Merge pull request #38 from jcs224/cookie-encryption

encrypt cookie storage with iron-webcrypto

Author: Octo8080X

.github/workflows/deno.yml

@@ -20,7 +20,7 @@ jobs:
       DENO_ENV: testing
       BASE_URL: http://localhost:8000
       DENO_DIR: deno_dir
-      APP_KEY: not-secret-at-all
+      APP_KEY: password-at-least-32-characters-long
     steps:
       - name: Setup repo
         uses: actions/checkout@v3

README.md

@@ -23,12 +23,13 @@ import {
 
 ### Setup secret key
 
-Fresh Session currently uses [JSON Web Token](https://jwt.io/) under the hood to
-create and manage session in the cookies.
+Fresh Session currently uses
+[iron-webcrypto](https://github.com/brc-dd/iron-webcrypto) encrypted cookie
+contents.
 
-JWT requires a secret key to sign new tokens. Fresh Session uses the secret key
-from your [environment variable](https://deno.land/std/dotenv/load.ts)
-`APP_KEY`.
+iron-webcrypto requires a secret key to encrypt the session payload. Fresh
+Session uses the secret key from your
+[environment variable](https://deno.land/std/dotenv/load.ts) `APP_KEY`.
 
 If you don't know how to setup environment variable locally, I wrote
 [an article about .env file in Deno Fresh](https://xstevenyung.com/blog/read-.env-file-in-deno-fresh).
@@ -124,7 +125,7 @@ export const handler = [
 
 ## cookie session based on Redis
 
-In addition to JWT, values can be stored in Redis.
+In addition to storing session data in cookies, values can be stored in Redis.
 
 ```ts
 import { redisSession } from "fresh-session/mod.ts";

src/deps.ts

@@ -1,8 +1,16 @@
-export type { Plugin, MiddlewareHandlerContext, MiddlewareHandler} from "https://deno.land/x/fresh@1.5.4/server.ts";
+export type {
+  MiddlewareHandler,
+  MiddlewareHandlerContext,
+  Plugin,
+} from "https://deno.land/x/fresh@1.5.4/server.ts";
 export {
   type Cookie,
   deleteCookie,
   getCookies,
   setCookie,
 } from "https://deno.land/std@0.207.0/http/mod.ts";
-export { create, decode, verify } from "https://deno.land/x/djwt@v3.0.1/mod.ts";
+export {
+  defaults as ironDefaults,
+  seal,
+  unseal,
+} from "https://deno.land/x/iron@v1.0.0/mod.ts";

src/plugins/cookie_session_plugin.ts

@@ -1,13 +1,16 @@
 import type {
-  Plugin,
-  MiddlewareHandlerContext,
   MiddlewareHandler,
+  MiddlewareHandlerContext,
+  Plugin,
 } from "../deps.ts";
 import { cookieSession } from "../stores/cookie.ts";
 import { CookieOptions } from "../stores/cookie_option.ts";
 import { sessionModule } from "../stores/interface.ts";
 
-export function getCookieSessionHandler(session: sessionModule, excludePath: string[]): MiddlewareHandler {
+export function getCookieSessionHandler(
+  session: sessionModule,
+  excludePath: string[],
+): MiddlewareHandler {
   return function (req: Request, ctx: MiddlewareHandlerContext) {
     if (excludePath.includes(new URL(req.url).pathname)) {
       return ctx.next();
@@ -16,7 +19,11 @@ export function getCookieSessionHandler(session: sessionModule, excludePath: str
   };
 }
 
-export function getCookieSessionPlugin(path = "/", excludePath = [],  cookieOptions?: CookieOptions): Plugin {
+export function getCookieSessionPlugin(
+  path = "/",
+  excludePath = [],
+  cookieOptions?: CookieOptions,
+): Plugin {
   const session = cookieSession(cookieOptions);
   const handler = getCookieSessionHandler(session, excludePath);
 

src/plugins/kv_session_plugin.ts

@@ -1,13 +1,16 @@
 import type {
-  Plugin,
-  MiddlewareHandlerContext,
   MiddlewareHandler,
+  MiddlewareHandlerContext,
+  Plugin,
 } from "../deps.ts";
 import { kvSession } from "../stores/kv.ts";
 import { CookieOptions } from "../stores/cookie_option.ts";
 import { sessionModule } from "../stores/interface.ts";
 
-export function getKvSessionHandler(session: sessionModule, excludePath: string[]): MiddlewareHandler {
+export function getKvSessionHandler(
+  session: sessionModule,
+  excludePath: string[],
+): MiddlewareHandler {
   return function (req: Request, ctx: MiddlewareHandlerContext) {
     if (excludePath.includes(new URL(req.url).pathname)) {
       return ctx.next();
@@ -16,7 +19,12 @@ export function getKvSessionHandler(session: sessionModule, excludePath: string[
   };
 }
 
-export function getKvSessionPlugin(storePath: string|null, path = "/", excludePath = [], cookieOptions?: CookieOptions): Plugin {
+export function getKvSessionPlugin(
+  storePath: string | null,
+  path = "/",
+  excludePath = [],
+  cookieOptions?: CookieOptions,
+): Plugin {
   const session = kvSession(storePath, cookieOptions);
   const handler = getKvSessionHandler(session, excludePath);
 

src/plugins/redis_session_plugin.ts

@@ -1,13 +1,16 @@
 import type {
-  Plugin,
-  MiddlewareHandlerContext,
   MiddlewareHandler,
+  MiddlewareHandlerContext,
+  Plugin,
 } from "../deps.ts";
-import { Store, redisSession } from "../stores/redis.ts";
+import { redisSession, Store } from "../stores/redis.ts";
 import { CookieOptions } from "../stores/cookie_option.ts";
 import { sessionModule } from "../stores/interface.ts";
 
-export function getRedisSessionHandler(session: sessionModule, excludePath: string[]): MiddlewareHandler {
+export function getRedisSessionHandler(
+  session: sessionModule,
+  excludePath: string[],
+): MiddlewareHandler {
   return function (req: Request, ctx: MiddlewareHandlerContext) {
     if (excludePath.includes(new URL(req.url).pathname)) {
       return ctx.next();
@@ -16,7 +19,12 @@ export function getRedisSessionHandler(session: sessionModule, excludePath: stri
   };
 }
 
-export function getRedisSessionPlugin(store: Store, path = "/", excludePath = [],  cookieOptions?: CookieOptions): Plugin {
+export function getRedisSessionPlugin(
+  store: Store,
+  path = "/",
+  excludePath = [],
+  cookieOptions?: CookieOptions,
+): Plugin {
   const session = redisSession(store, cookieOptions);
   const handler = getRedisSessionHandler(session, excludePath);
 

src/stores/cookie.ts

@@ -1,33 +1,15 @@
 import {
-  create,
-  decode,
   getCookies,
+  ironDefaults,
   MiddlewareHandlerContext,
+  seal,
   setCookie,
-  verify,
+  unseal,
 } from "../deps.ts";
 import { type CookieOptions } from "./cookie_option.ts";
 import { Session } from "../session.ts";
 import type { WithSession } from "./interface.ts";
 
-export function key() {
-  const key = Deno.env.get("APP_KEY");
-
-  if (!key) {
-    console.warn(
-      "[FRESH SESSION] Warning: We didn't detect a env variable `APP_KEY`, if you are in production please fix this ASAP to avoid any security issue.",
-    );
-  }
-
-  return crypto.subtle.importKey(
-    "raw",
-    new TextEncoder().encode(key || "not-secret"),
-    { name: "HMAC", hash: "SHA-512" },
-    false,
-    ["sign", "verify"],
-  );
-}
-
 export function createCookieSessionStorage(cookieOptions?: CookieOptions) {
   let cookieOptionsParam = cookieOptions;
   if (!cookieOptionsParam) {
@@ -38,34 +20,43 @@ export function createCookieSessionStorage(cookieOptions?: CookieOptions) {
 }
 
 export class CookieSessionStorage {
-  #key: CryptoKey;
   #cookieOptions: CookieOptions;
 
-  constructor(key: CryptoKey, cookieOptions: CookieOptions) {
-    this.#key = key;
+  constructor(cookieOptions: CookieOptions) {
     this.#cookieOptions = cookieOptions;
   }
 
-  static async init(cookieOptions: CookieOptions) {
-    return new this(await key(), cookieOptions);
+  static init(cookieOptions: CookieOptions) {
+    return new this(cookieOptions);
   }
 
   create() {
     return new Session();
   }
 
   exists(sessionId: string) {
-    return verify(sessionId, this.#key)
+    return unseal(
+      globalThis.crypto,
+      sessionId,
+      Deno.env.get("APP_KEY") as string,
+      ironDefaults,
+    )
       .then(() => true)
       .catch((e) => {
-        console.warn("Invalid JWT token, creating new session...");
+        console.warn("Invalid session, creating new session...");
         return false;
       });
   }
 
-  get(sessionId: string) {
-    const [, payload] = decode(sessionId);
-    const { _flash = {}, ...data } = payload;
+  async get(sessionId: string) {
+    const decryptedData = await unseal(
+      globalThis.crypto,
+      sessionId,
+      Deno.env.get("APP_KEY") as string,
+      ironDefaults,
+    );
+
+    const { _flash = {}, ...data } = decryptedData;
     return new Session(data as object, _flash);
   }
 
@@ -74,13 +65,16 @@ export class CookieSessionStorage {
       this.keyRotate();
     }
 
+    const encryptedData = await seal(
+      globalThis.crypto,
+      { ...session.data, _flash: session.flashedData },
+      Deno.env.get("APP_KEY") as string,
+      ironDefaults,
+    );
+
     setCookie(response.headers, {
       name: "sessionId",
-      value: await create(
-        { alg: "HS512", typ: "JWT" },
-        { ...session.data, _flash: session.flashedData },
-        this.#key,
-      ),
+      value: encryptedData,
       path: "/",
       ...this.#cookieOptions,
     });

src/stores/interface.ts

@@ -4,4 +4,7 @@ export type WithSession = {
   session: Session;
 };
 
-export type sessionModule =(req: Request, ctx: MiddlewareHandlerContext) => Promise<Response>
+export type sessionModule = (
+  req: Request,
+  ctx: MiddlewareHandlerContext,
+) => Promise<Response>;

src/stores/kv.ts

@@ -129,7 +129,7 @@ function hasKeyPrefix(
 }
 
 export function kvSession(
-  storePath: string|null,
+  storePath: string | null,
   cookieWithRedisOptions?: CookieWithRedisOptions,
 ) {
   let setupKeyPrefix = "session_";

tests/fixture/dev.ts

@@ -1,6 +1,6 @@
 #!/usr/bin/env -S deno run -A --watch=static/,routes/
 
-Deno.env.set("APP_KEY", "not-secret");
+Deno.env.set("APP_KEY", "password-at-least-32-characters-long");
 
 import dev from "$fresh/dev.ts";