From e42841cd004a361ad16e5dd5269565b7a119803b Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Fri, 23 Jun 2023 13:54:36 +0200
Subject: [PATCH] Change api_key encoding to base64 to comply with bcrypt max
 size (#2302)

---
 pkg/apiserver/middlewares/v1/api_key.go | 10 ++++++----
 pkg/apiserver/middlewares/v1/jwt.go     |  2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/pkg/apiserver/middlewares/v1/api_key.go b/pkg/apiserver/middlewares/v1/api_key.go
index 503f4d43d..ce1bc8eee 100644
--- a/pkg/apiserver/middlewares/v1/api_key.go
+++ b/pkg/apiserver/middlewares/v1/api_key.go
@@ -3,7 +3,7 @@ package v1
 import (
 	"crypto/rand"
 	"crypto/sha512"
-	"encoding/hex"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"strings"
@@ -15,9 +15,11 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-var (
+const (
 	APIKeyHeader      = "X-Api-Key"
 	bouncerContextKey = "bouncer_info"
+	// max allowed by bcrypt 72 = 54 bytes in base64
+	dummyAPIKeySize   = 54
 )
 
 type APIKey struct {
@@ -31,7 +33,7 @@ func GenerateAPIKey(n int) (string, error) {
 	if _, err := rand.Read(bytes); err != nil {
 		return "", err
 	}
-	return hex.EncodeToString(bytes), nil
+	return base64.StdEncoding.EncodeToString(bytes), nil
 }
 
 func NewAPIKey(dbClient *database.Client) *APIKey {
@@ -82,7 +84,7 @@ func (a *APIKey) MiddlewareFunc() gin.HandlerFunc {
 			if err != nil && strings.Contains(err.Error(), "bouncer not found") {
 				//Because we have a valid cert, automatically create the bouncer in the database if it does not exist
 				//Set a random API key, but it will never be used
-				apiKey, err := GenerateAPIKey(64)
+				apiKey, err := GenerateAPIKey(dummyAPIKeySize)
 				if err != nil {
 					log.WithFields(log.Fields{
 						"ip": c.ClientIP(),
diff --git a/pkg/apiserver/middlewares/v1/jwt.go b/pkg/apiserver/middlewares/v1/jwt.go
index 9f69f332e..bbd33c544 100644
--- a/pkg/apiserver/middlewares/v1/jwt.go
+++ b/pkg/apiserver/middlewares/v1/jwt.go
@@ -81,7 +81,7 @@ func (j *JWT) Authenticator(c *gin.Context) (interface{}, error) {
 			//Machine was not found, let's create it
 			log.Printf("machine %s not found, create it", machineID)
 			//let's use an apikey as the password, doesn't matter in this case (generatePassword is only available in cscli)
-			pwd, err := GenerateAPIKey(64)
+			pwd, err := GenerateAPIKey(dummyAPIKeySize)
 			if err != nil {
 				log.WithFields(log.Fields{
 					"ip": c.ClientIP(),