summaryrefslogtreecommitdiffstats
path: root/custom
diff options
context:
space:
mode:
authorzeripath <art27@cantab.net>2021-08-17 19:30:42 +0100
committerGitHub <noreply@github.com>2021-08-17 14:30:42 -0400
commite0853d4a21bd1c718f23a3cac6148f5063e4e810 (patch)
tree62fed8fe5f9356ee82dc7ad1ea2429b84da0540d /custom
parent274aeb3a9e13da47a925eabe0e43ed0b1424d02a (diff)
downloadgitea-e0853d4a21bd1c718f23a3cac6148f5063e4e810.tar.gz
gitea-e0853d4a21bd1c718f23a3cac6148f5063e4e810.zip
Add API Token Cache (#16547)
One of the issues holding back performance of the API is the problem of hashing. Whilst banning BASIC authentication with passwords will help, the API Token scheme still requires a PBKDF2 hash - which means that heavy API use (using Tokens) can still cause enormous numbers of hash computations. A slight solution to this whilst we consider moving to using JWT based tokens and/or a session orientated solution is to simply cache the successful tokens. This has some security issues but this should be balanced by the security issues of load from hashing. Related #14668 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'custom')
-rw-r--r--custom/conf/app.example.ini4
1 files changed, 4 insertions, 0 deletions
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 44516b5e64..95dd8073a4 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -378,6 +378,10 @@ INTERNAL_TOKEN=
;;
;; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed
;PASSWORD_CHECK_PWN = false
+;;
+;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
+;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
+;SUCCESSFUL_TOKENS_CACHE_SIZE = 20
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;