API token can be read from a log file by any user

## Description

A validator client uses two API keys: ".secp-sk" (secret key) and "api-token.txt" (the corresponding public key).
The spec suggests that an API token can be obtained (read) from a file or from logs.

The second method is highly insecure by design and considered as a very bad practice in web application security (e.g., [OWASP Logging](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)).

Moreover, an API token can be read from the log file by any user on the host because the file permissions for the logs are 644.

```
lighthouse --logfile log1 beacon --http --http-address 0.0.0.0 &
lighthouse --logfile log2 vc --http &
ls -laF log1 log2
```

## Version

Lighthouse/v1.4.0-3b600ac

## Expected Behaviour

At least, log files permissions should be 600.
We also recommend do not use logs to deliver API tokens.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

API token can be read from a log file by any user #2438

Description

Version

Expected Behaviour

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

API token can be read from a log file by any user #2438

Description

Description

Version

Expected Behaviour

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions