Make site secret available through public api #7824
Comments
Pointers to the plugins? Description of use cases? The point of keeping things private is so that we don't over-commit to a poorly designed API.
I have a number of plugins that rely on it - usually for creating access tokens.
same here; all kinds of tokens that needed to be unique per site, like:
There are ways around this, but that would mean to think of a way in every plugin. With the site secret there is an easy way to get a site-specific random secret.
We could do all those by exposing ElggCrypto::getHmac and ::areEqual in some way. It eliminates the risk of plugins doing something dumb with the key, and it nudges devs toward HMAC, which is the right tool for token (MAC) generation. areEqual() does timing-attack-proof string comparison; unlikely to be a vector because the Elgg boot is so noisy, but why not do the right thing.
Basically I'd rather provide a "token service" that provides and validates them.
Also adds simple tests for HMAC. Fixes Elgg#7824
PR #8057
What use case(s) require direct access to the site secret key? A key could be derived from the secret key via
This also has getHmac() use a binary encoding of the site key instead of the Base64 or hex encodings. Fixes Elgg#7824
This also has getHmac() use a binary encoding of the site key instead of the Base64 or hex encodings, and improves the docs of the site secret component. Fixes Elgg#7824
HMAC uses a binary encoding of the site key instead of the Base64 or hex encodings, and improves the docs of the site secret component. Fixes Elgg#7824
Closing this as #8057 removed the need to access the site secret publicly.
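The "token service" design argued for above (expose HMAC generation and a constant-time comparison instead of the raw secret, derive per-purpose keys from the secret, and feed the HMAC the secret's binary form rather than its Base64/hex text) can be sketched in a few lines of PHP. The following is an added illustration, not Elgg's code and not the API that PR #8057 shipped: the class name TokenService, the method names deriveKey(), getHmac(), areEqual() and validate(), and the assumption that the stored site secret is a Base64 string of at least 32 bytes are all hypothetical. The sample secret is generated in the script and is not any real site's secret.

```php
<?php
// Added example (hypothetical, not Elgg's own implementation): a minimal
// HMAC-based token service that keeps the site secret private to the class.
final class TokenService
{
    /** @var string raw binary key material decoded from the stored secret */
    private $key;

    /**
     * @param string $siteSecretBase64 the site secret as stored; assumed here
     *                                 to be Base64 (an assumption of this example)
     */
    public function __construct(string $siteSecretBase64)
    {
        // Use the decoded bytes as key material, not the Base64/hex text:
        // the encoded text spreads the same entropy over more, lower-entropy bytes.
        $raw = base64_decode($siteSecretBase64, true);
        if ($raw === false || strlen($raw) < 32) {
            throw new InvalidArgumentException('site secret must be valid Base64 of at least 32 bytes');
        }
        $this->key = $raw;
    }

    /** Derive a purpose-specific sub-key so callers never handle the master secret. */
    public function deriveKey(string $purpose): string
    {
        return hash_hmac('sha256', $purpose, $this->key, true);
    }

    /** MAC over $data under the purpose-specific key, hex encoded for use as a token. */
    public function getHmac(string $purpose, string $data): string
    {
        return hash_hmac('sha256', $data, $this->deriveKey($purpose));
    }

    /** Constant-time comparison; never compare MACs with == or ===. */
    public function areEqual(string $expected, string $given): bool
    {
        return hash_equals($expected, $given);
    }

    /** Recompute the expected token and compare it in constant time. */
    public function validate(string $purpose, string $data, string $token): bool
    {
        return $this->areEqual($this->getHmac($purpose, $data), $token);
    }
}

// Constructed sample secret: 32 random bytes, Base64-encoded as a site would store it.
$secret = base64_encode(random_bytes(32));
$svc = new TokenService($secret);

$data  = 'user:42|exp:1700000000';
$token = $svc->getHmac('password-reset', $data);

// Same purpose and data validates; changing either the data or the purpose does not.
var_dump($svc->validate('password-reset', $data, $token));
var_dump($svc->validate('password-reset', 'user:43|exp:1700000000', $token));
var_dump($svc->validate('email-confirm', $data, $token));
```

The purpose string in deriveKey() is what makes a password-reset token unusable as an e-mail-confirmation token even though both come from the same site secret; a plugin that only ever sees getHmac()/validate() cannot leak the secret, which is the point made in the thread about keeping the key out of plugin code.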
A few plugins need to use the site secret. Currently the function get_site_secret is access private. Is that on purpose? Do we need a new publicly available elgg_get_site_secret or a class function $site->getSecret()?