Hash existing API keys, and do checks against the hash

2024-11-24 09:50:17 -06:00 · 2024-11-05 23:23:06 +01:00 · 2024-11-05 23:23:06 +01:00 · 1b9c8377ae
commit 1b9c8377ae
parent 9f6975119e
5 changed files with 61 additions and 10 deletions
--- a/module/Core/migrations/Version20241105215309.php
+++ b/module/Core/migrations/Version20241105215309.php
@ -0,0 +1,45 @@
 <?php
 declare(strict_types=1);
 namespace ShlinkMigrations;
 use Doctrine\DBAL\Platforms\MySQLPlatform;
 use Doctrine\DBAL\Schema\Schema;
 use Doctrine\Migrations\AbstractMigration;
 use function hash;
 /**
 * Hash API keys as SHA256
 */
 final class Version20241105215309 extends AbstractMigration
 {
    public function up(Schema $schema): void
    {
        $keyColumnName = $this->connection->quoteIdentifier('key');
        $qb = $this->connection->createQueryBuilder();
        $qb->select($keyColumnName)
           ->from('api_keys');
        $result = $qb->executeQuery();
        $updateQb = $this->connection->createQueryBuilder();
        $updateQb
            ->update('api_keys')
            ->set($keyColumnName, ':encryptedKey')
            ->where($updateQb->expr()->eq($keyColumnName, ':plainTextKey'));
        while ($key = $result->fetchOne()) {
            $updateQb->setParameters([
                'encryptedKey' => hash('sha256', $key),
                'plainTextKey' => $key,
            ])->executeStatement();
        }
    }
    public function isTransactional(): bool
    {
        return ! ($this->connection->getDatabasePlatform() instanceof MySQLPlatform);
    }
 }
--- a/module/Rest/src/Entity/ApiKey.php
+++ b/module/Rest/src/Entity/ApiKey.php
@ -44,8 +44,7 @@ class ApiKey extends AbstractEntity
     */
    public static function fromMeta(ApiKeyMeta $meta): self
    {
-//        $apiKey = new self(self::hashKey($meta->key), $meta->name, $meta->expirationDate);
+        $apiKey = new self(self::hashKey($meta->key), $meta->name, $meta->expirationDate);
        $apiKey = new self($meta->key, $meta->name, $meta->expirationDate);
        foreach ($meta->roleDefinitions as $roleDefinition) {
            $apiKey->registerRole($roleDefinition);
        }
--- a/module/Rest/src/Service/ApiKeyService.php
+++ b/module/Rest/src/Service/ApiKeyService.php
@ -67,8 +67,7 @@ readonly class ApiKeyService implements ApiKeyServiceInterface
    private function getByKey(string $key): ApiKey|null
    {
        return $this->em->getRepository(ApiKey::class)->findOneBy([
-//            'key' => ApiKey::hashKey($key),
+            'key' => ApiKey::hashKey($key),
            'key' => $key,
        ]);
    }
 }
--- a/module/Rest/test-db/ApiKey/Repository/ApiKeyRepositoryTest.php
+++ b/module/Rest/test-db/ApiKey/Repository/ApiKeyRepositoryTest.php
@ -24,9 +24,9 @@ class ApiKeyRepositoryTest extends DatabaseTestCase
        self::assertCount(0, $this->repo->findAll());
        self::assertNotNull($this->repo->createInitialApiKey('initial_value'));
        self::assertCount(1, $this->repo->findAll());
-        self::assertCount(1, $this->repo->findBy(['key' => 'initial_value']));
+        self::assertCount(1, $this->repo->findBy(['key' => ApiKey::hashKey('initial_value')]));
        self::assertNull($this->repo->createInitialApiKey('another_one'));
        self::assertCount(1, $this->repo->findAll());
-        self::assertCount(0, $this->repo->findBy(['key' => 'another_one']));
+        self::assertCount(0, $this->repo->findBy(['key' => ApiKey::hashKey('another_one')]));
    }
 }
--- a/module/Rest/test/Service/ApiKeyServiceTest.php
+++ b/module/Rest/test/Service/ApiKeyServiceTest.php
@ -74,7 +74,9 @@ class ApiKeyServiceTest extends TestCase
    #[Test, DataProvider('provideInvalidApiKeys')]
    public function checkReturnsFalseForInvalidApiKeys(ApiKey|null $invalidKey): void
    {
-        $this->repo->expects($this->once())->method('findOneBy')->with(['key' => '12345'])->willReturn($invalidKey);
+        $this->repo->expects($this->once())->method('findOneBy')->with(['key' => ApiKey::hashKey('12345')])->willReturn(
            $invalidKey,
        );
        $this->em->method('getRepository')->with(ApiKey::class)->willReturn($this->repo);
        $result = $this->service->check('12345');
@ -97,7 +99,9 @@ class ApiKeyServiceTest extends TestCase
    {
        $apiKey = ApiKey::create();
-        $this->repo->expects($this->once())->method('findOneBy')->with(['key' => '12345'])->willReturn($apiKey);
+        $this->repo->expects($this->once())->method('findOneBy')->with(['key' => ApiKey::hashKey('12345')])->willReturn(
            $apiKey,
        );
        $this->em->method('getRepository')->with(ApiKey::class)->willReturn($this->repo);
        $result = $this->service->check('12345');
@ -109,7 +113,9 @@ class ApiKeyServiceTest extends TestCase
    #[Test]
    public function disableThrowsExceptionWhenNoApiKeyIsFound(): void
    {
-        $this->repo->expects($this->once())->method('findOneBy')->with(['key' => '12345'])->willReturn(null);
+        $this->repo->expects($this->once())->method('findOneBy')->with(['key' => ApiKey::hashKey('12345')])->willReturn(
            null,
        );
        $this->em->method('getRepository')->with(ApiKey::class)->willReturn($this->repo);
        $this->expectException(InvalidArgumentException::class);
@ -121,7 +127,9 @@ class ApiKeyServiceTest extends TestCase
    public function disableReturnsDisabledApiKeyWhenFound(): void
    {
        $key = ApiKey::create();
-        $this->repo->expects($this->once())->method('findOneBy')->with(['key' => '12345'])->willReturn($key);
+        $this->repo->expects($this->once())->method('findOneBy')->with(['key' => ApiKey::hashKey('12345')])->willReturn(
            $key,
        );
        $this->em->method('getRepository')->with(ApiKey::class)->willReturn($this->repo);
        $this->em->expects($this->once())->method('flush');