discourse/spec/components/auth
Osama Sayegh 70fa67a9e1
FIX: Don't leak unhashed user API keys to redis (#14682)
User API keys (not the same thing as admin API keys) are currently
leaked to redis when rate limits are applied to them since redis is the
backend for rate limits in Discourse and the API keys are included in
the redis keys that are used to track usage of user API keys in the last
24 hours.

This commit stops the leak by using a SHA-256 representation of the user
API key instead of the key itself to form the redis key.

We don't need to manually delete the existing redis keys that contain
unhashed user API keys because they're not long-lived and will be
automatically deleted within 48 hours after this commit is deployed to
your Discourse instance.
2021-10-21 19:43:26 +03:00
..
default_current_user_provider_spec.rb FIX: Don't leak unhashed user API keys to redis (#14682) 2021-10-21 19:43:26 +03:00
discord_authenticator_spec.rb
facebook_authenticator_spec.rb
github_authenticator_spec.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
google_oauth2_authenticator_spec.rb
managed_authenticator_spec.rb FIX: Handle empty email address from authentication provider (#12046) 2021-02-11 16:26:43 +00:00
twitter_authenticator_spec.rb