tangled.org / core
Monorepo for Tangled tangled.org
fork atom

Knot server keep stale auth keys #392

open opened by sullen.net

I've noticed that even after deleting some keys from the Tangled.org > Settings > Keys webpage. The self-hosted Knot is still holding onto the stale keys in its database.

e.g.,

knot keys

Is returning keys that are no longer present in the PDS repo.

sullen.net (author)

Is this issue that we don't check the operation type here at all https://tangled.org/tangled.org/core/blob/master/knotserver/ingester.go#L26-46

Looks like DB's RemovePublicKey isn't being used https://tangled.org/tangled.org/core/blob/master/knotserver/db/pubkeys.go#L42

I guess the AppView is only deleting keys from y'alls servers' dbs? https://tangled.org/tangled.org/core/blob/master/appview/settings/settings.go#L504

sullen.net (author)

It's a bit of a security issue for existing self-hosters.

If they do not clear these out manually from their db they may forever retain stale keys that they thought deleted.

Perhaps there should be some comms to notify folks to refresh their key db once a fix is in place.

sign up or login to add to the discussion
Labels

None yet.

area

None yet.

assignee

None yet.

Participants 1
AT URI
at://did:plc:caispohjzhstrfdsused6ip3/sh.tangled.repo.issue/3mdfojepoxc22