Page MenuHomePhabricator
Differential D9563

[keyserver] Add cookieHash to Viewer object
ClosedPublic
Actions

Authored by ashoat on Oct 22 2023, 3:29 PM.
Tags
None
Referenced Files
Unknown Object (File)
Nov 8 2024, 10:04 PM
Unknown Object (File)
Nov 8 2024, 10:04 PM
Unknown Object (File)
Nov 8 2024, 10:01 PM
Unknown Object (File)
Nov 5 2024, 2:13 AM
Unknown Object (File)
Oct 10 2024, 6:54 PM
Unknown Object (File)
Sep 27 2024, 10:51 AM
Unknown Object (File)
Sep 26 2024, 8:40 AM
Unknown Object (File)
Sep 24 2024, 12:41 AM
View All 47 Files
Subscribers
will

Details

Reviewers
atul
tomek
inka
Commits
rCOMMf8605b01bd87: [keyserver] Add cookieHash to Viewer object
Summary

In the next diff, I'll need to access the cookieHash inside updateCookie to check if it's a bcrypt or sha256 hash.

Test Plan

Was tested in combination with next diff:

  1. Log out on the web app
  2. Check out a version of master with 397b4542fa7b38d8468038d74f3de84969f9dc36 and 12d02949bb4bb44a129163def1a7a056a7791b74 reverted
  3. Log back in on the web app
  4. Confirm that I have a bcrypt hash by running SELECT * FROM cookies ORDER BY last_used DESC LIMIT 1 in MariaDB console
  5. Close web app tab, kill keyserver, and check out master + this diff + next diff
  6. Open web app tab again
  7. Confirm that I have a sha256 hash by rerunning query from step 4
  8. Confirm that the cookie ID is the same between steps 4 and 7

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ashoat created this revision.Oct 22 2023, 3:29 PM
Herald added a subscriber: will. · View Herald TranscriptOct 22 2023, 3:29 PM
ashoat added a child revision: D9564: [keyserver] Update existing cookie password hashes to sha256.Oct 22 2023, 3:30 PM
ashoat added inline comments.Oct 22 2023, 3:32 PM
keyserver/src/session/viewer.js
216–219 ↗(On Diff #32303)

This invariant may seem scary, but our usage in cookieHash in the next diff is addressed in that diff' description:

It's safe to call Viewer.cookieHash and Viewer.cookiePassword in updateCookie, since updateCookie is only called for real, authenticated requests (HTML website, JSON responder, or WebSocket). updateCookie does not appear to be called with a bot or script viewer anywhere in the codebase.

We have an equivalent invariants for cookiePassword already that will trigger in this scenario anyways, so I don't think this should be problematic.

ashoat edited the test plan for this revision. (Show Details)Oct 22 2023, 3:33 PM
ashoat mentioned this in D9564: [keyserver] Update existing cookie password hashes to sha256.
Harbormaster completed remote builds in B23422: Diff 32303.Oct 22 2023, 3:48 PM
ashoat requested review of this revision.Oct 22 2023, 3:48 PM
atul accepted this revision.Oct 22 2023, 4:00 PM
This revision is now accepted and ready to land.Oct 22 2023, 4:00 PM
Closed by commit rCOMMf8605b01bd87: [keyserver] Add cookieHash to Viewer object (authored by ashoat). · Explain WhyOct 22 2023, 4:07 PM
This revision was automatically updated to reflect the committed changes.
ashoat added a commit: rCOMMf8605b01bd87: [keyserver] Add cookieHash to Viewer object.
ashoat mentioned this in rCOMMd7d5043dc63a: [keyserver] Update existing cookie password hashes to sha256.

Revision Contents
Changeset List

PathSize
keyserver/
src/
session/
1 line
10 lines
1 line
11 lines

Diff 32305

View Options

keyserver/src/session/bots.js

Loading...
View Options

keyserver/src/session/cookies.js

Loading...
View Options

keyserver/src/session/scripts.js

Loading...
View Options

keyserver/src/session/viewer.js

Loading...