Show anonymized (AAAA****ZZZZ) API key in remote server view (#10731) #10738
lekanjava wants to merge 2 commits into
When MISP.use_uuids_in_urls is set to true, the UI sends UUIDs instead of numeric IDs in URL paths. The GET branches of delete() and restSearchExport() only checked is_numeric($id) before falling through to _jsonDecode($id), which fails on UUID strings with: 'Invalid JSON input. Make sure that the JSON input is a correctly formatted JSON string.' Add Validation::uuid() check alongside is_numeric() — consistent with the pattern already used in the POST branches of both methods. Fixes MISP#10631
What does it do?
It implements a feature to display an anonymized version of the API key used for remote server connections in both the /servers/index table view and the "Sync user" view button results.
Debugging remote server connections often requires verifying that the correct API key is being used. Previously, this required direct SQL access to the database. This change allows Site Administrators to see the masked key (format: AAAA****ZZZZ) directly in the UI, simplifying the debugging process while maintaining security.
Key Implementation Details:
Model Logic: Added Server::anonymizeAuthkey() which handles both plain and encrypted keys.
Access Control: The anonymized key is only fetched and displayed if the user is a Site Administrator. It is unset for all other users to ensure no leakage via UI or REST API.
API Support: Added the masked authkey field to the Server index API response (restricted to site admins).
Fixes #10731
Questions
Does it require a DB change? No
Are you using it in production? No (Development/Testing)
Does it require a change in the API (PyMISP for example)? Yes (Added masked authkey field to server index response for site admins)
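The masking and site-admin gating described in the PR, as an added stand-alone sketch (not MISP's own code; `anonymizeAuthkey` and `prepareServerRowsForUser` here are hypothetical names, and the example assumes the plaintext key is already available, so decrypting stored encrypted keys is out of scope):

```php
<?php
// Added example, not MISP's code: illustrates the AAAA****ZZZZ masking
// and the "site admins only" restriction the PR describes.

/**
 * Mask an API key as AAAA****ZZZZ: keep the first and last four
 * characters and replace everything in between with a fixed "****",
 * so the output does not reveal the real key length. Keys too short
 * to expose eight characters safely are masked entirely.
 */
function anonymizeAuthkey(string $authkey): string
{
    // Constructed threshold: never show half (or more) of a short key.
    if (strlen($authkey) < 16) {
        return '****';
    }
    return substr($authkey, 0, 4) . '****' . substr($authkey, -4);
}

/**
 * Apply the access-control rule to a list of server rows: a site admin
 * receives a masked 'authkey' field, every other user has the field
 * removed so nothing leaks through the index view or the REST response.
 */
function prepareServerRowsForUser(array $servers, bool $isSiteAdmin): array
{
    foreach ($servers as &$server) {
        if ($isSiteAdmin && isset($server['authkey'])) {
            $server['authkey'] = anonymizeAuthkey($server['authkey']);
        } else {
            unset($server['authkey']);
        }
    }
    unset($server); // break the reference left behind by foreach
    return $servers;
}

// Constructed sample rows (not real keys).
$rows = [
    ['id' => 1, 'name' => 'partner-a', 'authkey' => 'AAAAbbbbccccddddeeeeffffgggghhhhiiiijjjjZZZZ'],
    ['id' => 2, 'name' => 'partner-b', 'authkey' => 'short'],
];

print_r(prepareServerRowsForUser($rows, true));   // site admin: masked keys
print_r(prepareServerRowsForUser($rows, false));  // other users: no authkey field
```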