Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/add encryption #141

Closed

Conversation

mircohacker
Copy link

  • use nodes crypto library
  • encrypt the session after serialization
  • test the correct implementation
  • closes encrypt cookies #9

Copy link
Contributor

@dougwilson dougwilson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same IV should never be reused between messages. A static IV is a security vulnerability. This is classified as CWE-329

package.json Outdated Show resolved Hide resolved
README.md Outdated
@@ -81,6 +81,14 @@ change signature parameters like the algorithm of the signature.

A string which will be used as single key if `keys` is not provided.

##### encryptionKey

If set the cookie will be encrypted using this key.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this description is misleading, especially if folks are going to try and read the cookie in other programming languages. Looking at the code, the value here is not the encryption key, as it is fed into a hash function and that output is used as the key.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

better now?

README.md Outdated Show resolved Hide resolved
@mircohacker
Copy link
Author

are there any other changes i should adress? Currently I am trying to make travis happy...

@mircohacker mircohacker force-pushed the feature/add-encryption branch from fb5681d to a4305ce Compare July 29, 2020 16:38
@dougwilson
Copy link
Contributor

I will not be able to review further until I am out of work for the day, so it will be at least 6 hours before I can review again.

@mircohacker mircohacker requested a review from dougwilson July 29, 2020 17:23
@mircohacker
Copy link
Author

Take your time.

I tried to create compatibility with as many node versions as possible, but before node v4 there was another now deprecated buffer constructor. Even node 4 is EOL since 2018-04-30 so I figured this should be ok. If you have another opinion let me know then I would add the package https://www.npmjs.com/package/buffer-from for a ponyfill.

Is there a timeline for the next release? Currently, I am monkey patching this library to provide this functionality.

@dougwilson
Copy link
Contributor

Hi @mircohaug thanks for the update. I will try and review when I am off work tonight. I do not want to make any promises on a release date, but I can say that if this change requires dropping Node.js versions, the release date will certainly not be any time soon, as it is important that our Express middlewares from our organization supports the same Node.js versions as the current version of Express does, to provide a consistent experience across our project.

* use nodes crypto library
* encrypt the session after serialisation
* initialisation vectors are prepended to the encrypted session
* encryption key rotation is implemented
* add the current node version to ci configuration
* test the correct implementation
* closes expressjs#9
@mircohacker mircohacker force-pushed the feature/add-encryption branch from bf8ddad to ae47b79 Compare July 29, 2020 18:02
@mircohacker
Copy link
Author

OK, what a ride. The implementation now supports all the required node versions. 🎉

I was not aware, that express officially supports node versions this old.

I merged all the previous commits to a single on to declutter the commit history.

@mircohacker
Copy link
Author

@dougwilson any progres on this?

@dougwilson
Copy link
Contributor

Hi @mircohaug sorry, I am at work currently, so don't have much time, but I did take a bit of a look over it this weekend, and I didn't realize this module is using the cookies module, which provides the crypto for cookies like signing. It is probably more appropriate to add cookie encryption to that directly which would then expose it here than tack it onto this module.

There is a tracking issue for encryption at pillarjs/cookies#42

@mircohacker
Copy link
Author

This is already implemented on the keygrip develop branch which is used by cookies. How can I help to bring this branch into master?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

encrypt cookies
2 participants