closes: #2526

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
peusebiu
2024-08-13 01:11:53 +03:00
committed by GitHub
parent 17dbb56ea1
commit b461619682
11 changed files with 219 additions and 71 deletions
@@ -370,6 +370,36 @@ Using that cookie on subsequent calls will authenticate them, asumming the cooki
In case of using filesystem storage sessions are saved in zot's root directory.
In case of using cloud storage sessions are saved in memory.
### Securing session based login
In order to secure session cookies used in session based authentication process you need to set the path to a file containg keys used to hash and encrypt the cookies:
`sessionKeysFile`
```
"auth": {
"htpasswd": {
"path": "test/data/htpasswd"
},
"sessionKeysFile": "/home/user/keys",
"apikey": true,
}
```
```
user@host:~/zot$ cat ../keys | jq
{
"hashKey": "my-very-secret",
"encryptKey": "another-secret"
}
```
- hashKey - used to authenticate the cookie value using HMAC. It is recommended to use a key with exactly 32 or 64 bytes.
- encryptKey - this is optional, used to encrypt the cookie value. If set, the length must correspond to the block size of the encryption algorithm. For AES, used by default, valid lengths are 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
If at least hashKey is not set zot will create a random one which on zot restarts it will invalidate all currently valid cookies and their sessions, requiring all users to login again.
#### API keys
zot allows authentication for REST API calls using your API key as an alternative to your password.
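Review bot: the sample keys file in this hunk contradicts the length guidance given two lines below it: "my-very-secret" and "another-secret" are 14 bytes each, so the hashKey is neither 32 nor 64 bytes and the encryptKey is not a valid AES key size (16, 24 or 32 bytes); a reader who copies the sample gets a non-working or weak configuration. Use keys of the documented lengths in the sample, and state whether the JSON strings are used as raw bytes or decoded (e.g. base64) before the length check, since the reader cannot tell from the text. Three smaller fixes in the same hunk: the config snippet has a trailing comma after `"apikey": true,` and is not valid JSON; the `cat ../keys` example does not match the `/home/user/keys` path configured above it; and "asumming" and "containg" should read "assuming" and "containing". It would also be worth one sentence on protecting the file (owner-only permissions), since anyone who can read hashKey can mint valid session cookies.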
@@ -13,6 +13,7 @@
"htpasswd": {
"path": "test/data/htpasswd"
},
"sessionKeysFile": "examples/sessionKeys.json",
"apikey": true,
"openid": {
"providers": {
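Review bot: the example config now points `sessionKeysFile` at a key file committed to the repository (`examples/sessionKeys.json`), so anyone who starts from this config without editing it runs with publicly known cookie keys and, per the README change in this PR, any holder of those keys can forge authenticated session cookies. Add a comment or README note next to this line saying the example keys are for local testing only and must be regenerated for any real deployment; note also that a relative path like `examples/sessionKeys.json` resolves against the working directory, which is worth stating so the setting does not silently fail to load when zot is started from elsewhere.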
@@ -0,0 +1,4 @@
{
"hashKey": "3lrioGLGO2RfG9Y7HQGgWa3ayBjMLw2auMXqEWcSXjQKc9SoQ3fKTIbO+toPYa7e",
"encryptKey": "KOzt01JrDz2uC//UBC5ZikxQw4owfmI8"
}
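Review bot: these two values (64 and 32 characters) match the documented lengths only if zot uses the strings as raw bytes; if they are base64-decoded, as their alphabet suggests, they become 48 and 24 bytes, which is not the "exactly 32 or 64" the README recommends for hashKey. State the expected encoding in the README and make this example consistent with it. Because this file is now a public, checked-in secret, consider generating a fresh key pair in the test or example setup instead of shipping fixed values, or at minimum add a leading note (a sibling README line or file name such as `sessionKeys.example.json`) making clear it must never be reused as-is.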