From b6e6f6dd94cb03b8505fb61ee02ae8812ac1ebba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=AA=20H=C3=A0n=20Minh=20Khang?=
Date: Thu, 22 Sep 2022 11:37:33 -0400
Subject: [PATCH] Obscuring api key when called from webapp (#59)
* obscuring api key when called from webapp
* changes suggested and fix wellsaid apikey return
* hope this works?
* Apikey obscure unobscure Aws Apikey
* handle edge case for short key strings
Co-authored-by: kitajchuk
---
 lib/routes/api/speech-credentials.js | 40 +++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 7 deletions(-)
diff --git a/lib/routes/api/speech-credentials.js b/lib/routes/api/speech-credentials.js
index 53990f8..86c7e59 100644
--- a/lib/routes/api/speech-credentials.js
+++ b/lib/routes/api/speech-credentials.js
@@ -15,6 +15,16 @@ const {
 testWellSaidTts
 } = require('../../utils/speech-utils');
+const obscureKey = (key) => {
+ const key_spoiler_length = 6;
+ const key_spoiler_char = 'X';
+
+ if (key.length <= key_spoiler_length) {
+ return key;
+ }
+
+ return `${key.slice(0, key_spoiler_length)}${key_spoiler_char.repeat(key.length - key_spoiler_length)}`;
+};
 const encryptCredential = (obj) => {
 const {
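Review bot: `obscureKey` returns the key unchanged when `key.length <= key_spoiler_length`, so a secret of six characters or fewer is still sent to the client in clear, and a missing or non-string value throws on `key.length`. Masking the whole value in that branch would close the gap, for example `if (typeof key !== 'string') return key;` followed by `if (key.length <= key_spoiler_length) return key_spoiler_char.repeat(key.length);`. The mask also keeps the first six characters and the exact length of every longer secret; a fixed-width mask would reveal less if the webapp does not need the length. A short comment above the helper stating what stays visible and why would help the next reader.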
@@ -110,24 +120,30 @@ router.get('/', async(req, res) => {
 res.status(200).json(creds.map((c) => {
 const {credential, ...obj} = c;
 if ('google' === obj.vendor) {
- obj.service_key = JSON.parse(decrypt(credential));
+ const o = JSON.parse(decrypt(credential));
+ const key_header = '-----BEGIN PRIVATE KEY-----\n';
+ const obscured = {
+ ...o,
+ private_key: `${key_header}${obscureKey(o.private_key.slice(key_header.length, o.private_key.length))}`
+ };
+ obj.service_key = obscured;
 }
 else if ('aws' === obj.vendor) {
 const o = JSON.parse(decrypt(credential));
 obj.access_key_id = o.access_key_id;
- obj.secret_access_key = o.secret_access_key;
+ obj.secret_access_key = obscureKey(o.secret_access_key);
 obj.aws_region = o.aws_region;
 logger.info({obj, o}, 'retrieving aws speech credential');
 }
 else if ('microsoft' === obj.vendor) {
 const o = JSON.parse(decrypt(credential));
- obj.api_key = o.api_key;
+ obj.api_key = obscureKey(o.api_key);
 obj.region = o.region;
 logger.info({obj, o}, 'retrieving azure speech credential');
 }
 else if ('wellsaid' === obj.vendor) {
 const o = JSON.parse(decrypt(credential));
- obj.api_key = o.api_key;
+ obj.api_key = obscureKey(o.api_key);
 }
 return obj;
 }));
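Review bot: The unchanged `logger.info({obj, o}, 'retrieving aws speech credential')` line and the matching azure line still log `o`, the decrypted credential, so the full `secret_access_key` and `api_key` are written to the logs at info level even though the response is now masked. Logging only the masked object, `logger.info({obj}, 'retrieving aws speech credential');`, would keep the plaintext secret out of log storage; the same applies to the azure call. The handler starts and ends outside this hunk, so any other logging of `o` there is not visible here.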
@@ -147,19 +163,29 @@ router.get('/:sid', async(req, res) => {
 if (0 === cred.length) return res.sendStatus(404);
 const {credential, ...obj} = cred[0];
 if ('google' === obj.vendor) {
- obj.service_key = decrypt(credential);
+ const o = JSON.parse(decrypt(credential));
+ const key_header = '-----BEGIN PRIVATE KEY-----\n';
+ const obscured = {
+ ...o,
+ private_key: `${key_header}${obscureKey(o.private_key.slice(key_header.length, o.private_key.length))}`
+ };
+ obj.service_key = JSON.stringify(obscured);
 }
 else if ('aws' === obj.vendor) {
 const o = JSON.parse(decrypt(credential));
 obj.access_key_id = o.access_key_id;
- obj.secret_access_key = o.secret_access_key;
+ obj.secret_access_key = obscureKey(o.secret_access_key);
 obj.aws_region = o.aws_region;
 }
 else if ('microsoft' === obj.vendor) {
 const o = JSON.parse(decrypt(credential));
- obj.api_key = o.api_key;
+ obj.api_key = obscureKey(o.api_key);
 obj.region = o.region;
 }
+ else if ('wellsaid' === obj.vendor) {
+ const o = JSON.parse(decrypt(credential));
+ obj.api_key = obscureKey(o.api_key);
+ }
 res.status(200).json(obj);
 } catch (err) {
 sysError(logger, res, err);
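Review bot: The Google branch assumes `o.private_key` is a string that begins with exactly the `key_header` text. `slice(key_header.length, ...)` drops that many leading characters whatever they are, so a key stored with a different header comes back with a mismatched prefix, and a stored credential without `private_key` throws into the `catch`, where the old code returned the decrypted string as is. Checking `typeof o.private_key === 'string' && o.private_key.startsWith(key_header)` first, and masking the whole value otherwise, would avoid both. The same block appears in the `GET /` hunk and could move into one helper next to `obscureKey`. The handler's `try` opens outside this hunk.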