starred/healthchecks
1
0
Fork 0
mirror of https://github.com/healthchecks/healthchecks.git synced 2026-04-25 15:05:49 +03:00
Code Issues 56 Projects Releases 10 Packages Wiki Activity

[PR #1167] [MERGED] Store API keys in the database in hashed form #1085

New issue
Closed
opened 2026-02-26 00:30:51 +03:00 by kerem · 0 comments
kerem commented 2026-02-26 00:30:51 +03:00
Owner
Copy link

📋 Pull Request Information

Original PR: https://github.com/healthchecks/healthchecks/pull/1167
Author: @cuu508
Created: 5/30/2025
Status: Merged
Merged: 6/2/2025
Merged by: @cuu508

Base: masterHead: hashed_api_keys

📝 Commits (9)

  • 9a8366f Store API keys in the database in hashed form
  • cbe282d Fix mypy warnings
  • b6cfaa4 Add Project.set_ping_key()
  • f42fdaf Add tests
  • fe06619 Use "." as a delimiter between key[:8] and key hash
  • 5c435d3 Remove "Show Keys" button
  • 552a44c Fix "create key" and "revoke" click handlers to not add "#" to URL
  • 583e557 Update Prometheus docs
  • e6d96b0 Remove "show_keys" template variable

📊 Changes

14 files changed (+281 additions, -127 deletions)

View changed files

📝 hc/accounts/models.py (+51 -0)
📝 hc/accounts/tests/test_project.py (+21 -23)
📝 hc/accounts/views.py (+3 -18)
📝 hc/api/decorators.py (+47 -9)
hc/api/tests/test_auth.py (+71 -0)
📝 static/css/project.css (+4 -0)
static/img/docs/prometheus_api_keys.png (+0 -0)
static/img/docs/prometheus_endpoint.png (+0 -0)
📝 static/img/integrations/setup_prometheus_1.png (+0 -0)
📝 static/js/project.js (+25 -15)
📝 templates/accounts/project.html (+33 -42)
📝 templates/docs/configuring_prometheus.html-fragment (+8 -6)
📝 templates/docs/configuring_prometheus.md (+10 -6)
📝 templates/integrations/add_prometheus.html (+8 -8)

📄 Description

Currently API keys are stored in in plain text in the database.

The PR implements storing future API keys in a hashed form (the existing plain text API keys still work as before).

The format of the keys presented to the user:

  • Read-write keys: hcw_sO9zU1olGylct7RMyUAkDaPMFHgx (prefix hcw_ followed by 28 random characters)
  • Read-only keys: hcr_ZJz50yB761pJ0do1YOe56Iofng76 (prefix hcr_ followed by 28 random characters)

(32 characters total)

The format of the keys stored in the database:

[first 8 plain text characters of the API key].[64 characters of HMAC of the API key]

(73 characters total)

The value stored in the database includes first 8 plaintext characters of the key for the purpose of being able to efficiently look up a project by its API key –

Project.objects.filter(api_key__startswith=key_from_client[:8])

HMAC is calculated from the full API key as presented to the user using python's hmac module:

hmac.digest(SECRET_KEY.encode(), api_key.encode(), "sha256")

Since the API keys (excluding the first 8 characters) are now stored in a hashed form, we can only show them to the user right after they are generated. The user will no longer be able to see their API keys in the Project Settings page at a later time.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/healthchecks/healthchecks/pull/1167 **Author:** [@cuu508](https://github.com/cuu508) **Created:** 5/30/2025 **Status:** ✅ Merged **Merged:** 6/2/2025 **Merged by:** [@cuu508](https://github.com/cuu508) **Base:** `master` ← **Head:** `hashed_api_keys` --- ### 📝 Commits (9) - [`9a8366f`](https://github.com/healthchecks/healthchecks/commit/9a8366f0a3bb694b94b8591206538319d70c7fcd) Store API keys in the database in hashed form - [`cbe282d`](https://github.com/healthchecks/healthchecks/commit/cbe282dc4b664f8af36394563a4d06c91ae33e2b) Fix mypy warnings - [`b6cfaa4`](https://github.com/healthchecks/healthchecks/commit/b6cfaa47d4ba034b7a836bb9fab86b332aa06a89) Add Project.set_ping_key() - [`f42fdaf`](https://github.com/healthchecks/healthchecks/commit/f42fdaff813fca0b6063833fcdcc0287102011be) Add tests - [`fe06619`](https://github.com/healthchecks/healthchecks/commit/fe066193bcc2737671ff3bbddb04c29c6579735b) Use "." as a delimiter between key[:8] and key hash - [`5c435d3`](https://github.com/healthchecks/healthchecks/commit/5c435d3aa9a2deb215c3d7927d332c9cceab01ab) Remove "Show Keys" button - [`552a44c`](https://github.com/healthchecks/healthchecks/commit/552a44c367c6898d20f94e591be67391b3583e15) Fix "create key" and "revoke" click handlers to not add "#" to URL - [`583e557`](https://github.com/healthchecks/healthchecks/commit/583e557bead3119087c611cfb5ee8063eba14ba5) Update Prometheus docs - [`e6d96b0`](https://github.com/healthchecks/healthchecks/commit/e6d96b0389b95773170a29532508caa3880f322b) Remove "show_keys" template variable ### 📊 Changes **14 files changed** (+281 additions, -127 deletions) <details> <summary>View changed files</summary> 📝 `hc/accounts/models.py` (+51 -0) 📝 `hc/accounts/tests/test_project.py` (+21 -23) 📝 `hc/accounts/views.py` (+3 -18) 📝 `hc/api/decorators.py` (+47 -9) ➕ `hc/api/tests/test_auth.py` (+71 -0) 📝 `static/css/project.css` (+4 -0) ➕ `static/img/docs/prometheus_api_keys.png` (+0 -0) ➖ `static/img/docs/prometheus_endpoint.png` (+0 -0) 📝 `static/img/integrations/setup_prometheus_1.png` (+0 -0) 📝 `static/js/project.js` (+25 -15) 📝 `templates/accounts/project.html` (+33 -42) 📝 `templates/docs/configuring_prometheus.html-fragment` (+8 -6) 📝 `templates/docs/configuring_prometheus.md` (+10 -6) 📝 `templates/integrations/add_prometheus.html` (+8 -8) </details> ### 📄 Description Currently API keys are stored in in plain text in the database. The PR implements storing future API keys in a hashed form (the existing plain text API keys still work as before). The format of the keys presented to the user: * Read-write keys: `hcw_sO9zU1olGylct7RMyUAkDaPMFHgx` (prefix `hcw_` followed by 28 random characters) * Read-only keys: `hcr_ZJz50yB761pJ0do1YOe56Iofng76` (prefix `hcr_` followed by 28 random characters) (32 characters total) The format of the keys stored in the database: ``` [first 8 plain text characters of the API key].[64 characters of HMAC of the API key] ``` (73 characters total) The value stored in the database includes first 8 plaintext characters of the key for the purpose of being able to efficiently look up a project by its API key – ``` Project.objects.filter(api_key__startswith=key_from_client[:8]) ``` HMAC is calculated from the full API key as presented to the user using python's hmac module: ``` hmac.digest(SECRET_KEY.encode(), api_key.encode(), "sha256") ``` Since the API keys (excluding the first 8 characters) are now stored in a hashed form, we can only show them to the user right after they are generated. The user will no longer be able to see their API keys in the Project Settings page at a later time. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
kerem 2026-02-26 00:30:51 +03:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
py2
v4.1.1
v4.1
v4.0
v3.13
v3.12
v3.11.2
v3.11.1
v3.11
v3.10
v3.9
v3.8.2
v3.8.1
v3.8
v3.7
v3.6
v3.5.2
v3.5.1
v3.5
v3.4
v3.3
v3.2
v3.1
v3.0.1
v3.0
v2.10
v2.9.2
v2.9.1
v2.9
v2.8.1
v2.8
v2.7
v2.6.1
v2.6
v2.5
v2.4.1
v2.4
v2.3
v2.2.1
v2.2
v2.1
v2.0.1
v2.0
v1.25.0
v1.24.1
v1.24.0
v1.23.1
v1.23.0
v1.22.0
v1.21.0
v1.20.0
v1.19.0
v1.18.0
v1.17.0
v1.16.0
v1.15.0
v1.14.0
v1.13.0
v1.12.0
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.0
v1.5.0
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v1.0.4
v1.0.3
v1.0.2
1.0.2
v1.0.1
v1.0
Labels
Clear labels   
bug

   
bug

   
bug

   
feature

   
good-first-issue

   
new integration

   
pull-request

Mirrored from GitHub Pull Request

  
question
No labels
bug
bug
bug
feature
good-first-issue
new integration
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/healthchecks#1085
No description provided.