Dear all,
@Josh
I have found a bug in the Tyk key verification in my test case.
I created one API (TestOauth-key1) whose Authentication mode is "Auth Token", then created an API key and added my API (TestOauth-key1) to its Access Rights. The generated key value is: 5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711
case 1: use the correct key to request API data:
curl -X GET -H 'Authorization: 5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711' -i 'http://10.4.2.98:8080/testoauth-key1'
Response successful, 200.
case 2: change the key value by adding 3 digits at the end; the value is: 5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711389
then request the API (testoauth-key1) data as:
[root@localhost ~]# curl -X GET -H 'Authorization: 5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711389' -i 'http://10.4.2.98:8080/testoauth-key1'
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Length: 342
Content-Type: application/json
Date: Fri, 07 Dec 2018 04:29:17 GMT
Server: gunicorn/19.9.0
Via: 1.1 vegur
X-Ratelimit-Limit: -1
X-Ratelimit-Remaining: -1
X-Ratelimit-Reset: 1544156500
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Authorization": "5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711389",
    "Connection": "close",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.29.0"
  },
  "origin": "10.4.2.98, 113.116.23.35",
  "url": "http://httpbin.org/get"
}
This is a bug in the key value verification when requesting API data. I want to know which mechanism you use to verify the key? This mechanism is currently vulnerable and is not safe for our API data.
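For reference, the behaviour the report expects from an auth-token check is an exact, full-length match of the presented key. The following is an added illustration and regression test, not Tyk's code: it assumes a constructed key store holding only the key from the report (stored as a SHA-256 digest) and a constructed 403 status for a rejected key, and checks that the key with "389" appended is refused.

```python
"""Added illustration (not Tyk's code): strict, exact-match verification of an
API key presented in the Authorization header, using the two requests from the
report above as a regression test."""
import hashlib
import hmac

# Constructed key store: the only valid key is the one issued in the report.
# Keys are stored as SHA-256 digests of the full key string (an assumption
# for this illustration, not Tyk's storage format).
ISSUED_KEY = "5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711"
KEY_STORE = {
    hashlib.sha256(ISSUED_KEY.encode()).hexdigest(): {"api": "testoauth-key1"},
}


def lookup_key(presented: str):
    """Return the key record only for an exact, full-length match.

    Hashing the whole presented value means that appending or dropping even
    one character yields a different digest, so a prefix of a valid key (or
    a valid key with trailing characters) can never match a stored entry.
    compare_digest keeps the comparison constant-time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored_digest, record in KEY_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            return record
    return None


def authorize(headers: dict, api: str) -> int:
    """Mimic the gateway decision for one request: 200 when the header holds
    a valid key with access to `api`, otherwise 403 (constructed policy)."""
    presented = headers.get("Authorization", "").strip()
    record = lookup_key(presented)
    if record is None or record["api"] != api:
        return 403
    return 200
```

Case 1 of the report (the issued key) must yield 200 and case 2 (the key plus "389") must yield 403; a truncated key is rejected the same way.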