securecookie: v2

[elithrar]

Preface: we're thinking about what a gorilla/sessions v2 would look like. This naturally extends to securecookie, which provides a lot of the underlying implementation.

Key areas for improvement in v2:

• Simplify the error interfaces: multi-error and the error types are overly complex and lead to a lot of error-handling code downstream. Generalizing to user-error (and making it harder to provide bad keys and input!), authentication error (crypto) and data error (marshalling bugs) should be enough.
• Replace AES-CTR + HMAC-SHA-256 with XSalsa20Poly1305 (via nacl/secretbox). This is an AEAD construct that provides encryption+authentication together, securely.
• Make the key rotation interface better (variadic is confusing: move to an Option struct)
• Keep all of the great fuzzing tests.

[elithrar]

WIP branch here: https://github.com/gorilla/securecookie/tree/elithrar/v2

Next up:

• Consider whether we need to implicitly run user-provided keys through a KDF on init. This complicates the API as we would need to maintain state, which isn't how securecookie is used right now. The alternative is to make all examples use something like scrypt.GenerateFromPassword to guide inexperienced users down the right path to providing strong keys.
• Support multiple keys - replacing the existing Codec piece with Options.RotatedKeys and attempting to use provided keys on each signature verification failure. Needs good docs; cascading through multiple keys is slow. RotatedKeys should only be used for a short period of time.
• Set good defaults for expirations.

Future:

• Support the SameSite cookie attribute
• Update all existing tests

[mholt]

I was just gonna post and ask about SameSite attribute. Thanks for beating me to it! ;)

[elithrar]

Update: still a WIP. I'm waiting for Go's "dep" tool to land so I can version the library more cleanly.

[bbigras]

Any progress?

[elithrar]

dep hasn't landed in the Go toolchain yet, so nothing yet. There is an (old) WIP branch - https://github.com/gorilla/securecookie/tree/elithrar/v2 - but unlikely to commit significant time until dep lands. Is there a specific need that v2 would address for you?

…

On Thu, Oct 26, 2017 at 1:38 PM Bruno Bigras ***@***.***> wrote: Any progress? — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#43 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABIcPQQ3Ji3iDWbImBEs6eE1ZQ7xSkzks5swO3bgaJpZM4LwqsY> .

[bbigras]

dep hasn't landed in the Go toolchain yet

Oh sorry. I saw "dep is safe for production use" on https://github.com/golang/dep and I assumed it landed.

Is there a specific need that v2 would address for you?

I have been looking forward to use SameSite since support was added for it in Chrome. I'm not aware of the other changes.

[elithrar]

We can probably look to add SameSite to the current version (I'll also accept a PR!)

…

On Thu, Oct 26, 2017 at 2:38 PM Bruno Bigras ***@***.***> wrote: dep hasn't landed in the Go toolchain yet Oh sorry. I saw "dep is safe for production use" on https://github.com/golang/dep and I assumed it landed. Is there a specific need that v2 would address for you? I have been looking forward to use SameSite since support was added for it in Chrome. I'm not aware of the other changes. — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#43 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABIcAsW4WiOxPEBRi74W_0QbW3rrdKzks5swPvkgaJpZM4LwqsY> .