use conform hkdf

auth0 · Jan 3, 2020 · dc2be1a · dc2be1a
1 parent b6cd035
commit dc2be1a
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/lib/session.js b/lib/session.js
@@ -1,11 +1,11 @@
-const { createHmac } = require('crypto');
 const { strict: assert } = require('assert');
 
 const { JWK, JWKS, JWE } = require('jose');
 const onHeaders = require('on-headers');
 const cookie = require('cookie');
+const hkdf = require('futoin-hkdf');
 
-const deriveKey = (secret) => createHmac('sha256', secret).update('encryption').digest();
+const deriveKey = (secret) => hkdf(secret, 32, { info: 'JWE CEK', hash: 'SHA-256' });
 const epoch = () => Date.now() / 1000 | 0;
 
 module.exports = ({ cookieName, propertyName, secret, duration, ephemeral, cookieOptions = {} }) => {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -16,6 +16,7 @@
     "clone": "^2.1.2",
     "cookie": "^0.4.0",
     "cookie-parser": "^1.4.4",
+    "futoin-hkdf": "^1.2.1",
     "http-errors": "^1.7.3",
     "jose": "^1.17.2",
     "on-headers": "^1.0.2",