Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement "Soft Delete" for API Keys #106

Closed
3 tasks done
nelsonic opened this issue Sep 9, 2020 · 1 comment
Closed
3 tasks done

Implement "Soft Delete" for API Keys #106

nelsonic opened this issue Sep 9, 2020 · 1 comment
Labels
enhancement New feature or enhancement of existing functionality T1h Time Estimate 1 Hour technical A technical issue that requires understanding of the code, infrastructure or dependencies

Comments

@nelsonic
Copy link
Member

nelsonic commented Sep 9, 2020
edited
Loading

At present we have a "hard" delete for all records in our DB which means that when a record is gone, it's gone for everrrr! This is fine from a tidying up perspective but it's terrible from a Security Auditing perspective. If we are going to allow anyone to create an API Key for accessing the dwyl App (e.g: on their localhost) we want some level of accountability. We want people to be able to "soft delete" (i.e. invalidate an API Key) so that it can no longer be used, but we still want to have a record of it in case we need to do any security auditing. see: https://en.wikipedia.org/wiki/Information_security_audit

Todo

  • update delete_apikey/1 to set the :status of the apikey to 6 ("deleted")
  • Don't show API keys that are "deleted".
  • Deal with the fallout from not allowing hard deletes.
@nelsonic nelsonic added enhancement New feature or enhancement of existing functionality T1h Time Estimate 1 Hour technical A technical issue that requires understanding of the code, infrastructure or dependencies labels Sep 9, 2020
@nelsonic nelsonic mentioned this issue Sep 9, 2020
Merged
13 tasks
@nelsonic
Copy link
Member Author

This is working already in the "Reset API Key" function:
auth-app-reset-api-key

nelsonic added a commit that referenced this issue Sep 10, 2020
@nelsonic
check for API Keys that are "deleted" in get_client_secret/2 #107 + #106
3c4e5a2
nelsonic added a commit that referenced this issue Sep 10, 2020
@nelsonic
add test for "deleted" API Key #106
f45a850
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or enhancement of existing functionality T1h Time Estimate 1 Hour technical A technical issue that requires understanding of the code, infrastructure or dependencies
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nelsonic