Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security framework for the API #2461

Merged
merged 1 commit into from
Feb 25, 2019
Merged

Security framework for the API #2461

merged 1 commit into from
Feb 25, 2019

Conversation

blabno
Copy link

@blabno blabno commented Feb 24, 2019

No description provided.

@ManfredKarrer ManfredKarrer removed the request for review from cbeams February 24, 2019 16:15
ManfredKarrer
ManfredKarrer suggested changes Feb 24, 2019
View reviewed changes
api/src/main/java/bisq/api/http/service/auth/TokenRegistry.java
private Map<String, Long> tokens = new HashMap<>();

public TokenRegistry() {
this(() -> UUID.randomUUID().toString(), System::currentTimeMillis);
Copy link
Member

@ManfredKarrer ManfredKarrer Feb 24, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you have to use SecureRandom for cryptographically secure randomness.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UUID.randomUUID uses SecureRandom by default.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah ok.

api/src/main/java/bisq/api/http/service/auth/TokenRegistry.java
}

public TokenRegistry(RandomStringGenerator randomStringGenerator, TimeProvider timeProvider) {
this.timeProvider = timeProvider;
Copy link
Member

@ManfredKarrer ManfredKarrer Feb 24, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you have to use SecureRandom for cryptographically secure randomness.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Time provider is meant to provide actual time. It is used as abstraction for unit tests.

api/src/test/java/bisq/api/http/service/auth/ApiPasswordManagerTest.java



import com.github.javafaker.Faker;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dont find that class in the source code at https://github.com/Javafaker.
Do we really need that? It is one of those examples where I don't want to get new dependencies (unknown developer, small functionality)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah sorry, just saw its a test class. So then I dont care so much about that dependency anymore, but still would like to know better what the class provides.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Faker is random data generator. On the top level it has methods with categories.

api/src/test/java/bisq/api/http/service/auth/ApiPasswordManagerTest.java
private static String getRandomPasswordDifferentThan(String otherPassword) {
String newPassword;
do {
newPassword = Faker.instance().internet().password();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is that supposed to do? internet() is a weird method name...
As said above I prefer to not add that dependency.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah sorry, just saw its a test class. So then I dont care so much about that dependency anymore, but still would like to know better what the class provides.

@blabno
Copy link
Author

blabno commented Feb 25, 2019

I've substituted Random with SecureRandom. I'm using the one created with default constructor.
I've tried SecureRandom.getInstanceStrong() but it takes about a minute to generate single long. So it's absolutely unacceptable performance.

ManfredKarrer
ManfredKarrer approved these changes Feb 25, 2019
View reviewed changes
Copy link
Member

@ManfredKarrer ManfredKarrer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK

@ManfredKarrer
Copy link
Member

I will merge master after the PR. Please update your branch afterwards to be in sync.

@ManfredKarrer ManfredKarrer merged commit 5977e0b into bisq-network:http-api Feb 25, 2019
@blabno blabno deleted the api-security branch February 25, 2019 16:35
@freimair freimair mentioned this pull request Sep 5, 2019
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ManfredKarrer ManfredKarrer ManfredKarrer approved these changes

Assignees
No one assigned
Labels
in:api
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@blabno @ManfredKarrer @ripcurlx