From 9e9d12d32d274dcec544285ef1f561025f200851 Mon Sep 17 00:00:00 2001
From: james-prysm
Date: Fri, 29 Mar 2024 14:02:23 +0000
Subject: [PATCH] deploy: f99e41560b0db7cb922baa3be52735d611280f8b
---
 keymanager-oapi.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/keymanager-oapi.yaml b/keymanager-oapi.yaml
index c6cbe67..f520fc9 100644
--- a/keymanager-oapi.yaml
+++ b/keymanager-oapi.yaml
@@ -11,9 +11,12 @@ info:
 All requests by default send and receive JSON, and as such should have either or both of the "Content-Type: application/json" and "Accept: application/json" headers.
- All sensitive routes are to be authenticated with a token. This token should be provided by the user via a secure channel:
- - Log the token to stdout when running the binary with the key manager API enabled
- - Read the token from a file available to the binary
+ All sensitive routes MUST be authenticated with a token.
+
+ The key manager binary SHOULD accept a configuration parameter: `token-file`, which designates a file containing the hex-encoded token
+ of at least 256 bits. If such a parameter is not given, the client SHOULD generate such a token and write it to a file, to be reused
+ across multiple restarts of the binary. If such a parameter is given, but the file or token cannot be read, the client SHOULD treat this
+ as an error: either abort the startup, or show the error and continue without exposing the key manager routes.
 version: v1.0.0
 contact:
 name: Ethereum Github
@@ -1760,7 +1763,7 @@ components:
 bearerAuth:
 type: http
 scheme: bearer
- bearerFormat: 'URL safe token, optionally JWT'
+ bearerFormat: 'URL safe, opaque token'
 schemas:
 Pubkey:
 type: string
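Review bot: The new description in the first hunk tells the client to generate a token and write it to a file when `token-file` is not given, but it says nothing about how the token is produced or how that file is protected. Since this token gates every sensitive key manager route, the text should add a sentence such as `The generated token MUST come from a cryptographically secure random source, and the token file SHOULD be readable only by the user running the binary.` It would also help to state that a token that is shorter than 256 bits or not valid hex counts as "cannot be read", so a weak or malformed token is a startup error rather than something a client may accept. The `info` description continues above the hunk.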
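Review bot: `bearerFormat: 'URL safe, opaque token'` in the second hunk describes the token differently from the `info` description changed in the first hunk, which specifies a hex-encoded token of at least 256 bits. Presumably the value in the token file is the same one sent as the bearer token; if so, an implementer reading only the security scheme could accept or issue other URL-safe encodings. Consider `bearerFormat: 'hex-encoded opaque token, at least 256 bits'` so both places agree. The `components` section continues outside the hunk.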