April 19, 2018, 5:13pm
We have an API Key associated with a API Definition by the Keys Access Control list, and Authentication by token turned on.
We can access this API with the Key as expected. HOWEVER, we can also access this API using any Authorization value that has 3 characters or less.
Obviously this is a concern. Including API Def
See the Authorization Header?
The same request with 4 charactors
Here is the Auth section of API dev
Any help or guidance here?
Hi, thanks for reporting this, which gateway version are you using?
April 19, 2018, 7:06pm
We are using 2.3.5 and have 2.6.0 in some environments. We are seeing this in both.
April 19, 2018, 7:09pm
If it helps, we are in configured in Hashed Key mode
Thank you for raising the issue - we believe this is down to our hashing algorithm and we actively working to fix it.
There are a few mitigating factors worth considering:
This does not affect our cloud our hybrid environment
This does not affect environments that are not using key hashing
We believe it only affects environments that are sparsely populated - I.e have few keys issued
For new installations: the workaround is to disable key hashing in the Tyk.conf
Alternatively - generating several dummy keys (doing so with a separate organisation would be better) should also suffice.
We’ll post more information here as we investigate.
June 5, 2018, 1:48pm
Quick update for you that a fix for the 3 character key bug was pushed today with further enhancements and refinements to our key auth system coming in upcoming releases. Please see our release notes here:
Gateway 2.6.2, Dashboard 1.6.2, Pump 0.5.3, MDCB 1.5.4 for more details.