[PR #2853] [MERGED] types: make pre auth key use bcrypt #2897

Closed
opened 2025-12-29 04:19:33 +01:00 by adam · 0 comments

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/2853
Author: @kradalby
Created: 11/1/2025
Status: Merged
Merged: 11/12/2025
Merged by: @kradalby

Base: main ← Head: kradalby/preauthkey-bcrypt


📝 Commits (5)

  • da70504 types: make pre auth key use bcrypt
  • 72fcdc8 hscontrol/db: add hskey-api prefix format for API keys
  • 949b222 docs: update CHANGELOG for API key changes
  • c03c814 hscontrol: add hskey-reg keys for web auth registration tracking
  • e7a7dcc types: populate all fields in PreAuthKeyNew.Proto()

📊 Changes

21 files changed (+1439 additions, -214 deletions)

📝 CHANGELOG.md (+13 -1)
📝 cmd/headscale/cli/preauthkeys.go (+1 -1)
📝 hscontrol/auth_test.go (+24 -12)
📝 hscontrol/db/api_key.go (+189 -17)
📝 hscontrol/db/api_key_test.go (+145 -0)
📝 hscontrol/db/db.go (+32 -0)
📝 hscontrol/db/ip_test.go (+0 -5)
📝 hscontrol/db/preauth_keys.go (+157 -25)
📝 hscontrol/db/preauth_keys_test.go (+411 -39)
📝 hscontrol/db/schema.sql (+3 -0)
📝 hscontrol/db/suite_test.go (+2 -0)
📝 hscontrol/db/users_test.go (+232 -94)
📝 hscontrol/grpcv1.go (+18 -0)
📝 hscontrol/state/state.go (+9 -2)
📝 hscontrol/types/api_key.go (+17 -2)
📝 hscontrol/types/preauth_key.go (+52 -3)
📝 hscontrol/types/types_clone.go (+3 -0)
📝 hscontrol/types/types_view.go (+12 -8)
📝 hscontrol/util/util.go (+17 -0)
📝 hscontrol/util/util_test.go (+96 -0)

...and 1 more files

📄 Description

This commit changes the underlying implementation of pre auth keys to the same as our API keys. This means that instead of having a key in the database, it will consist of a prefix and a bcrypt hash.

This improves the security of the keys as they can not be read back in the case of a database getting away.

Old keys still work, but all new keys are created in the new format.

All keys are prefixed with "hskey-auth" to indicate their purpose.

Claude was used in this PR.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
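
A minimal sketch of the storage scheme the description outlines, added here as an illustration and not taken from the headscale code base: the database keeps a lookup prefix and a hash of the secret, and old plaintext keys are still accepted. The `hskey-auth-<prefix>-<secret>` layout, the `store` type and its methods are assumptions, and SHA-256 stands in for bcrypt so the block builds with only the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

const keyTag = "hskey-auth-" // assumed layout: hskey-auth-<prefix>-<secret>

// store models the database: new keys as prefix -> hash, old keys in plaintext.
type store struct {
	hashes map[string][32]byte
	legacy map[string]bool
}

// hashSecret stands in for bcrypt, which the PR uses but which lives outside
// the Go standard library (golang.org/x/crypto/bcrypt).
func hashSecret(secret string) [32]byte { return sha256.Sum256([]byte(secret)) }

// newKey returns the full key once; the store keeps only prefix and hash.
func (s *store) newKey() string {
	b := make([]byte, 38)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	prefix, secret := hex.EncodeToString(b[:6]), hex.EncodeToString(b[6:])
	s.hashes[prefix] = hashSecret(secret)
	return keyTag + prefix + "-" + secret
}

// verify finds new-format keys by prefix and compares hashes in constant time.
func (s *store) verify(key string) bool {
	if !strings.HasPrefix(key, keyTag) {
		return s.legacy[key] // old plaintext key, still accepted
	}
	prefix, secret, _ := strings.Cut(key[len(keyTag):], "-")
	want, found := s.hashes[prefix]
	got := hashSecret(secret)
	return found && subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

func main() {
	s := &store{hashes: map[string][32]byte{}, legacy: map[string]bool{"old-constructed-key": true}}
	key := s.newKey()
	fmt.Println(s.verify(key), s.verify(key+"x"), s.verify("old-constructed-key"))
}
```

A dump of `store.hashes` yields prefixes and digests only, so an issued key cannot be read back from it.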

adam added the pull-request label 2025-12-29 04:19:33 +01:00
adam closed this issue 2025-12-29 04:19:33 +01:00

Reference: starred/headscale#2897