FEATURE: Hash API keys in the database (PR #8438)

:warning:This change is completely irreversible. Once the migrations are run, the plain text keys will be deleted from the database. Marking as a draft PR for now to avoid accidental merging, but this is ready for review.

API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak.

Many of the changes in this diff are to implement the new post-create UI, which looks like:

Screenshot 2019-11-29 at 15 20 09

From a security perspective, the key files to review are:

  • app/models/api_key.rb

  • lib/auth/default_current_user_provider.rb

  • db/migrate/20191128113434_add_hashed_api_key.rb

  • db/post_migrate/20191128113435_remove_key_from_api_keys.rb

@danielwaterworth I had some issues with fab! in the tests, because it ‘refinds’ the record from the database after the initial save. The keys are kept temporarily as instance variables, so this refind was causing the key to be lost. I set refind:false in these places, but would be interested if you know of a cleaner solution.


You’ve signed the CLA, davidtaylorhq. Thank you! This pull request is ready for review.

This pull request has been mentioned on Discourse Meta. There might be relevant details there:


Guess it could be nice to have this in api-key model:

import { fmt } from "discourse/lib/computed";

truncatedKey: fmt("truncated_key", "%@...")

It’s minor but, it avoid repeating the ... each time we use it, and I like the idea of limit as much as possible snake_case in hbs files, obviously we will always have some…

sorry missed it was a draft…

Using a div here fixes the “double click & copy includes whitespace in firefox” issue. Unfortunately a span does not seem to help :cry:

1 Like

Oh ok, didn’t know this, totally fine :+1:

This looks great! :+1: