Stop accepting legacy SHA1 signed cookies

2025-06-15 00:15:00 +02:00 · 2020-05-24 11:02:08 -07:00
parent 55a941b76e
commit 56f199a24f
3 changed files with 7 additions and 14 deletions
--- a/pkg/encryption/utils_test.go
+++ b/pkg/encryption/utils_test.go
@ -94,8 +94,8 @@ func TestSignAndValidate(t *testing.T) {
 	assert.NoError(t, err)

 	assert.True(t, checkSignature(sha256sig, seed, key, value, epoch))
-	// This should be switched to False after fully deprecating SHA1
-	assert.True(t, checkSignature(sha1sig, seed, key, value, epoch))
+	// We don't validate legacy SHA1 signatures anymore
+	assert.False(t, checkSignature(sha1sig, seed, key, value, epoch))

 	assert.False(t, checkSignature(sha256sig, seed, key, "tampered", epoch))
 	assert.False(t, checkSignature(sha1sig, seed, key, "tampered", epoch))