Skip to content

[public-api] Generate & Parse Personal Access Tokens #14806

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 21, 2022
Merged

[public-api] Generate & Parse Personal Access Tokens #14806

merged 1 commit into from
Nov 21, 2022

Conversation

easyCZ
Copy link
Member

@easyCZ easyCZ commented Nov 20, 2022
edited
Loading

Description

Introduces generation & validation of Personal Access Tokens (PAT).

A PAT is used as a stand-in for a user, inheriting their identity.

A PAT looks like gitpod_pat_ko8KC1tJ-GkqIwqNliwF4tBUk2Jd5nEe9qOWqYfobtY.6ZDQVanpaTKj9hQuji0thCe8KFCcmEDGpsaTkSSb (this is a random token, not having access to anything).

It is composed out of the following:

  • Prefix gitpod_pat_
  • Signature ko8KC1tJ-GkqIwqNliwF4tBUk2Jd5nEe9qOWqYfobtY
  • Value 6ZDQVanpaTKj9hQuji0thCe8KFCcmEDGpsaTkSSb

A PAT has the following cryptographic properties:

  • Signature is an HS256 signature (HMAC with SHA-256), Raw Base64 URL encoded
  • Value is a random value with 172 bits of entropy
  • Prefix can be used for code-scanning

The signature generation requires a secret key.

When validating a token, we do the following:

  • Sanity check format
  • Extract value and signature
  • Use the signer to sign the value, encode to base64
  • compare against provided signature, fail if they do not match.

The reason for including a signature is to fail-early when tokens which are not issued by gitpod are received on the API. This acts as a defence for Auth DDoS and amplification attacks.

Related Issue(s)

How to test

Unit tests

Release Notes

NONE

Documentation

Werft options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

@gitguardian
Copy link

gitguardian bot commented Nov 21, 2022
edited
Loading

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
Once a secret has been leaked into a git repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

Our GitHub checks need improvements? Share your feedbacks!

@roboquat roboquat added size/XL and removed size/L labels Nov 21, 2022
@easyCZ easyCZ force-pushed the mp/papi-generate-pat branch from 510cbaa to 54a1588 Compare November 21, 2022 11:09
@easyCZ easyCZ force-pushed the mp/papi-generate-pat branch from 54a1588 to b235292 Compare November 21, 2022 11:17
@easyCZ easyCZ marked this pull request as ready for review November 21, 2022 11:18
@easyCZ easyCZ requested a review from a team November 21, 2022 11:18
@github-actions github-actions bot added the team: webapp Issue belongs to the WebApp team label Nov 21, 2022
@laushinka
Copy link
Contributor

laushinka commented Nov 21, 2022
edited
Loading

Thanks for documenting this really well! 💪🏼

laushinka
laushinka approved these changes Nov 21, 2022
View reviewed changes
Copy link
Contributor

@laushinka laushinka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving and holding because the useful examples are not liked by gitguardian[1].

/hold

@easyCZ
Copy link
Member Author

easyCZ commented Nov 21, 2022

Approving and holding because the useful examples are not liked by gitguardian[1].

I've resolved it in GitGuardian as a test token.

@roboquat roboquat merged commit d17e2d6 into main Nov 21, 2022
@roboquat roboquat deleted the mp/papi-generate-pat branch November 21, 2022 12:06
@roboquat roboquat added deployed: webapp Meta team change is running in production deployed Change is completely running in production labels Nov 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laushinka laushinka laushinka approved these changes

Assignees
No one assigned
Labels
deployed: webapp Meta team change is running in production deployed Change is completely running in production release-note-none size/XL team: webapp Issue belongs to the WebApp team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@easyCZ @laushinka @roboquat