Wrap sha256 in HMAC instead of directly use sha256

2025-07-03 11:57:07 +02:00 · 2022-06-08 14:04:45 +02:00 · 2022-06-08 14:04:45 +02:00 · 987a7f8926
commit 987a7f8926
parent 0928f3d41c
3 changed files with 25 additions and 4 deletions
--- a/meilisearch-auth/Cargo.toml
+++ b/meilisearch-auth/Cargo.toml
@ -6,6 +6,7 @@ edition = "2021"
 [dependencies]
 base64 = "0.13.0"
 enum-iterator = "0.7.0"
+hmac = "0.12.1"
 meilisearch-error = { path = "../meilisearch-error" }
 milli = { git = "https://github.com/meilisearch/milli.git", tag = "v0.28.0" }
 rand = "0.8.4"
--- a/meilisearch-auth/src/store.rs
+++ b/meilisearch-auth/src/store.rs
@ -8,9 +8,10 @@ use std::str;
 use std::sync::Arc;

 use enum_iterator::IntoEnumIterator;
+use hmac::{Hmac, Mac};
 use milli::heed::types::{ByteSlice, DecodeIgnore, SerdeJson};
 use milli::heed::{Database, Env, EnvOpenOptions, RwTxn};
-use sha2::{Digest, Sha256};
+use sha2::Sha256;
 use time::OffsetDateTime;
 use uuid::Uuid;

@ -242,9 +243,11 @@ impl<'a> milli::heed::BytesEncode<'a> for KeyIdActionCodec {
 }

 pub fn generate_key_as_base64(uid: &[u8], master_key: &[u8]) -> String {
-    let key = [uid, master_key].concat();
-    let sha = Sha256::digest(&key);
-    base64::encode_config(sha, base64::URL_SAFE_NO_PAD)
+    let mut mac = Hmac::<Sha256>::new_from_slice(master_key).unwrap();
+    mac.update(uid);
+
+    let result = mac.finalize();
+    base64::encode_config(result.into_bytes(), base64::URL_SAFE_NO_PAD)
 }

 /// Divides one slice into two at an index, returns `None` if mid is out of bounds.