Ensure NewCookieStore receives a good secret #1
Comments
|
There are warnings about security considerations for the implementation here: Because we do not use NewCookieStore directly in Authboss (it's an interface after all) we can't really document the security concerns of that particular implementation in our library. However the sample could use to do a better job of best practices such as this. I'll update the code to be a little more secure as well as make a note about it, as it is an example for people to follow it's best that we set a good example. Thanks for catching this. |
|
Please include in the README.md that they must change that value. I would also like to see in the code there something like: // TODO: MUST CHANGE THESE VALUES FOR SECURITY |
- Add a disclaimer warning people not to use this as a seed project. - Add even MORE documentation to warn people to change session & cookie store keys. - See #1 for reasoning.
|
@0xdabbad00 I think you misunderstand this repository. It is not intended to be used as a seed project at all, ever. Anyone that takes a second to look at the code should realize that copy-pasting from here is a dangerous endeavor from at least a dozen different perspectives. I've added a disclaimer to the README.md stating this fact, I will not tell people that they must change the value in that file because if they've copy-pasted from this sample then they've already gone way too far down the path of evil and are hurting themselves a lot. I've put additional documentation to make sure people realize the dangers of not changing the values. The TODO: is unnecessary because it is not something that needs to be done for this project, and as I've already mentioned it is not a seed project and starting a web project from this repository would be a huge disservice to the programmer using it. I hope we can consider this issue completely dealt with now. |
|
@aarondl I believe that as you are providing a library to help people with security, and you are providing an example of how to use that library, that you should take steps to avoid having people make mistakes with it and opening themselves up to security issues. Unfortunately, people will copy and paste whatever is available. I agree there is only so much "stupid proofing" you should try to do. My ideas may not be a good way of handling this, but I am concerned people will end up not using your library as intended as things are. However, thank you for adding that disclaimer and thank you for putting a library out there. |
|
@0xdabbad00 Don't get me wrong I'm quite glad that you found this issue and I think it's been dealt with accordingly. TODO doesn't belong in this project because it shows up in our documentation which is expressly contrary to the idea here that it should not be used as a seed project. And the README should be for documenting what this is and how to view it and explain that it should NEVER be used for anything ever, especially copy pasting. Not documenting how to use it better as a seed project (which is what your suggestion would have done). Hopefully you can see my goal here and how my documentation is directly supporting that. |
It is very important that NewCookieStore be given a random secret here: https://github.com/go-authboss/authboss-sample/blob/master/blog.go#L93
It should be high-lighted in the docs that is needed.
The text was updated successfully, but these errors were encountered: