types: make pre auth key use bcrypt #2853
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
336a8e5 to
151a49e
Compare
151a49e to
d49ae71
Compare
d49ae71 to
5657d93
Compare
5657d93 to
7231e9f
Compare
8e745b7 to
26e52b7
Compare
this commit changes the underlying implementation of pre auth keys to the same as our API keys. This means that instead of having a key in the database, it will consist of a prefix and a bcrypt hash. This improves the security of the keys as they can not be read back in the case of a database getting away. Old keys still work, but all new keys are created in the new format. All keys are prefixed with "hskey-auth" to indicate their purpose. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
New API keys use hskey-api-{prefix}-{secret} format with bcrypt
hashing. Legacy keys without prefix continue to work.
Add registration keys (hskey-reg-{64-char-random}) for tracking web
authentication registration flows in logs. These vanity keys are not
stored in the database and do not use bcrypt - they exist purely for
observability and correlating log entries during the registration process.
PreAuthKeyNew.Proto() was only returning ID and Key fields, causing the gRPC CreatePreAuthKey response to omit Ephemeral, Reusable, and other fields. This broke integration tests expecting these values. Add all fields to PreAuthKeyNew struct and populate them in CreatePreAuthKey. Update Proto() method to include all fields with proper protobuf timestamp conversion.
26e52b7 to
e7a7dcc
Compare
nblock
approved these changes
Nov 12, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
this commit changes the underlying implementation of pre auth keys to the same as our API keys. This means that instead of having a key in the database, it will consist of a prefix and a bcrypt hash.
This improves the security of the keys as they can not be read back in the case of a database getting away.
Old keys still work, but all new keys are created in the new format.
All keys are prefixed with "hskey-auth" to indicate their purpose.
claude was used in this PR.