Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Autorotating secrets do not clear the secrets file #157

Closed
Akron opened this issue Dec 15, 2021 · 1 comment
Closed

Autorotating secrets do not clear the secrets file #157

Akron opened this issue Dec 15, 2021 · 1 comment

Comments

@Akron
Copy link
Member

Akron commented Dec 15, 2021

It seems the new auto secrets mechanism can create garbage secret files. When writing a new secrets file it may need to be unlinked before. The problem is in https://metacpan.org/dist/Mojolicious-Plugin-AutoSecrets/source/lib/Mojolicious/Plugin/AutoSecrets.pm - so it needs to be fixed there.
@Akron
Copy link
Member Author

Akron commented Jan 4, 2022

Although I think AutoSecrets is problematic in that regard, a way to mitigate the problem is to have secrets no longer than 22 characters (default length in Session::Token). The garbage can happen when secrets are longer than 22 and they are part of the secrets file when the automatic migration happen - that way after the first full round of rotation, the extra characters are not truncated. By fixing the migration, this error won't occur anymore for new migration. The fix for already migrated instances is to manually truncate the JSON secret file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Akron