Add suffix for oauth cookies #2664
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Codecov Report
@@ Coverage Diff @@
## main #2664 +/- ##
==========================================
+ Coverage 63.36% 63.37% +0.01%
==========================================
Files 119 119
Lines 19098 19112 +14
==========================================
+ Hits 12102 12113 +11
- Misses 6196 6198 +2
- Partials 800 801 +1
@@ -494,6 +495,12 @@ func (t *Translator) buildOIDC( | |||
logoutPath = *oidc.LogoutPath | |||
} | |||
|
|||
h := fnv.New32a() |
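Review bot: fnv.New32a() at this line yields a 32-bit, non-cryptographic suffix; that is adequate for keeping the cookies of different OAuth filters apart, but two SecurityPolicy UIDs can in principle map to the same suffix. Add a short comment next to this line stating that the suffix only namespaces cookie names and is not relied on for integrity, so a later reader does not mistake it for a security control.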
can we reuse
gateway/internal/provider/utils/utils.go, line 39 in 4c79ef9:
func HashString(str string) string {
HashString uses SHA256, which is theoretically slower than FNV-32, and generates a 256-bit result.
I don't think it matters that much for this purpose that the hash being used is slower, or crypto-secure, but using the full 256 bits in the cookie suffix would result in 64 characters instead of the current 8. I think that would be a little long for a cookie name.
Using only 32 bits from the result would theoretically be OK for this purpose, but I would prefer to use the FNV-32 hash function here so that the entire hash result would still be used.
It's just 5 lines and I don't like importing the provider/utils package in gateway :-)
WDYT?
move it into a more common package, e.g. internal/util
non-blocking comment: less code, fewer bugs, fewer vulnerabilities. If this hash function is better, let's replace it with the one in provider/utils, as @zirain suggests; if provider/utils is the wrong home, let's move it to utils.
Will do in a follow-up PR because changing the location of provider/utils impacts many places.
LGTM
This PR adds a suffix for oauth cookies to prevent multiple oauth filters from overwriting each other's cookies.
The suffix is the hashed UID of the SecurityPolicy that contains the OIDC configuration. For example:
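As an added illustration (not code from this PR or the Envoy Gateway repository), the suffix derivation the description and the review thread discuss: an FNV-32a hash of the SecurityPolicy UID rendered as 8 hex characters, next to the SHA-256 alternative raised in review so the length difference is visible. The UIDs and the base cookie names are constructed for the example and are assumptions, not values from the page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/fnv"
)

// cookieSuffix derives the per-policy cookie suffix the PR describes:
// FNV-32a over the SecurityPolicy UID, rendered as 8 hex characters.
// FNV is not a cryptographic hash; the suffix only namespaces cookie
// names between OAuth filters and must not be treated as a security control.
func cookieSuffix(policyUID string) string {
	h := fnv.New32a()
	h.Write([]byte(policyUID)) // hash.Hash.Write never returns an error
	return fmt.Sprintf("%08x", h.Sum32())
}

// sha256Suffix is the alternative discussed in review (HashString uses
// SHA-256): the full digest is 64 hex characters, which the author
// considered too long for a cookie name.
func sha256Suffix(policyUID string) string {
	sum := sha256.Sum256([]byte(policyUID))
	return hex.EncodeToString(sum[:])
}

// cookieNames returns suffixed cookie names for one OAuth filter instance.
// The base names are assumed for illustration; the page does not list them.
func cookieNames(policyUID string) map[string]string {
	suffix := cookieSuffix(policyUID)
	names := map[string]string{}
	for _, base := range []string{"BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"} {
		names[base] = base + "-" + suffix
	}
	return names
}

func main() {
	// Two constructed SecurityPolicy UIDs (Kubernetes object UIDs are UUIDs).
	uidA := "7a3d5b4e-1c9a-4f3e-9d2b-0a1b2c3d4e5f"
	uidB := "b1e2d3c4-5f6a-4b7c-8d9e-0f1a2b3c4d5e"
	fmt.Println("policy A suffix:", cookieSuffix(uidA), "policy B suffix:", cookieSuffix(uidB))
	fmt.Println("SHA-256 suffix length:", len(sha256Suffix(uidA)))
	fmt.Println("HMAC cookie for policy A:", cookieNames(uidA)["OauthHMAC"])
}
```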