
supabase / auth / 9481825808
69%

Build:
DEFAULT BRANCH: master
Ran 12 Jun 2024 11:38AM UTC
Jobs 1
Files 124
Run time 2min

12 Jun 2024 11:33AM UTC coverage: 57.657% (+0.07%) from 57.589%
9481825808

push

github

web-flow
feat: encrypt sensitive columns (#1593)

Adds support for encrypting sensitive columns like the MFA secret and
password hash.

The goal with this encryption mechanism is to add yet another layer of
security on top of the database permissions provided by Postgres. In the
event that the database leaks or is accessed by malicious users or the
database permissions are incorrectly defined, the encryption key would
also be required to inspect this sensitive data.

Encryption is done using AES-GCM-256. Strings that are encrypted are
converted into a JSON string with this shape:

```json
{
  "key_id": "key identifier used for encryption",
  "alg": "aes-gcm-hkdf",
  "nonce": "GCM 12 byte nonce",
  "data": "Base64 standard encoding of the ciphertext"
}
```

As AES-GCM must not be used more than 2^32 times with a single symmetric
key, and this is not that much -- imagine serving 100m users -- then
this means that all users can only add 42 passwords or MFA verification
factors before running into this hard limit. To fix this, a symmetric
key is derived using
[HKDF](https://datatracker.ietf.org/doc/html/rfc5869) with SHA256 such
that the symmetric key is used together with the object ID (for
passwords - the user ID, for TOTP secrets - the factor ID). This way
there's a separate AES-GCM key per object, and additionally gives the
security property that a malicious actor with write permissions to the
database cannot swap passwords / TOTP secrets from Malice's account to
Target's account. They would need to also change the UUIDs of these
objects, which is likely to be hard.

To turn on encryption the following configs need to be added:

`GOTRUE_SECURITY_DB_ENCRYPTION_ENCRYPT=true` -- that turns on encryption
for new objects.
`GOTRUE_SECURITY_DB_ENCRYPTION_ENCRYPTION_KEY_ID=key-id` -- ID of the
encryption key, allowing to rotate keys easily.
`GOTRUE_SECURITY_DB_ENCRYPTION_ENCRYPTION_KEY=key` -- Base64 URL
encoding of a 256 bit ... (continued)
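
The per-object key derivation described in the commit message above, as an added Go sketch that is not the project's own code: it derives an AES-256-GCM key from a master key and an object ID with HKDF-SHA256, then shows that a ciphertext moved to a different object ID fails authentication. Assumptions: empty HKDF salt, the object ID used as the HKDF info, hypothetical function names (`aeadFor`, `Encrypt`, `Decrypt`), a constructed all-zero demo key, and the JSON envelope left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// aeadFor derives the per-object AES-256-GCM key with HKDF-SHA256 (RFC 5869).
func aeadFor(master []byte, objectID string) (cipher.AEAD, error) {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // assumption: empty salt
	extract.Write(master)                                      // PRK = HMAC(salt, master)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append([]byte(objectID), 0x01)) // assumption: object ID is the HKDF info
	block, _ := aes.NewCipher(expand.Sum(nil))   // 32-byte key, so this cannot fail
	return cipher.NewGCM(block)
}

// Encrypt returns a fresh random 12-byte nonce and the ciphertext for one object.
func Encrypt(master []byte, objectID, plaintext string) (nonce, data []byte, err error) {
	aead, err := aeadFor(master, objectID)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, []byte(plaintext), nil), nil
}

func Decrypt(master []byte, objectID string, nonce, data []byte) (string, error) {
	aead, err := aeadFor(master, objectID)
	if err != nil || len(nonce) != aead.NonceSize() {
		return "", fmt.Errorf("cannot decrypt: nonce length %d, key error %v", len(nonce), err)
	}
	pt, err := aead.Open(nil, nonce, data, nil) // fails if the object ID, and so the key, differs
	return string(pt), err
}

func main() {
	master := make([]byte, 32) // constructed all-zero demo key, not for real use
	nonce, data, _ := Encrypt(master, "factor-A", "TOTPSECRET")
	_, err := Decrypt(master, "factor-B", nonce, data) // row copied onto another factor
	fmt.Println("swap rejected:", err != nil)
}
```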

148 of 219 new or added lines in 9 files covered. (67.58%)

8626 of 14961 relevant lines covered (57.66%)

54.29 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆       File
1      63.43     0.08%   internal/api/admin.go
2      64.91     0.5%    internal/api/user.go
4      78.57     -0.41%  internal/models/factor.go
4      75.13     -0.09%  internal/models/user.go
6      73.0      -0.86%  internal/api/token.go
12     69.53     -1.61%  internal/api/mfa.go
16     72.9      -2.04%  internal/conf/configuration.go
26     64.0      10.34%  internal/crypto/crypto.go

Jobs
ID Job ID Ran Files Coverage
1 9481825808.1 12 Jun 2024 11:38AM UTC 124 57.66
GitHub Action Run
  • e4a47582 on github