Page MenuHomePhabricator

[keyserver] Update existing cookie password hashes to sha256
ClosedPublic

Authored by ashoat on Oct 22 2023, 3:30 PM.
Tags
None
Referenced Files
F3574615: D9564.id32306.diff
Sat, Dec 28, 5:48 PM
F3570157: D9564.diff
Sat, Dec 28, 4:08 AM
Unknown Object (File)
Nov 8 2024, 10:04 PM
Unknown Object (File)
Nov 8 2024, 10:04 PM
Unknown Object (File)
Nov 8 2024, 10:01 PM
Unknown Object (File)
Nov 5 2024, 2:13 AM
Unknown Object (File)
Oct 4 2024, 11:26 PM
Unknown Object (File)
Sep 27 2024, 10:51 AM
Subscribers

Details

Summary

We are already using sha256 hashes for new log-ins on master. This diff makes us convert existing log-ins (existing row in the MariaDB cookies table) to sha256 hashes.

We can't recalculate the hash without the "cookie password", so we'll do this when the user sends a request in updateCookie.

It's safe to call Viewer.cookieHash and Viewer.cookiePassword in updateCookie, since updateCookie is only called for real, authenticated requests (HTML website, JSON responder, or WebSocket). updateCookie does not appear to be called with a bot or script viewer anywhere in the codebase.

The cookie itself (the one we send to the client) doesn't need to change, since it doesn't include the hash.

Test Plan

Was tested in combination with preceding diff:

  1. Log out on the web app
  2. Check out a version of master with 397b4542fa7b38d8468038d74f3de84969f9dc36 and 12d02949bb4bb44a129163def1a7a056a7791b74 reverted
  3. Log back in on the web app
  4. Confirm that I have a bcrypt hash by running SELECT * FROM cookies ORDER BY last_used DESC LIMIT 1 in MariaDB console
  5. Close web app tab, kill keyserver, and check out master + D9563 + this diff
  6. Open web app tab again
  7. Confirm that I have a sha256 hash by rerunning query from step 4
  8. Confirm that the cookie ID is the same between steps 4 and 7

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ashoat edited the test plan for this revision. (Show Details)
ashoat added inline comments.
keyserver/src/session/cookies.js
740 ↗(On Diff #32304)

It's safe to call Viewer.cookieHash and Viewer.cookiePassword in updateCookie, since updateCookie is only called for real, authenticated requests (HTML website, JSON responder, or WebSocket). updateCookie does not appear to be called with a bot or script viewer anywhere in the codebase.

This revision is now accepted and ready to land.Oct 22 2023, 4:01 PM