
supabase / auth / 9481825808

12 Jun 2024 11:33AM UTC coverage: 57.657% (+0.07%) from 57.589%
9481825808

push

github

web-flow
feat: encrypt sensitive columns (#1593)

Adds support for encrypting sensitive columns like the MFA secret and
password hash.

The goal with this encryption mechanism is to add yet another layer of
security on top of the database permissions provided by Postgres. In the
event that the database leaks or is accessed by malicious users or the
database permissions are incorrectly defined, the encryption key would
also be required to inspect this sensitive data.

Encryption is done using AES-GCM-256. Strings that are encrypted are
converted into a JSON string with this shape:

```json
{
  "key_id": "key identifier used for encryption",
  "alg": "aes-gcm-hkdf",
  "nonce": "GCM 12 byte nonce",
  "data": "Base64 standard encoding of the ciphertext"
}
```

As AES-GCM must not be used more than 2^32 times with a single symmetric
key, and this is not that much -- imagine serving 100m users -- then
this means that all users can only add 42 passwords or MFA verification
factors before running into this hard limit. To fix this, a symmetric
key is derived using
[HKDF](https://datatracker.ietf.org/doc/html/rfc5869) with SHA256 such
that the symmetric key is used together with the object ID (for
passwords - the user ID, for TOTP secrets - the factor ID). This way
there's a separate AES-GCM key per object, and additionally gives the
security property that a malicious actor with write permissions to the
database cannot swap passwords / TOTP secrets from Malice's account to
Target's account. They would need to also change the UUIDs of these
objects, which is likely to be hard.

To turn on encryption the following configs need to be added:

`GOTRUE_SECURITY_DB_ENCRYPTION_ENCRYPT=true` -- that turns on encryption
for new objects.
`GOTRUE_SECURITY_DB_ENCRYPTION_ENCRYPTION_KEY_ID=key-id` -- ID of the
encryption key, allowing to rotate keys easily.
`GOTRUE_SECURITY_DB_ENCRYPTION_ENCRYPTION_KEY=key` -- Base64 URL
encoding of a 256 bit ... (continued)
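The per-object key derivation described in the commit message, as an added example that is not code from supabase/auth: the master key and an object ID go through HKDF-SHA256 to produce an AES-256-GCM key, so a row copied onto another object no longer decrypts. Assumptions: the object ID is the HKDF "info" input with an empty salt, the nonce is Base64 in the JSON, all function and type names are hypothetical, and the all-zero master key is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Envelope struct { // JSON shape from the commit message; []byte marshals as standard Base64
	KeyID string `json:"key_id"`
	Alg   string `json:"alg"`
	Nonce []byte `json:"nonce"`
	Data  []byte `json:"data"`
}

func aeadFor(master []byte, objectID string) cipher.AEAD {
	extract := hmac.New(sha256.New, nil) // HKDF-Extract (RFC 5869) with an empty salt
	extract.Write(master)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // HKDF-Expand, first 32-byte block
	expand.Write(append([]byte(objectID), 1))        // assumption: object ID is the HKDF "info"
	block, _ := aes.NewCipher(expand.Sum(nil))       // cannot fail: derived key is always 32 bytes
	aead, _ := cipher.NewGCM(block)                  // cannot fail for an AES block cipher
	return aead
}

func Encrypt(master []byte, keyID, objectID string, plaintext []byte) ([]byte, error) {
	aead := aeadFor(master, objectID)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return json.Marshal(Envelope{keyID, "aes-gcm-hkdf", nonce, aead.Seal(nil, nonce, plaintext, nil)})
}

func Decrypt(master []byte, objectID string, stored []byte) ([]byte, error) {
	e, aead := Envelope{}, aeadFor(master, objectID)
	if err := json.Unmarshal(stored, &e); err != nil || len(e.Nonce) != aead.NonceSize() {
		return nil, fmt.Errorf("malformed envelope: %v", err)
	}
	return aead.Open(nil, e.Nonce, e.Data, nil) // tag check fails under any other object's key
}

func main() {
	row, _ := Encrypt(make([]byte, 32), "key-id", "factor-A", []byte("TOTPSECRET")) // constructed inputs
	fmt.Println(Decrypt(make([]byte, 32), "factor-B", row))                         // row moved to another object
}
```

Because each object gets its own key, the random 12-byte nonce only has to be unique among encryptions for that one object ID.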

148 of 219 new or added lines in 9 files covered. (67.58%)

8626 of 14961 relevant lines covered (57.66%)

54.29 hits per line

Source File

63.43
/internal/api/admin.go


Source Not Available
