feat: add optional token hashing

[gwossum]

Add optional token hashing with --use-hashed-tokens command line option.

[davidby-influx]

A variety of smaller issues. I will need to review this again to fully understand the larger changes.

[davidby-influx]

My usual add more context to error and log messages and a few more substantive questions and suggestions

[davidby-influx]

All changes pertain to comments, but important one is whether to delete or include a commented out code section

[devanbenz]

Just a few comments mostly about extra safety checks and some error messaging. I've been able to get about half way through the PR. Going to step away for a minute to take a little brain break and then finish up the rest of the PR for my first pass.

[devanbenz]

Adding a few more comments to storage_authorization.go I noticed that a bunch of my comments for the require.NoError(..) is similar to what david commented so my apologies for that :P

[devanbenz]

Adding in a few more comments

[devanbenz]

Going to pick back up my review next week for a second pass. Consider this first pass finished up.

Dismissing

[devanbenz]

Finished reading through this code, everything looks fine to me after that pass. Please let me know when you merge in main and require a second look over.

[gwossum]

Claude's analysis of potential information leakage in error messages:

  With the understanding that only system administrators have log access, there is essentially NO information leakage risk from error messages in this implementation.

  Why No Risk

  1. Administrators are trusted: System admins already have:
    - Direct database access
    - Ability to view/modify all authorizations
    - Access to configuration and secrets
    - Root/administrative system access
  2. Logs need debugging detail: For administrators, detailed error messages are beneficial, not risky:
    - They need to diagnose issues quickly
    - Token IDs and descriptions help identify problematic authorizations
    - Hash variant information aids in migration troubleshooting
  3. No sensitive data logged: Even for admins, the code correctly:
    - Never logs actual token values
    - Never logs hashed token values
    - Only logs operational metadata

  Current Error Messages Are Appropriate

  Examples like:
  - "error hashing token for token %d (%s): %w" - Helps admins identify which token failed
  - "found authorization without any token set during hashed token migration" - Alerts admins to data integrity issues
  - "hashing raw token failed (variant=%s): %w" - Helps debug algorithm configuration issues

  These provide exactly the right level of detail for administrative troubleshooting.

  Final Assessment

  Information leakage risk: NONE

  The error messages are appropriately designed for their audience (system administrators) and contain no sensitive information. The implementation correctly balances:
  - Detailed internal errors for admin debugging
  - Generic external errors for security
  - No logging of actual sensitive values

  No changes needed - the error handling is well-implemented for a production system.

[devanbenz]

Leaving two comments, still finishing up the review.

[davidby-influx]

A few remaining suggestions. What a huge amount of work!

[davidby-influx]

Just a general question: do we have context for all the startup errors?

• Opening the KV store
• NewAuthorizationHasher
• authorization.NewStore
• etc.

[gwossum]

It took a while, but I think there's good context for everything in authorization/authorization.goand authorization/storage_authorization.go

[devanbenz]

I tested everything locally and it all seems fine. I did notice, as outlined by your comment here: https://github.com/influxdata/influxdb/pull/25982/files#diff-05dfd885ddd66163be3e6ac7416f3b6326f186d236cba26153bd790bc93c880dR51, that starting up influxd without --use-hashed-tokens does lead to new tokens not being hashed. Do you think it would be beneficial to add some sort of warning log or info log upon token creation or startup if there are already hashed tokens? Just informing the user that influxd may not be running with token hashing enabled when it was previously enabled?

[gwossum]

I tested everything locally and it all seems fine. I did notice, as outlined by your comment here: https://github.com/influxdata/influxdb/pull/25982/files#diff-05dfd885ddd66163be3e6ac7416f3b6326f186d236cba26153bd790bc93c880dR51, that starting up influxd without --use-hashed-tokens does lead to new tokens not being hashed. Do you think it would be beneficial to add some sort of warning log or info log upon token creation or startup if there are already hashed tokens? Just informing the user that influxd may not be running with token hashing enabled when it was previously enabled?

During normal operation, there is no way to "downgrade" a hashed token, so there is no need to log about unhashing a token. On startup, the hashed token can not be unhashed because hashes are one-way. When a token is used, there is no attempt to store it as unhashed, even though this could be added. The only way to update a token is by sending a PATCH request to v2/authorizations, which does not allow changing the actual token value. Because of this, when an update is performed the at-rest storage of the token (hashed vs unhashed) can not be changed.

I think logging on startup that hashed tokens exist but hashed tokens are disabled is a good idea, though.

[philjb]

I'd be ok with using a helper for all the auth.Token != "" and auth.HashedToken != "" != "" checks.

if tokenUnset(auth.HashedToken) {

func tokenUnset(t string) bool {
    return t == ""
}

not essential, but the code makes assumptions about what the empty string means -- there's a comment about it so it is essentially a special type of token: an "unset one".

[philjb]

initial comments

[philjb]

worth while to mention "or restored from an independent backup" ? or something like that?

[gwossum]

I'd be ok with using a helper for all the auth.Token != "" and auth.HashedToken != "" != "" checks.

if tokenUnset(auth.HashedToken) {

func tokenUnset(t string) bool {
    return t == ""
}```

not essential, but the code makes assumptions about what the empty string means -- there's a comment about it so it is essentially a special _type_ of token: an "unset one". 

That's a good idea. I'll go ahead and implement it.

[philjb]

so terse it borders on inaccurate for everything this flag controls.

[gwossum]

How about enable storing hashed API tokens on disk (improves security, but prevents downgrades to < 2.8)?

[philjb]

LGTM