gofiber/keyauth

Suggestion: Improve examples to follow best security practices

aosti opened this issue · 2 comments

aosti commented

Hello, first of all nice work with the gofiber library and all of the middlewares. My issue is only a suggestion to better guide developers who may not be familiar with security issues. My suggestion is to update the examples to follow the best practices regarding security, because many developers may copy/paste the examples and not adjust the security-sensitive aspects of it.

**Unsafe Example of URL Filtering**
Creates a map with the paths that should be verified and uses c.OriginalURL() to get the path from the request. However, this is not safe. By simply changing the case of the path or adding additional bars at the end of the URI, it can be bypassed. I'm not sure how to solve this one in Go.

**Unsafe URL passing**
Keys should not be passed through the URL as that may cause the token to be saved in the server logs. Simply use an authentication header.

**All examples vulnerable to timing attacks**
It may not be viable to perform in all scenarios; however, there may be timing differences during the comparison of the submitted client token and the backend response, which may allow an attacker to recover the token from the backend.
This can be solved by first hashing both the user entry and the API key itself with at least SHA256, and then comparing the two digests using the subtle.ConstantTimeCompare function.
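The second and third points above (read the key from a header, hash both sides and compare in constant time) in working Go, as an added example that is not part of the issue, the linked PR or the keyauth middleware itself. It uses only the standard library: `newValidator` stands in for a keyauth `Validator` callback but takes only the key (the `*fiber.Ctx` parameter is left out so the block runs without fiber), `keyFromAuthorization` is an assumed helper for parsing the header, and the key string in `main` is constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

var (
	errMissingKey = errors.New("missing or malformed Authorization header")
	errInvalidKey = errors.New("invalid API key")
)

// keyFromAuthorization pulls a bearer token out of an Authorization header
// value (assumed helper, not part of keyauth). Reading the key from a header
// instead of a query parameter keeps it out of access logs and browser
// history. The scheme is matched case-insensitively, as HTTP auth schemes are.
func keyFromAuthorization(header string) (string, error) {
	scheme, token, found := strings.Cut(strings.TrimSpace(header), " ")
	if !found || !strings.EqualFold(scheme, "Bearer") {
		return "", errMissingKey
	}
	token = strings.TrimSpace(token)
	if token == "" {
		return "", errMissingKey
	}
	return token, nil
}

// naiveValidator is the pattern the issue warns about: a plain string
// comparison that returns as soon as the first differing byte is found,
// so the response time leaks how many leading bytes of the guess were right.
func naiveValidator(expectedKey string) func(string) (bool, error) {
	return func(submitted string) (bool, error) {
		if submitted == expectedKey {
			return true, nil
		}
		return false, errInvalidKey
	}
}

// newValidator returns the hardened check. The expected key is hashed once up
// front, so the plaintext does not have to be kept around, and every submitted
// key is hashed the same way before the comparison.
func newValidator(expectedKey string) func(string) (bool, error) {
	expectedHash := sha256.Sum256([]byte(expectedKey))
	return func(submitted string) (bool, error) {
		submittedHash := sha256.Sum256([]byte(submitted))
		// ConstantTimeCompare runs in time that depends only on the length of
		// its inputs, not on where they differ. Hashing first is what makes
		// the lengths equal (always 32 bytes): with raw keys, a length
		// mismatch returns immediately, which a timing probe could detect.
		if subtle.ConstantTimeCompare(submittedHash[:], expectedHash[:]) == 1 {
			return true, nil
		}
		return false, errInvalidKey
	}
}

func main() {
	// Constructed key and headers for demonstration only.
	validate := newValidator("k3y-constructed-for-this-example")
	for _, hdr := range []string{
		"Bearer k3y-constructed-for-this-example",
		"bearer wrong-key",
		"Basic dXNlcjpwYXNz",
	} {
		key, err := keyFromAuthorization(hdr)
		if err == nil {
			_, err = validate(key)
		}
		fmt.Printf("%-45q -> %v\n", hdr, err)
	}
}
```

`naiveValidator` is only there for contrast; a real deployment would ship just `newValidator`, and the expected key would come from configuration rather than a literal.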

gaby commented

I will update the 2nd example this weekend. Thanks for pointing this out. The first one is a little more complicated.

gaby commented

@aosti I have implemented all your suggestions in #99

  • The URL filtering was fixed by normalizing the URL and using a Regex for the check.
  • Added support for sha256/subtle.ConstantTimeCompare to all examples
  • Replaced the param example with an Authorization Header example
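One way to do the "normalize, then match with an anchored regex" filter from the first bullet, written as an added example rather than the code from #99 or from keyauth. The naive exact-match map from the original report is kept alongside it so the bypasses (case change, trailing slashes, dot segments, percent-encoding) can be seen failing against one and caught by the other. Assumptions: the protected routes `/admin` and `/api/keys` are invented for the example, and lowercasing is only correct if the router itself is case-insensitive (fiber's default); if your router is case-sensitive, drop the `ToLower` step so the filter and the router agree on what a path means.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// naiveProtected mirrors the unsafe pattern from the issue: an exact-match
// lookup keyed on the raw request URL.
var naiveProtected = map[string]bool{"/admin": true, "/api/keys": true}

func naiveNeedsAuth(rawURL string) bool {
	return naiveProtected[rawURL]
}

// protectedPaths is matched against the normalized path. Both anchors matter:
// without "^" any path containing "admin" would match, without "$" a suffix
// like "/admin-public" would. The optional "(/.*)?" group covers sub-routes.
var protectedPaths = regexp.MustCompile(`^/(admin|api/keys)(/.*)?$`)

// normalizePath turns a request URL into a canonical path before the check:
// parse it (which percent-decodes the path and splits off the query string),
// collapse "//" and resolve "." and ".." with path.Clean (which also removes a
// trailing slash), then lowercase it for a case-insensitive router.
func normalizePath(rawURL string) (string, error) {
	u, err := url.ParseRequestURI(rawURL)
	if err != nil {
		return "", err
	}
	return strings.ToLower(path.Clean(u.Path)), nil
}

// needsAuth reports whether the request must carry a valid key. It fails
// closed: a URL that cannot be parsed is treated as protected.
func needsAuth(rawURL string) bool {
	p, err := normalizePath(rawURL)
	if err != nil {
		return true
	}
	return protectedPaths.MatchString(p)
}

func main() {
	// Constructed request URLs: the first is the straightforward case, the
	// rest are variants that reach the same handler on a lenient router.
	for _, u := range []string{
		"/admin", "/Admin", "/admin/", "/admin//", "/foo/../admin",
		"/%61dmin", "/api/keys/123?x=1", "/admin-public", "/public",
	} {
		fmt.Printf("%-20s naive=%-5v normalized=%v\n", u, naiveNeedsAuth(u), needsAuth(u))
	}
}
```

The order of the steps is deliberate: decoding before `path.Clean` is what lets an encoded `%2e%2e` be resolved as `..`, and lowercasing last keeps the regex simple. Whatever normalization is chosen, it has to produce the same path the router will dispatch on; a filter that is stricter or looser than the router is exactly the gap an attacker looks for.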