*: provide better feedback for invalid secrets
TL;DR
If an invalid COOKIE_SECRET value is given, sso should provide guidance for how to generate a valid one rather than a cryptic error message. Bonus points for providing a separate sso-gen-secret binary that will Just Work!
Let's make it as easy as possible for users to generate good, secure secrets!
A bit more context
The error message sso gives for an invalid COOKIE_SECRET value takes this general form (for abcd as the secret value):
{"error":"Invalid configuration:\n cookie_secret must be 32 or 64 bytes to create an AES cipher but is 4 bytes. note: cookie secret was base64 decoded from \"abcd\"","level":"error","msg":"error validating opts","service":"sso-authenticator","time":"2018-08-25 00:15:04.82512"}
But we still get an error message if we try a 32 byte secret (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx):
{"error":"Invalid configuration:\n cookie_secret must be 32 or 64 bytes to create an AES cipher but is 24 bytes. note: cookie secret was base64 decoded from \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"","level":"error","msg":"error validating opts","service":"sso-authenticator","time":"2018-08-25 00:17:33.82512"}
Having dug into this a bit, I know that sso is trying to base64-decode the given secret value (that's why it reports a length of 24 bytes above), but, as I'll illustrate in a follow-up issue, it can be difficult to generate a valid secret even with this knowledge.
Working example
Here's one way that works, assuming python is available (note the use of urlsafe_b64encode, which seems to agree with the golang decoder used in sso):
python -c 'import base64, os, sys; sys.stdout.write(base64.urlsafe_b64encode(os.urandom(32)).decode("ascii"))'
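The same generation step in Go, paired with a length check that explains itself. This is an added example, not code from the issue or from sso: `generateSecret` and `checkSecret` are hypothetical names, and the check is a plain padded URL-safe base64 decode with the 32-or-64-byte rule taken from the error message quoted above, which is an assumption about how sso validates the value.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// generateSecret reads n bytes from the OS CSPRNG and encodes them as padded
// URL-safe base64, the same alphabet as Python's urlsafe_b64encode.
func generateSecret(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(buf), nil
}

// checkSecret decodes a candidate value and returns the decoded length.
// Assumption: the consumer decodes padded URL-safe base64 and needs 32 or 64
// bytes of key material, as stated in the error message quoted in the issue.
func checkSecret(s string) (int, error) {
	raw, err := base64.URLEncoding.DecodeString(s)
	if err != nil {
		return 0, fmt.Errorf("not URL-safe base64 (%v); '+' and '/' from the standard alphabet are rejected", err)
	}
	if n := len(raw); n != 32 && n != 64 {
		return n, fmt.Errorf("decoded to %d bytes, want 32 or 64; encode 32 random bytes rather than typing %d characters", n, len(s))
	}
	return len(raw), nil
}

func main() {
	secret, err := generateSecret(32)
	if err != nil {
		panic(err)
	}
	n, err := checkSecret(secret)
	fmt.Printf("generated %d characters, decodes to %d bytes, err=%v\n", len(secret), n, err)

	// The 32-character value from the issue: valid base64, but only 24 bytes.
	n, err = checkSecret("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")
	fmt.Printf("32 x's: %d bytes, err=%v\n", n, err)
}
```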