Mirror of https://github.com/hasura/graphql-engine.git (synced 2024-12-17 12:31:52 +03:00)

Commit d747bc1148
Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
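The storage and comparison pattern the commit message describes, as an added example written for this page in Python rather than the project's Haskell. It is not Hasura's code: the secret value is a constructed sample, and `HashedAdminSecret`, `naive_matches` and the other names are invented for illustration. The "before" helper keeps the plaintext and uses ordinary string equality; the "after" class keeps only a SHA-256 digest and compares digests in constant time.

```python
import hashlib
import hmac


# Constructed sample secret for the example; a real server would read it from
# the environment or a command-line flag and never keep the plaintext around.
EXAMPLE_ADMIN_SECRET = "correct-horse-battery-staple"


def naive_matches(stored_plaintext: str, candidate: str) -> bool:
    """The pattern the commit moves away from (illustrative, not Hasura's code).

    The plaintext secret lives in the config object, so any debug dump, error
    message or memory read exposes it, and `==` on strings may stop at the
    first differing byte, so the comparison time can depend on how much of
    the candidate is correct.
    """
    return stored_plaintext == candidate


class HashedAdminSecret:
    """Holds only a SHA-256 digest of the admin secret, never the secret itself.

    A fast unsalted hash is used deliberately: the check runs on every request,
    and the secret is a high-entropy operator-chosen value rather than a user
    password, so a tunable-cost KDF such as bcrypt buys little here. This is
    the trade-off the commit message describes.
    """

    __slots__ = ("_digest",)

    def __init__(self, digest: bytes) -> None:
        if len(digest) != hashlib.sha256().digest_size:
            raise ValueError("expected a SHA-256 digest")
        self._digest = digest

    @classmethod
    def from_plaintext(cls, secret: str) -> "HashedAdminSecret":
        """Hash the configured secret once at startup and drop the plaintext."""
        return cls(hashlib.sha256(secret.encode("utf-8")).digest())

    @property
    def digest(self) -> bytes:
        return self._digest

    def matches(self, candidate: str) -> bool:
        """Constant-time check of a secret presented on a request.

        Hashing the candidate first makes both sides fixed-length 32-byte
        values; hmac.compare_digest then compares them without
        short-circuiting, so timing reveals neither the candidate's length
        nor how many leading bytes it got right.
        """
        candidate_digest = hashlib.sha256(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(self._digest, candidate_digest)

    def __repr__(self) -> str:
        # Keep even the digest out of logs and tracebacks; a hash of a weak
        # secret is still something an attacker could grind offline.
        return "HashedAdminSecret(<redacted>)"

    __str__ = __repr__


if __name__ == "__main__":
    store = HashedAdminSecret.from_plaintext(EXAMPLE_ADMIN_SECRET)
    print(store, store.matches(EXAMPLE_ADMIN_SECRET), store.matches("nope"))
```

Note that `matches` hashes the candidate before comparing rather than comparing the candidate to a decoded secret: that is what makes both operands the same length regardless of what the client sent, and it is the reason the plaintext never needs to exist after startup.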
Directory listing:

- ..
- Config.hs