add deprecation for v1 tokens

keygen-sh · Nov 13, 2024 · 3eaa54c · 3eaa54c
1 parent 625b91c
commit 3eaa54c
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 3 deletions.
diff --git a/Gemfile b/Gemfile
@@ -6,7 +6,7 @@ ruby '3.3.6'
 gem 'rails', '~> 7.2.2'
 gem 'pg', '~> 1.3.4'
 gem 'puma', '~> 6.4.3'
-gem 'bcrypt', '~> 3.1.7'
+gem 'bcrypt', '3.1.17'
 gem 'rack', '~> 2.2.8.1'
 gem 'rack-timeout', require: 'rack/timeout/base'
 unless ENV.key?('NO_RACK_ATTACK')

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -530,7 +530,7 @@ DEPENDENCIES
   ar_lazy_preload (~> 2.0)
   aws-sdk-s3 (~> 1)
   barnes
-  bcrypt (~> 3.1.7)
+  bcrypt (= 3.1.17)
   bullet (~> 7.2)
   byebug
   compact_index

diff --git a/app/models/concerns/tokenable.rb b/app/models/concerns/tokenable.rb
@@ -57,7 +57,13 @@ def compare_hashed_token(attribute, token, version: ALGO_VERSION)
     case version
     when "v1"
       bcrypt = BCrypt::Password.new a
-      b = BCrypt::Engine.hash_secret Digest::SHA256.digest(token), bcrypt.salt
+      digest = Digest::SHA256.digest(token)
+
+      if digest.include?("\x00") # null byte
+        Keygen.logger.warn { "[tokenable] v1 token must be regenerated: tokenable_type=#{self.class.name.inspect} tokenable_id=#{id.inspect} tokenable_attr=#{attribute.inspect}" }
+      end
+
+      b = BCrypt::Engine.hash_secret digest, bcrypt.salt
     when "v2"
       b = OpenSSL::HMAC.hexdigest "SHA512", account.private_key, token
     when "v3"

diff --git a/app/services/license_key_lookup_service.rb b/app/services/license_key_lookup_service.rb
@@ -20,6 +20,8 @@ def call
       license = licenses.find_by(id: matches[:license_id])
 
       if license&.compare_hashed_token(:key, key, version: 'v1')
+        Keygen.logger.warn { "[license-key-lookup-service] v1 keys are deprecated and must be regenerated: license_id=#{license.id.inspect}" }
+
         license
       else
         nil

diff --git a/app/services/token_lookup_service.rb b/app/services/token_lookup_service.rb
@@ -32,6 +32,8 @@ def call
       instance = tokens.find_by(id: m[:token_id])
 
       if instance&.compare_hashed_token(:digest, token, version: 'v1')
+        Keygen.logger.warn { "[token-lookup-service] v1 tokens are deprecated and must be regenerated: bearer_type=#{instance.bearer.class.name.inspect} bearer_id=#{instance.bearer.id.inspect} token_id=#{instance.id.inspect}" }
+
         instance
       else
         nil
-Original file line number
+Diff line change
@@ Expand Up / @@ -20,6 +20,8 @@ def call @@
           license = licenses.find_by(id: matches[:license_id])
           if license&.compare_hashed_token(:key, key, version: 'v1')
+            Keygen.logger.warn { "[license-key-lookup-service] v1 keys are deprecated and must be regenerated: license_id=#{license.id.inspect}" }
             license
           else
             nil
@@ Expand Down @@