You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: text/0032-improved-api-tokens.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -33,7 +33,7 @@ Improve on Sentry's API token implementation to a more secure pattern. We will h
33
33
1. Using hashed values in the database
34
34
2. Only display the token once to the end user upon creation
35
35
3. Allow users to _name_ the tokens ([#9600](https://github.com/getsentry/sentry/issues/9600))
36
-
4. Use a predictable prefix to integrate with various secret scanning services (ex. Github's Secret Scanning)
36
+
4. Use a predictable prefix and suffix to integrate with various secret scanning services (ex. Github's Secret Scanning)
37
37
38
38
# Motivation
39
39
@@ -60,7 +60,7 @@ A notice in the Sentry UI should be presented to suggest the user rotate and gen
60
60
61
61
We need a predictable token format in order to integrate properly with secret scanning services. Our current format is a 64 character alphanumeric string. This is insufficient and would likely produce a high amount of false positives in tooling like [TruffleHog](https://github.com/trufflesecurity/trufflehog), [detect-secrets](https://github.com/Yelp/detect-secrets), [Github's Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning), etc.
62
62
63
-
The suggested pattern is `snty[a-zA-Z]_[a-zA-Z0-9]{64}`. The character _after_`snty` will be used to identify the token type.
63
+
The suggested pattern is `snty[a-zA-Z]_[a-zA-Z0-9]{64}io`. The character _after_`snty` will be used to identify the token type.
64
64
65
65
For example:
66
66
@@ -133,12 +133,12 @@ Instead of slowly generating the hashed token values over time of the legacy tok
133
133
134
134
## Option #3
135
135
136
-
To avoid the two different token versions, we could automatically prepend the prefix `sntyx_` (with `x` just being a placeholder here). We would then follow a similar approach to Option #1 or Option #2 to generate the hashed values.
136
+
To avoid the two different token versions, we could automatically prepend the prefix `sntyx_` (with `x` just being a placeholder here) and suffix `io`. We would then follow a similar approach to Option #1 or Option #2 to generate the hashed values.
137
137
138
138
### Drawbacks
139
139
140
-
- Users would not be able to benefit from the Github Secrets Scanning since they would still be using their 64 character alphanumeric string without the prefix.
141
-
- Authentication views/logic would become more complex with branching code to handle the with and without prefix cases.
140
+
- Users would not be able to benefit from the Github Secrets Scanning since they would still be using their 64 character alphanumeric string without the prefix and suffix.
141
+
- Authentication views/logic would become more complex with branching code to handle the with and without prefix + suffix cases.
0 commit comments