push monitor: increase token security #912

Open
andreasbrett wants to merge 1 commit from andreasbrett/securepush into master
andreasbrett commented 3 years ago (Migrated from github.com)
Owner

Description

As push monitor tokens are not short-lived, I propose to raise their length from 10 to 32.

There are no best practices or RFCs recommending specific web token lengths, but 10 chars seems unnecessarily short. Calculation times for a 32-char token are super fast, and tokens are mostly set-and-forget strings that won't be typed in by hand but rather copy & pasted.

Additionally, it should be easier to rotate them (think enterprise policies requiring credentials to be regularly changed/rotated). Therefore I added a "Reset Token" button in the "Edit Monitor" dialog. This also allows users with existing push monitors to upgrade their tokens easily.

This is a non-breaking change, but if released, the release notes should advise resetting the token (not a MUST though).

Type of change

Please delete options that are not relevant.

  • New feature (non-breaking change which adds functionality)

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I ran ESLint and other linters for modified files
  • [x] I have performed a self-review of my own code and tested it
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] My changes generate no new warnings
  • [ ] My code needed automated testing. I have added them (this is an optional task)

Screenshots (if any)

![image](https://user-images.githubusercontent.com/6610451/141353445-a214d7c3-8523-402e-a16d-d984bd4da41b.png)
