diff options
author | zeripath <art27@cantab.net> | 2021-08-17 19:30:42 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-17 14:30:42 -0400 |
commit | e0853d4a21bd1c718f23a3cac6148f5063e4e810 (patch) | |
tree | 62fed8fe5f9356ee82dc7ad1ea2429b84da0540d /custom | |
parent | 274aeb3a9e13da47a925eabe0e43ed0b1424d02a (diff) | |
download | gitea-e0853d4a21bd1c718f23a3cac6148f5063e4e810.tar.gz gitea-e0853d4a21bd1c718f23a3cac6148f5063e4e810.zip |
Add API Token Cache (#16547)
One of the issues holding back performance of the API is the problem of hashing.
Whilst banning BASIC authentication with passwords will help, the API Token scheme
still requires a PBKDF2 hash - which means that heavy API use (using Tokens) can
still cause enormous numbers of hash computations.
A slight solution to this whilst we consider moving to using JWT based tokens and/or
a session orientated solution is to simply cache the successful tokens. This has some
security issues but this should be balanced by the security issues of load from
hashing.
Related #14668
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'custom')
-rw-r--r-- | custom/conf/app.example.ini | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 44516b5e64..95dd8073a4 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -378,6 +378,10 @@ INTERNAL_TOKEN= ;; ;; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed ;PASSWORD_CHECK_PWN = false +;; +;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations. +;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security. +;SUCCESSFUL_TOKENS_CACHE_SIZE = 20 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; |