Add Secret Function Support #21
Conversation
…e request object to create a dynamic secret.
|
Please describe the exact use-case of why a secret would be influenced by a request, and try to provide links to (at least similar) crypto patterns that this matches. The tests need to reflect a real-world example in some way and constructing a server-only secret from user-controlled input is not acceptable, unfortunately. |
|
Hi @DavidTPate , and update on this? |
|
@dougwilson Sorry for the delay my workload has been crazy as of late. I'm having some trouble coming up with a good real-world example without making too many assumptions about the system that someone has implemented so I kept it very straightforward and used user-controlled input in the tests. What I'm wanting is the ability to vary my encryption key for a multi-tenant system so that one tenant is not able to resolve anything about another tenant's session id. You'll find similar implementations when dealing with multi-tenant systems that are authenticated to on a per-tenant basis instead of a global basis (think of Slack for a per-tenant basis and GitHub for a global basis). One such example would be Securing Session Tokens, specifically:
As I mentioned I wanted to not make many assumptions about how someone was going to use this so I kept it quite straightforward. Do you think it would be appropriate to add some more to it where it has a function that looks up keys or something along those lines? |
|
Hi. We could use this. We have a key rotation system in place. Currently we're working around the lack of ability to change cookie-parser keys by writing wrapper middleware that builds a cookie-parser, and tears it down and replaces it with a new one whenever our keys change. Please provide any means to update the keys. This PR would be a fine implementation strategy toward that end. We don't need per-request key-providing but the implementation strategy still seems sane, and is definitely flexible. |
|
@dougwilson As I mentioned in my last comment awhile ago I didn't want to make too many assumptions about how someone has their system setup for an example with this. I could put together a pretty simple key rotation based on I'm open to any suggestions that people have for something that doesn't make too many assumptions about how one might use this. |
…val`. While not the best or most complete example it shows one such method of using this functionality.
This PR is being done in conjunction with expressjs/session#214. Currently, in order to vary the secret value for the cookie parser instantiations I have to memoize them. I'd much rather be able to set the secret based upon the request. This adds that functionality and tests around it.