cookie-parser icon indicating copy to clipboard operation
cookie-parser copied to clipboard

Published 20 hours ago verified publisher icon expressjs

Add Secret Function Support

Open DavidTPate opened this issue 9 years ago • 5 comments

This PR is being done in conjunction with expressjs/session#214. Currently, in order to vary the secret value for the cookie parser instantiations I have to memoize them. I'd much rather be able to set the secret based upon the request. This adds that functionality and tests around it.

DavidTPate avatar Oct 16 '15 18:10 DavidTPate

Please describe the exact use-case of why a secret would be influenced by a request, and try to provide links to (at least similar) crypto patterns that this matches.

The tests need to reflect a real-world example in some way and constructing a server-only secret from user-controlled input is not acceptable, unfortunately.

dougwilson avatar Oct 17 '15 17:10 dougwilson

Hi @DavidTPate , and update on this?

dougwilson avatar Jan 11 '16 15:01 dougwilson

@dougwilson Sorry for the delay my workload has been crazy as of late.

I'm having some trouble coming up with a good real-world example without making too many assumptions about the system that someone has implemented so I kept it very straightforward and used user-controlled input in the tests.

What I'm wanting is the ability to vary my encryption key for a multi-tenant system so that one tenant is not able to resolve anything about another tenant's session id. You'll find similar implementations when dealing with multi-tenant systems that are authenticated to on a per-tenant basis instead of a global basis (think of Slack for a per-tenant basis and GitHub for a global basis).

One such example would be Securing Session Tokens, specifically:

Using DPAPI for cookie encryption is not a workable solution for an application that has multiple role instances because each role instance will use a different encryption key, and the Windows Azure load balancer could route a request to any instance.

As I mentioned I wanted to not make many assumptions about how someone was going to use this so I kept it quite straightforward. Do you think it would be appropriate to add some more to it where it has a function that looks up keys or something along those lines?

DavidTPate avatar Jan 22 '16 01:01 DavidTPate

Hi. We could use this. We have a key rotation system in place.

Currently we're working around the lack of ability to change cookie-parser keys by writing wrapper middleware that builds a cookie-parser, and tears it down and replaces it with a new one whenever our keys change.

Please provide any means to update the keys. This PR would be a fine implementation strategy toward that end. We don't need per-request key-providing but the implementation strategy still seems sane, and is definitely flexible.

rektide avatar Aug 17 '16 13:08 rektide

@dougwilson As I mentioned in my last comment awhile ago I didn't want to make too many assumptions about how someone has their system setup for an example with this. I could put together a pretty simple key rotation based on setInterval or something along those lines for an example. I'm just not sure of the usefulness there.

I'm open to any suggestions that people have for something that doesn't make too many assumptions about how one might use this.

DavidTPate avatar Aug 18 '16 16:08 DavidTPate