jwsSecret => sessionSecret

AlexErrant · Aug 9, 2023 · bb68612 · bb68612
1 parent fcbfad4
commit bb68612
Show file tree

Hide file tree

Showing 9 changed files with 26 additions and 23 deletions.
diff --git a/cwa/src/env.ts b/cwa/src/env.ts
@@ -1,10 +1,10 @@
 import { base64ToArray } from "shared-edge"
 
-let jwsSecret: null | Uint8Array = null
+let sessionSecret: null | Uint8Array = null
 
-export function getJwsSecret(jwsSecretString: string): Uint8Array {
-  if (jwsSecret === null) {
-    jwsSecret = base64ToArray(jwsSecretString)
+export function getSessionSecret(sessionSecretString: string): Uint8Array {
+  if (sessionSecret === null) {
+    sessionSecret = base64ToArray(sessionSecretString)
   }
-  return jwsSecret
+  return sessionSecret
 }
diff --git a/cwa/src/util.ts b/cwa/src/util.ts
@@ -1,7 +1,7 @@
 import { type Context } from "hono"
 import { jwtVerify, type JWTVerifyResult } from "jose"
 import { type Brand, csrfHeaderName, sessionCookieName } from "shared"
-import { getJwsSecret } from "./env"
+import { getSessionSecret } from "./env"
 import { type MediaTokenSecretBase64 } from "./privateToken"
 
 export type Result<TOk, TError> =
@@ -55,7 +55,7 @@ export type Env = {
   //
   // Example binding to R2. Learn more at https://developers.cloudflare.com/workers/runtime-apis/r2/
   mediaBucket: R2Bucket
-  jwsSecret: string
+  sessionSecret: string
   mediaTokenSecret: MediaTokenSecretBase64
   planetscaleDbUrl: string
   appOrigin: string
@@ -75,7 +75,10 @@ export async function getUserId(
   } else {
     let verifyResult: JWTVerifyResult
     try {
-      verifyResult = await jwtVerify(session, getJwsSecret(c.env.jwsSecret))
+      verifyResult = await jwtVerify(
+        session,
+        getSessionSecret(c.env.sessionSecret)
+      )
     } catch {
       return toError(
         c.text(`Failed to verify JWT in '${sessionCookieName}' cookie.`, 401)

diff --git a/design-decisions/example.pentive.secrets.sh b/design-decisions/example.pentive.secrets.sh
@@ -9,8 +9,8 @@ export productionPlanetscaleDbUrl=
 # this generates 32 bits of random data in base64, cuts off the new line character, and adds it to the clipboard
 export developmentMediaTokenSecret=
 export productionMediaTokenSecret=
-export developmentJwsSecret=
-export productionJwsSecret=
+export developmentSessionSecret=
+export productionSessionSecret=
 export developmentCsrfSecret=
 export productionCsrfSecret=
 export developmentOauthStateSecret=

diff --git a/hub/src/entry-server.tsx b/hub/src/entry-server.tsx
@@ -12,7 +12,7 @@ export default createHandler(
     /* eslint-disable solid/reactivity -- event.env and event.responseHeaders should never change at runtime */
     setKysely(event.env.planetscaleDbUrl)
     setSessionStorage({
-      jwsSecret: event.env.jwsSecret,
+      sessionSecret: event.env.sessionSecret,
       csrfSecret: event.env.csrfSecret,
       hubInfoSecret: event.env.hubInfoSecret,
       oauthStateSecret: event.env.oauthStateSecret,

diff --git a/hub/src/env.d.ts b/hub/src/env.d.ts
@@ -5,7 +5,7 @@ import { type Base64 } from "shared"
 
 export interface EnvVars {
   planetscaleDbUrl: string
-  jwsSecret: Base64
+  sessionSecret: Base64
   csrfSecret: Base64
   alphaKey: string
   discordId: string

diff --git a/hub/src/session.ts b/hub/src/session.ts
@@ -13,13 +13,13 @@ import { type Cookie, type CookieOptions } from "solid-start/session/cookies"
 import { createPlainCookie } from "~/createPlainCookie"
 
 export function setSessionStorage(x: {
-  jwsSecret: Base64
+  sessionSecret: Base64
   csrfSecret: Base64
   hubInfoSecret: Base64
   oauthStateSecret: Base64
   oauthCodeVerifierSecret: Base64
 }): void {
-  jwsSecret = base64ToArray(x.jwsSecret)
+  sessionSecret = base64ToArray(x.sessionSecret)
   csrfSecret = x.csrfSecret
   hubInfoSecret = base64ToArray(x.hubInfoSecret)
   const sessionCookieOpts: CookieOptions = {
@@ -137,7 +137,7 @@ let destroyOauthCodeVerifierCookie = null as Cookie
 // @ts-expect-error calls should throw null error if not setup
 let hubInfoCookie = null as Cookie
 // @ts-expect-error calls should throw null error if not setup
-let jwsSecret = null as Uint8Array
+let sessionSecret = null as Uint8Array
 // @ts-expect-error calls should throw null error if not setup
 let csrfSecret = null as string
 // @ts-expect-error calls should throw null error if not setup
@@ -186,7 +186,7 @@ export async function getSession(request: Request): Promise<Session | null> {
   )) as string
   let session: JWTVerifyResult | null = null
   try {
-    session = await jwtVerify(rawSession, jwsSecret)
+    session = await jwtVerify(rawSession, sessionSecret)
   } catch {}
   return session == null
     ? null
@@ -318,7 +318,7 @@ async function generateSession(userId: string, csrf: string): Promise<string> {
     // .setIssuer("urn:example:issuer")
     // .setAudience("urn:example:audience")
     // .setExpirationTime("2h")
-    .sign(jwsSecret)
+    .sign(sessionSecret)
 }
 
 let maybeCsrfKey: CryptoKey | null = null

diff --git a/lrpc/src/config.ts b/lrpc/src/config.ts
@@ -14,7 +14,7 @@ if (rawConfig.error !== undefined) {
 const envZ = z.object({
   /* eslint-disable @typescript-eslint/naming-convention */
   planetscaleDbUrl: z.string(),
-  jwsSecret: z.string(),
+  sessionSecret: z.string(),
   IS_OFFLINE: z.literal("true").or(z.undefined()),
   /* eslint-enable @typescript-eslint/naming-convention */
 })
@@ -33,4 +33,4 @@ export function base64ToArray(base64: string): Uint8Array {
   return bytes
 }
 
-export const jwsSecret = base64ToArray(config.jwsSecret)
+export const sessionSecret = base64ToArray(config.sessionSecret)
diff --git a/lrpc/src/core.ts b/lrpc/src/core.ts
@@ -1,5 +1,5 @@
 import { jwtVerify } from "jose"
-import { jwsSecret } from "./config.js"
+import { sessionSecret } from "./config.js"
 import { parse } from "cookie"
 import { csrfHeaderName, sessionCookieName } from "shared"
 import { type IncomingHttpHeaders } from "http"
@@ -12,7 +12,7 @@ export async function getUser(
     const sessionCookie = cookies[sessionCookieName]
     if (sessionCookie != null && csrfHeaderName in headers) {
       try {
-        const session = await jwtVerify(sessionCookie, jwsSecret)
+        const session = await jwtVerify(sessionCookie, sessionSecret)
         return session.payload.sub
       } catch {}
     }

diff --git a/mkenv.sh b/mkenv.sh
@@ -11,15 +11,15 @@ set -euo pipefail # https://stackoverflow.com/a/2871034
 source ../PentiveSecrets/secrets.sh
 
 # Uncomment if you wanna
-# echo $productionJwsSecret               | npx wrangler secret put jwsSecret               --name cwa
+# echo $productionSessionSecret           | npx wrangler secret put sessionSecret           --name cwa
 # echo $productionPlanetscaleDbUrl        | npx wrangler secret put planetscaleDbUrl        --name cwa
 # echo $productionMediaTokenSecret        | npx wrangler secret put mediaTokenSecret        --name cwa
 # echo $productionAppOrigin               | npx wrangler secret put appOrigin               --name cwa
 # echo $productionHubOrigin               | npx wrangler secret put hubOrigin               --name cwa
 # echo $productionPlanetscaleDbUrl        | npx wrangler secret put planetscaleDbUrl        --name api-ugc
 # echo $productionAppOrigin               | npx wrangler secret put appOrigin               --name api-ugc
 # echo $productionHubOrigin               | npx wrangler secret put hubOrigin               --name api-ugc
-# echo $productionJwsSecret               | npx wrangler secret put jwsSecret               --name hub
+# echo $productionSessionSecret           | npx wrangler secret put sessionSecret           --name hub
 # echo $productionAlphaKey                | npx wrangler secret put alphaKey                --name hub
 # echo $productionDiscordId               | npx wrangler secret put discordId               --name hub
 # echo $productionDiscordSecret           | npx wrangler secret put discordSecret           --name hub