OpenShock · hhvrc · Nov 23, 2024 · Oct 18, 2024 · Oct 18, 2024 · Nov 6, 2024
diff --git a/API/Controller/Tokens/TokenController.cs b/API/Controller/Tokens/TokenController.cs
@@ -107,23 +107,25 @@ public async Task<IActionResult> DeleteToken([FromRoute] Guid tokenId)
     [ProducesResponseType<TokenCreatedResponse>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
     public async Task<TokenCreatedResponse> CreateToken([FromBody] CreateTokenRequest body)
     {
-        var token = new ApiToken
+        string token = CryptoUtils.RandomString(HardLimits.ApiKeyTokenLength);
+
+        var tokenDto = new ApiToken
         {
             UserId = CurrentUser.DbUser.Id,
-            Token = CryptoUtils.RandomString(HardLimits.ApiKeyTokenMaxLength),
+            TokenHash = HashingUtils.HashSha256(token),
             CreatedByIp = HttpContext.GetRemoteIP().ToString(),
             Permissions = body.Permissions.Distinct().ToList(),
             Id = Guid.NewGuid(),
             Name = body.Name,
             ValidUntil = body.ValidUntil?.ToUniversalTime()
         };
-        _db.ApiTokens.Add(token);
+        _db.ApiTokens.Add(tokenDto);
         await _db.SaveChangesAsync();
 
         return new TokenCreatedResponse
         {
-            Token = token.Token,
-            Id = token.Id
+            Token = token,
+            Id = tokenDto.Id
         };
     }
 
@@ -153,7 +155,7 @@ public async Task<IActionResult> EditToken([FromRoute] Guid tokenId, [FromBody]
 
     public class EditTokenRequest
     {
-        [StringLength(HardLimits.ApiKeyTokenMaxLength, MinimumLength = HardLimits.ApiKeyTokenMinLength, ErrorMessage = "API token length must be between {1} and {2}")]
+        [StringLength(HardLimits.ApiKeyNameMaxLength, MinimumLength = 1, ErrorMessage = "API token length must be between {1} and {2}")]
         public required string Name { get; set; }
 
         [MaxLength(HardLimits.ApiKeyMaxPermissions, ErrorMessage = "API token permissions must be between {1} and {2}")]

diff --git a/Common/Authentication/Handlers/LoginSessionAuthentication.cs b/Common/Authentication/Handlers/LoginSessionAuthentication.cs
@@ -65,7 +65,9 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
 
     private async Task<AuthenticateResult> TokenAuth(string token)
     {
-        var tokenDto = await _db.ApiTokens.Include(x => x.User).FirstOrDefaultAsync(x => x.Token == token &&
+        string tokenHash = HashingUtils.HashSha256(token);
+
+        var tokenDto = await _db.ApiTokens.Include(x => x.User).FirstOrDefaultAsync(x => x.TokenHash == tokenHash &&
             (x.ValidUntil == null || x.ValidUntil >= DateTime.UtcNow));
         if (tokenDto == null) return Fail(AuthResultError.TokenInvalid);
 

diff --git a/Common/Constants/HardLimits.cs b/Common/Constants/HardLimits.cs
@@ -20,8 +20,7 @@ public static class HardLimits
     public const int UserAgentMaxLength = 1024;
 
     public const int ApiKeyNameMaxLength = 64;
-    public const int ApiKeyTokenMinLength = 1;
-    public const int ApiKeyTokenMaxLength = 64;
+    public const int ApiKeyTokenLength = 64;
     public const int ApiKeyMaxPermissions = 256;
 
     public const int HubNameMinLength = 1;
@@ -34,9 +33,10 @@ public static class HardLimits
     public const int ShockerShareLinkNameMinLength = 1;
     public const int ShockerShareLinkNameMaxLength = 64;
 
+    public const int SemVerMaxLength = 64;
     public const int IpAddressMaxLength = 40;
+    public const int Sha256HashHexLength = 64;
 
-    public const int SemVerMaxLength = 64;
     public const int OtaUpdateMessageMaxLength = 128;
 
     public const int PasswordHashMaxLength = 100;