
JwtSecretKey takes a String

Open hunterpayne opened this issue 1 year ago • 6 comments

Strings in the JVM can be internalized. For this reason, it has long been the case that storing cryptographic material in a Java String is verboten (forbidden). Please change the signature of JwtSecretKey from taking a String to something more appropriate for cryptographic material.

java.security.PrivateKey would probably be the best choice but others like Array[Byte] or Array[Char] are probably good choices too.

hunterpayne avatar Jun 15 '24 23:06 hunterpayne
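To illustrate the change proposed above, the following is an added Scala sketch of a secret-key holder that takes `Array[Byte]` or `Array[Char]` instead of a `String`, zeroes its buffer on `close()`, and keeps a deprecated `String` constructor for migration. It is example code written for this thread, not code from the http4s-jwt-auth library or from PR #452; the class `SecretKeyBytes`, its method names and the `"2.0.0"` deprecation version are assumptions. Because a JWT HMAC secret is symmetric material, it is exposed through `javax.crypto.spec.SecretKeySpec` rather than `java.security.PrivateKey`.

```scala
import java.nio.CharBuffer
import java.nio.charset.StandardCharsets
import java.util.Arrays
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// Hypothetical secret holder (not the library's JwtSecretKey): the secret lives
// in a mutable byte array that can be overwritten, unlike an immutable and
// possibly interned java.lang.String.
final class SecretKeyBytes private (private val bytes: Array[Byte]) extends AutoCloseable {
  require(bytes.nonEmpty, "secret must not be empty")

  // Hand the key to the JCA as a SecretKeySpec for a given MAC algorithm;
  // the raw bytes are never exposed as a String.
  def asSpec(algorithm: String): SecretKeySpec = new SecretKeySpec(bytes, algorithm)

  // Compute an HMAC over `data`, the operation a JWT signer needs from the key.
  def hmac(algorithm: String, data: Array[Byte]): Array[Byte] = {
    val mac = Mac.getInstance(algorithm)
    mac.init(asSpec(algorithm))
    mac.doFinal(data)
  }

  // Overwrite the key material once it is no longer needed.
  override def close(): Unit = Arrays.fill(bytes, 0.toByte)

  // Never reveal the secret through toString (logs, debuggers, exceptions).
  override def toString: String = "SecretKeyBytes(***)"
}

object SecretKeyBytes {
  // Preferred constructors: the caller controls (and can wipe) the backing array.
  def fromBytes(secret: Array[Byte]): SecretKeyBytes = new SecretKeyBytes(secret.clone())

  def fromChars(secret: Array[Char]): SecretKeyBytes = {
    // Encode via CharBuffer so no intermediate String is created.
    val buf   = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret))
    val bytes = new Array[Byte](buf.remaining())
    buf.get(bytes)
    if (buf.hasArray) Arrays.fill(buf.array(), 0.toByte) // wipe the temporary buffer
    new SecretKeyBytes(bytes)
  }

  // Kept only for migration. The String may already be interned or otherwise
  // kept alive by the JVM, so this constructor cannot guarantee the secret is wiped.
  @deprecated("Strings cannot be wiped from memory; use fromBytes or fromChars", "2.0.0")
  def fromString(secret: String): SecretKeyBytes =
    new SecretKeyBytes(secret.getBytes(StandardCharsets.UTF_8))
}

object SecretKeyBytesDemo {
  def main(args: Array[String]): Unit = {
    // Constructed sample secret for the demo only. In a real service the chars
    // would come from a source that already yields Array[Char], for example
    // System.console().readPassword(), so no String is ever built.
    val chars = "constructed-demo-secret-not-for-real-use".toCharArray
    val key   = SecretKeyBytes.fromChars(chars)
    Arrays.fill(chars, '\u0000') // caller wipes its own copy

    val sig = key.hmac("HmacSHA256", "header.payload".getBytes(StandardCharsets.UTF_8))
    println(s"HMAC-SHA256 length: ${sig.length} bytes") // 32
    key.close() // zero the key bytes when done
  }
}
```

The point of the design is that every copy of the secret is an array the program can overwrite, and the only `String`-accepting entry point is marked deprecated so that existing callers get a compiler warning rather than a silent behaviour change, which matches the two-step deprecation-then-removal path discussed later in the thread.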

Thanks for opening this issue, I agree. Would you be interested in opening a pull request?

@gvolpe this is a breaking change, we would have to release 2.0.0. Is there something else we should change if a breaking release happens anyways?

froth avatar Jun 18 '24 10:06 froth

Which type should we choose or should I do something that allows all the referenced types?

hunterpayne avatar Jun 18 '24 13:06 hunterpayne

> should I do something that allows all the referenced types?

This should be ideal if possible 👍🏽

> this is a breaking change, we would have to release 2.0.0.

Indeed. I think the best way to go about it would be to deprecate the existing method that takes a String noticing it's unsafe and make the 2.0.0 release. It can then be removed in the following major release.

gvolpe avatar Jun 19 '24 07:06 gvolpe

Which branch should I make the changes on? master or 1.x?

hunterpayne avatar Jun 30 '24 09:06 hunterpayne

Master is pretty outdated I think. I would say base it on 1.0 for now and we will sort it out and maybe create a series/2.0 branch or so.

froth avatar Jul 01 '24 20:07 froth

https://github.com/profunktor/http4s-jwt-auth/pull/452

hunterpayne avatar Jul 03 '24 08:07 hunterpayne

fixed in #452 thanks!

froth avatar Jul 25 '24 08:07 froth