Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bugfix: when there are multiple secrets, we should re-sign with latest #118

Closed
wants to merge 2 commits into from
Closed

Bugfix: when there are multiple secrets, we should re-sign with latest #118

wants to merge 2 commits into from

Conversation

rclmenezes
Copy link
Contributor

@rclmenezes rclmenezes commented Aug 12, 2022
edited
Loading

This PR is dependent on:
#120

Only the last commit is relevant for review for now.

Turns out, we were re-signing cookies with the new secret.

Checklist

@rclmenezes
Copy link
Contributor Author

Benchmark:

$ node benchmark/bench.js
╔══════════════╤═════════╤═══════════════╤═══════════╤═════════════════════════╗
║ Slower tests │ Samples │        Result │ Tolerance │ Difference with slowest ║
╟──────────────┼─────────┼───────────────┼───────────┼─────────────────────────╢
║ file         │      25 │  31.31 op/sec │ ±  7.37 % │                         ║
║ redis        │      25 │ 109.38 op/sec │ ± 19.05 % │ + 249.38 %              ║
╟──────────────┼─────────┼───────────────┼───────────┼─────────────────────────╢
║ Fastest test │ Samples │        Result │ Tolerance │ Difference with slowest ║
╟──────────────┼─────────┼───────────────┼───────────┼─────────────────────────╢
║ memory       │      25 │ 815.79 op/sec │ ± 39.26 % │ + 2505.77 %             ║
╚══════════════╧═════════╧═══════════════╧═══════════╧═════════════════════════╝

✨  Done in 28.74s.

@rclmenezes rclmenezes mentioned this pull request Aug 12, 2022
Closed
4 tasks
@rclmenezes rclmenezes force-pushed the bugfix-multiple-secrets branch from 0ee908b to aaf5a03 Compare August 12, 2022 15:58
rclmenezes
rclmenezes commented Aug 12, 2022
View reviewed changes
lib/session.js Outdated
@@ -71,7 +71,7 @@ module.exports = class Session {

[addDataToSession] (prevSession) {
for (const key in prevSession) {
if (!['expires', 'cookie'].includes(key)) {
if (!['expires', 'cookie', 'encryptedSessionId'].includes(key)) {
Copy link
Contributor Author

@rclmenezes rclmenezes Aug 12, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original PR had this change, which is why this bug came up

Anyway, no point in copying encryptedSessionId over if we're going to replace it immediately.

@rclmenezes rclmenezes marked this pull request as draft August 12, 2022 16:03
@rclmenezes rclmenezes force-pushed the bugfix-multiple-secrets branch from aaf5a03 to 8e5b8a0 Compare August 12, 2022 16:19
rclmenezes
rclmenezes commented Aug 12, 2022
View reviewed changes
lib/session.js
this[secretKey] = secret
this[addDataToSession](prevSession)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is extremely unreadable and buried. It caused me a lot of confusion earlier, so I decided to put in the function itself

test/base.test.js
Comment on lines -102 to -110
const plugin = fastifyPlugin(async (fastify, opts) => {
fastify.addHook('onRequest', (request, reply, done) => {
request.sessionStore.set(DEFAULT_SESSION_ID, {
expires: Date.now() + 1000,
sessionId: DEFAULT_SESSION_ID,
cookie: { secure: true, httpOnly: true, path: '/' }
}, done)
})
})
Copy link
Contributor Author

@rclmenezes rclmenezes Aug 12, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slightly unrelated to the PR. This is unnecessary set-up for this test.

@rclmenezes rclmenezes force-pushed the bugfix-multiple-secrets branch from 8e5b8a0 to f5e9205 Compare August 13, 2022 21:00
@rclmenezes rclmenezes changed the title Bugfix multiple secrets Bugfix: when there are secrets, we should re-sign with latest Aug 13, 2022
@rclmenezes rclmenezes marked this pull request as ready for review August 13, 2022 21:02
mcollina
mcollina approved these changes Aug 14, 2022
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Uzlopak
Uzlopak requested changes Aug 14, 2022
View reviewed changes
Copy link
Contributor

@Uzlopak Uzlopak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please dont merge yet. i want to review this more.

@Uzlopak Uzlopak mentioned this pull request Aug 15, 2022
Merged
4 tasks
@Uzlopak
Copy link
Contributor

Uzlopak commented Aug 15, 2022

When #125 is merged, the cookie signing will be handled by @fastify/cookie, so we will not need to handled it in @fastify/session again...

@Uzlopak
Copy link
Contributor

Uzlopak commented Aug 15, 2022

Closing in favor of #125 and #127

@Uzlopak Uzlopak closed this Aug 15, 2022
@rclmenezes rclmenezes changed the title Bugfix: when there are secrets, we should re-sign with latest Bugfix: when there are multiple secrets, we should re-sign with latest Aug 24, 2022
@rclmenezes rclmenezes mentioned this pull request Aug 24, 2022
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Uzlopak Uzlopak Uzlopak requested changes

@mcollina mcollina mcollina approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rclmenezes @Uzlopak @mcollina