Imported Google Group message.
Date: Thursday, 19 March 2015 19:55:06 UTC
I've added this to the roadmap for the next version of Tyk (1.6), as it's a valid issue considering how these keys need to be secure.
However, and this is a bit annoying I guess, the new portal feature we are adding allows devs to self-serve API keys, and in their dashboard they get to see their usage graphs. The keys that are generated here are stored alongside the developer profile in Mongo and are not hashed (we need them for the analytics lookups as well as some ownership tests).
This poses a dilemma: we close a potential security hole in the gateway only for it to still exist in the portal and dashboard, since if the database is breached then there's a treasure trove of key data to be exploited.
API keys are also stored alongside analytics data; this would need to be changed to use the hashed representation. Then the hashed key can be stored alongside the developer profile, which would make analytics work for the portal.
In the dashboard, API key rankings (biggest users, etc.) wouldn't be possible, as only the hashed key would be available to the admin.
Overall it's quite a large bit of work to make all the components behave properly, but it's key to securing the solution, so I'm quite eager to solve it.
Any input would be appreciated.
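The design the post describes, where the gateway, portal and analytics store all key on the hashed representation and the raw key is handed to the developer exactly once, sketched as an added Go example. This is not Tyk's code or schema; the in-memory `store`, the record types, and the `Authenticate`/`RecordHit`/`TopKeys` functions are constructed for illustration, and the unsalted SHA-256 is chosen because the keys are 256-bit random tokens rather than user-chosen secrets.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// keyRecord is what the portal would persist beside the developer profile:
// the hash of the key and its owner, never the raw key. (Constructed for
// this example; not Tyk's actual schema.)
type keyRecord struct {
	KeyHash   string
	Developer string
}

// analyticsRecord is one usage event, keyed by hash only.
type analyticsRecord struct {
	KeyHash string
	Path    string
}

// store stands in for the Mongo collections mentioned in the post.
type store struct {
	keys      map[string]keyRecord // KeyHash -> owner record
	analytics []analyticsRecord
}

func newStore() *store { return &store{keys: map[string]keyRecord{}} }

// HashKey derives the at-rest representation. Keys are 256-bit random
// tokens, so an unsalted SHA-256 is enough (nothing to dictionary-attack)
// and stays deterministic, which lets the hash serve as the lookup key.
func HashKey(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// IssueKey generates a key, stores only its hash, and returns the raw key
// exactly once so the portal can show it to the developer.
func (s *store) IssueKey(developer string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	raw := hex.EncodeToString(b)
	h := HashKey(raw)
	s.keys[h] = keyRecord{KeyHash: h, Developer: developer}
	return raw, nil
}

// Authenticate resolves a presented key to its owner through the hash; the
// same lookup doubles as the ownership test since the record names the owner.
func (s *store) Authenticate(raw string) (string, bool) {
	rec, ok := s.keys[HashKey(raw)]
	return rec.Developer, ok
}

// RecordHit stores the analytics event under the hash, so the analytics
// collection never holds raw keys either.
func (s *store) RecordHit(raw, path string) {
	s.analytics = append(s.analytics, analyticsRecord{KeyHash: HashKey(raw), Path: path})
}

// UsageForDeveloper is the portal's usage-graph query: join analytics to the
// developer profile on the hash.
func (s *store) UsageForDeveloper(developer string) int {
	n := 0
	for _, a := range s.analytics {
		if rec, ok := s.keys[a.KeyHash]; ok && rec.Developer == developer {
			n++
		}
	}
	return n
}

// Ranked is one row of an admin "biggest users" view: a hash prefix and the
// owning developer, with the key itself never available to the admin.
type Ranked struct {
	HashPrefix string
	Developer  string
	Hits       int
}

// TopKeys ranks keys by hit count using only hashed identifiers.
func (s *store) TopKeys(limit int) []Ranked {
	counts := map[string]int{}
	for _, a := range s.analytics {
		counts[a.KeyHash]++
	}
	var out []Ranked
	for h, n := range counts {
		out = append(out, Ranked{HashPrefix: h[:8], Developer: s.keys[h].Developer, Hits: n})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Hits > out[j].Hits })
	if len(out) > limit {
		out = out[:limit]
	}
	return out
}

func main() {
	s := newStore()
	raw, err := s.IssueKey("alice") // "alice" is a constructed developer id
	if err != nil {
		panic(err)
	}
	s.RecordHit(raw, "/orders")
	owner, ok := s.Authenticate(raw)
	fmt.Println(owner, ok, s.UsageForDeveloper("alice"), s.TopKeys(1))
}
```

The point of the example is the data flow: after `IssueKey` returns, no component holds the raw key, so a dump of either the profile collection or the analytics collection yields only hashes. Because the hash is deterministic, the gateway, the portal's usage graphs and the ownership check all join on the same value without needing the key back.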
You received this message because you are subscribed to the Google Groups "Tyk Community Support" group.
To view this discussion on the web, visit https://groups.google.com/d/msgid/tyk-community-support/f568cc5f-e993-413e-b085-afcc33c479d4%40googlegroups.com.