From eb0db8839f2503b131ba32175c109a8006ff8056 Mon Sep 17 00:00:00 2001 From: Nico Flaig Date: Fri, 8 Mar 2024 16:10:32 +0100 Subject: [PATCH 1/3] Clarify authentication and token management --- keymanager-oapi.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/keymanager-oapi.yaml b/keymanager-oapi.yaml index 5bd9905..79c81b2 100644 --- a/keymanager-oapi.yaml +++ b/keymanager-oapi.yaml @@ -13,8 +13,10 @@ info: and "Accept: application/json" headers. All sensitive routes are to be authenticated with a token. This token should be provided by the user via a secure channel: - - Log the token to stdout when running the binary with the key manager API enabled - - Read the token from a file available to the binary + - Log the token file path to stdout when running the binary with the key manager API enabled + - Read the token from a file available to the binary, the path to the token file should be configurable + - If the token file does not exist or is empty, generate a new token and write it to the file + - The token should remain the same across multiple restarts of the binary version: "v1.0.0" contact: name: Ethereum Github @@ -63,7 +65,7 @@ components: bearerAuth: type: http scheme: bearer - bearerFormat: URL safe token, optionally JWT + bearerFormat: URL safe, opaque token schemas: Pubkey: From 2dc07ed16dadb0f280fbe6d046a4122a6414d0ad Mon Sep 17 00:00:00 2001 From: Nico Flaig Date: Thu, 28 Mar 2024 12:11:42 +0000 Subject: [PATCH 2/3] Update description to more closely follow jwt-secret spec --- keymanager-oapi.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/keymanager-oapi.yaml b/keymanager-oapi.yaml index 79c81b2..a5708e5 100644 --- a/keymanager-oapi.yaml +++ b/keymanager-oapi.yaml @@ -12,11 +12,12 @@ info: All requests by default send and receive JSON, and as such should have either or both of the "Content-Type: application/json" and "Accept: application/json" headers. - All sensitive routes are to be authenticated with a token. This token should be provided by the user via a secure channel: - - Log the token file path to stdout when running the binary with the key manager API enabled - - Read the token from a file available to the binary, the path to the token file should be configurable - - If the token file does not exist or is empty, generate a new token and write it to the file - - The token should remain the same across multiple restarts of the binary + All sensitive routes MUST be authenticated with a token. + + The keymanager binary SHOULD accept a configuration parameter: `token-file`, which designates a file containing the hex-encoded token + of at least 256 bits. If such a parameter is not given, the client SHOULD generate such a token and write it to a file, to be reused + across multiple restarts of the binary. If such a parameter is given, but the file or token cannot be read, the client SHOULD treat this + as an error: either abort the startup, or show the error and continue without exposing the keymanager routes. version: "v1.0.0" contact: name: Ethereum Github From bad1ade28c329ee341ed45b85363e4e47a0c4e28 Mon Sep 17 00:00:00 2001 From: Nico Flaig Date: Thu, 28 Mar 2024 13:20:43 +0000 Subject: [PATCH 3/3] Consistent spelling of key manager --- keymanager-oapi.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/keymanager-oapi.yaml b/keymanager-oapi.yaml index a5708e5..f868e5a 100644 --- a/keymanager-oapi.yaml +++ b/keymanager-oapi.yaml @@ -14,10 +14,10 @@ info: All sensitive routes MUST be authenticated with a token. - The keymanager binary SHOULD accept a configuration parameter: `token-file`, which designates a file containing the hex-encoded token + The key manager binary SHOULD accept a configuration parameter: `token-file`, which designates a file containing the hex-encoded token of at least 256 bits. If such a parameter is not given, the client SHOULD generate such a token and write it to a file, to be reused across multiple restarts of the binary. If such a parameter is given, but the file or token cannot be read, the client SHOULD treat this - as an error: either abort the startup, or show the error and continue without exposing the keymanager routes. + as an error: either abort the startup, or show the error and continue without exposing the key manager routes. version: "v1.0.0" contact: name: Ethereum Github