Migrate cookie signing to SHA256 from SHA1 (#524)

Also, cleanup the code & make the specific hashing algorithm chosen a function variable. Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2025-12-01 22:51:45 +02:00 · 2020-05-05 18:41:48 -07:00
parent 07df29db37
commit 9d626265e8
3 changed files with 37 additions and 5 deletions
--- a/pkg/encryption/cipher_test.go
+++ b/pkg/encryption/cipher_test.go
@@ -1,12 +1,31 @@
 package encryption

 import (
+	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/base64"
 	"testing"

 	"github.com/stretchr/testify/assert"
 )

+func TestSignAndValidate(t *testing.T) {
+	seed := "0123456789abcdef"
+	key := "cookie-name"
+	value := base64.URLEncoding.EncodeToString([]byte("I am soooo encoded"))
+	epoch := "123456789"
+
+	sha256sig := cookieSignature(sha256.New, seed, key, value, epoch)
+	sha1sig := cookieSignature(sha1.New, seed, key, value, epoch)
+
+	assert.True(t, checkSignature(sha256sig, seed, key, value, epoch))
+	// This should be switched to False after fully deprecating SHA1
+	assert.True(t, checkSignature(sha1sig, seed, key, value, epoch))
+
+	assert.False(t, checkSignature(sha256sig, seed, key, "tampered", epoch))
+	assert.False(t, checkSignature(sha1sig, seed, key, "tampered", epoch))
+}
+
 func TestEncodeAndDecodeAccessToken(t *testing.T) {
 	const secret = "0123456789abcdefghijklmnopqrstuv"
 	const token = "my access token"