
No static cookieSecret default #2882

Merged (4 commits) May 4, 2020

Conversation

Vultraz (Contributor) commented May 4, 2020

Resolves #2880 as @molomby proposed. Random secret generation taken from his code in WestpacGEL/GEL#379.

changeset-bot (bot) commented May 4, 2020

🦋 Changeset is good to go

Latest commit: 774efeb

We got this.

This PR includes changesets to release 24 packages
Name Type
@keystonejs/cypress-project-access-control Patch
@keystonejs/cypress-project-basic Patch
@keystonejs/cypress-project-client-validation Patch
@keystonejs/cypress-project-login Patch
@keystonejs/keystone Major
@keystonejs/session Major
@keystonejs/adapter-knex Patch
@keystonejs/adapter-mongoose Patch
@keystonejs/test-utils Patch
@keystonejs/demo-project-blog Patch
@keystonejs/demo-custom-fields Patch
@keystonejs/demo-project-meetup Patch
@keystonejs/demo-project-todo Patch
@keystonejs/cypress-project-social-login Patch
@keystonejs/benchmarks Patch
@keystonejs/example-projects-blank Patch
@keystonejs/example-projects-nuxt Patch
@keystonejs/example-projects-starter Patch
@keystonejs/example-projects-todo Patch
@keystonejs/app-admin-ui Patch
@keystonejs/app-graphql-playground Patch
@keystonejs/app-graphql Patch
@keystonejs/auth-passport Patch
@keystonejs/auth-password Patch


Vultraz (Contributor, Author) commented May 4, 2020

Additional idea: should we throw an error if a short secret is provided? Less than 10 length, maybe?

molomby (Member) commented May 4, 2020

This looks great!

Should we throw an error if a short secret is provided?

You can still fit 160 bits of entropy in a 10 char string though (if you're trying hard enough), and that's not too bad. Maybe a warning rather than an error is better? We can shepherd people in the right direction, but if they're explicitly setting the secret to a short string, it's not really our place to stop them.

Additionally, I'm tempted to suggest checking against a blacklist, like we do for the Password field. This tends to catch more silly stuff than pure length checks... might be overkill though.

For now I'd be happy either:

  • Merging as-is, or
  • Adding an additional warning on < 10 chars, regardless of environment

molomby (Member) left a review comment

💯

Vultraz (Contributor, Author) commented May 4, 2020

Actually, I think I'll give a little more thought before adding any additional warnings. 🤔 It might be annoying to someone who wants to use a short secret to always get the warnings. Will handle separately.

@timleslie timleslie merged commit 0fbc5b9 into keystonejs:master May 4, 2020
@github-actions github-actions bot mentioned this pull request May 4, 2020
@Vultraz Vultraz deleted the non-static-cookiesecret branch May 5, 2020 00:50
Linked issue (may be closed by merging this pull request): Having a static default for cookieSecret is bad

3 participants