Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use a secure secret key for authentication & sessions #35

Open
haydenrou opened this issue Mar 5, 2024 · 2 comments
Open

Use a secure secret key for authentication & sessions #35

haydenrou opened this issue Mar 5, 2024 · 2 comments
Labels
enhancement New feature or request
Milestone
MVP

Comments

@haydenrou
Copy link
Contributor

  • Gather the SecretKey from OS env
  • Generate some sort of CSRF token via the openssl package?
  • Document this in the readme for local development
  • enable cookie.Secure in production environments
@haydenrou haydenrou added the enhancement New feature or request label Mar 5, 2024
@haydenrou
Copy link
Contributor Author

haydenrou commented Mar 5, 2024
edited

See #34 for the initial auth PR and #37 for the session PR

@haydenrou haydenrou mentioned this issue Mar 5, 2024
Open
@haydenrou haydenrou changed the title Use a secure secret key for authentication Use a secure secret key for authentication & sessions Mar 14, 2024
@haydenrou
Copy link
Contributor Author

From Session docs: https://pkg.go.dev/github.com/gorilla/sessions@v1.2.2#section-readme

// Note: Don't store your key in your source code. Pass it via an
// environmental variable, or flag (or both), and don't accidentally commit it
// alongside your code. Ensure your key is sufficiently random - i.e. use Go's
// crypto/rand or securecookie.GenerateRandomKey(32) and persist the result.

@haydenrou haydenrou added this to the MVP milestone May 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
MVP
Development

No branches or pull requests
1 participant
@haydenrou