tooManySecrets

Or, failing that, a sensible error message. Don’t give me back 201 Created and put `”ErrorLines”: “Not authorized”` in the body.

(Yes this is in production, yes it’s a billion dollar enterprise. FML)

I currently work with an external api where sometimes you have to manually go do a captcha for an account. No new credentials or API keys are generated, mind you. Just casually breaking the integration for fun I guess

There are some key formats that include their own expiry time, not using those is a sin

There are two expiration intervals that make sense:
1) Continuous. The credentials expire quickly (30 days or less). Anyone who wields the credential in production will need to create automation to refresh the credential from launch.
2) No automated expiration. Credentials are valid until manually revoked by either party.

Anything else is illogical. Suppose you have a credential expiration time of 5 years. What is the implication exactly … that it is okay for adversary to wield that credential for 4 years and 364 days … but 5 years, that’s just too much.

Multi-year expirations just cause outages, period. They don’t improve security at all.

My Socrates Note

Better yet, don’t use an API key at all. It’s 2024, there are countless SAAS services that offer standard-compliant oauth2 for pocket change, so why does your API need its own custom auth solution?

Honestly, the state of auth is absolutely dire, and I cannot understand why. Even in my company, getting people to follow established standards instead of inventing their own inferior auth protocol is like pulling teeth. I’m beginning to suspect that this is the Great Filter – there’s something baked into our DNA that makes otherwise intelligent people want to waste their lives writing an auth system.

not using JWT make u stupid

It comes with the key.

Meanwhile, the refresh token endpoint:

I’m working part time as a QA Engineer for free when implementing an integration for a big name company. You’d think they’d have a bounty program 🙂

classic programmer problem, secrets everywhere but mine

One of my favorites:

Gitlab has this nice API to rotate tokens that you can call using that same token – this is great, since you can easily automate pre-emptively updating your tokens.

Or at least, it _would_ have been if they hadn’t implemented a non-optional “feature” that instantly and permanently revokes all the API tokens (including the new one) if you ever, even once, accidentally re-use the old token for any reason, no grace period or anything.

Gitlab claims it’s for security, which would be fine if there was any kind of grace period or it was optional.

But instead it makes the feature worse than useless, especially in larger systems/orgs with service accounts/tokens. Because now you have to halt everything to guarantee nothing might accidentally re-use the old token even if it’s mere seconds after rotation, or else you now have to re-provision the token using a higher level account (which often means manual intervention, with everything broken until you do).

Clearly OP has not aware of TOCTOU bugs. Providing such an API is considered bad practice. We have learned from the mistakes of `man 2 access`

Hobbyist programmer here. What if the first or last few bits of the key represented the expiration date/time? Kinda like discord snowflake ids with creation time. Is there any obvious vulnerability? Because this feels like a very easy and cheap fix for a company to adopt. What’s the catch?

It’s a “security” “feature” to not have that function.

Isn’t it a way to secure the resource? Having generic errors on prod and specific ones on a testing environment I mean

isn’t that the 401 you received? 😀 j/k and agreed

Yes, please.

If it’s a JWT you can determine this yourself

Too many secrets?

I think you mean *C-Tech Astronomy*

The title ref gave me thrills

If this is a Sneakers reference, I approve.