improve (crypto): derivate secret_key for each usage to reduce attack surface in the worst case scenario

Mickael KERJEAN
2019-01-18 13:48:04 +11:00
parent 7af12753ca
commit ec6eb0e8fa
10 changed files with 53 additions and 26 deletions


@ -30,7 +30,7 @@ func AdminOnly(fn func(App, http.ResponseWriter, *http.Request)) func(ctx App, r
return
}
str, err := DecryptString(SECRET_KEY, c.Value);
str, err := DecryptString(SECRET_KEY_DERIVATE_FOR_ADMIN, c.Value);
if err != nil {
SendErrorResult(res, ErrPermissionDenied)
return
@ -195,7 +195,7 @@ func _extractSession(req *http.Request, ctx *App) (map[string]string, error) {
var session map[string]string = make(map[string]string)
if ctx.Share.Id != "" {
str, err = DecryptString(SECRET_KEY, ctx.Share.Auth)
str, err = DecryptString(SECRET_KEY_DERIVATE_FOR_USER, ctx.Share.Auth)
if err != nil {
// This typically happen when changing the secret key
return session, nil
@ -223,7 +223,7 @@ func _extractSession(req *http.Request, ctx *App) (map[string]string, error) {
return session, nil
}
str = cookie.Value
str, err = DecryptString(SECRET_KEY, str)
str, err = DecryptString(SECRET_KEY_DERIVATE_FOR_USER, str)
if err != nil {
// This typically happen when changing the secret key
return session, nil
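Review bot: In `_extractSession`, the `ctx.Share.Auth` branch now decrypts with `SECRET_KEY_DERIVATE_FOR_USER`, so any value encrypted under the old `SECRET_KEY` fails here and falls through `return session, nil` as an empty session with no trace. If share auth values are persisted (not visible in this section), existing shares would stop working after the upgrade without a single log line; the cookie branch has the same behaviour, though there it only forces a new login. I would log the decrypt failure in both branches and extend the comment to something like `// Also happens for values encrypted before the per-usage keys were introduced`. It is also worth confirming that every matching encrypt call site uses the same derived key per purpose, since a value sealed with the admin key must never decrypt under the user key or the reverse. The bodies of `AdminOnly` and `_extractSession` start and end outside these hunks.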