From: TheSaminator
Date: Sat, 5 Mar 2022 19:19:10 +0000 (-0500)
Subject: Increase security of session cookies
X-Git-Url: https://gitweb.starshipfights.net/?a=commitdiff_plain;h=285af0870d9f7767792bab11026fecc4ce064d1e;p=starship-fights
Increase security of session cookies
---
diff --git a/src/jvmMain/kotlin/starshipfights/auth/providers.kt b/src/jvmMain/kotlin/starshipfights/auth/providers.kt
index 67cac6c..b6c220b 100644
--- a/src/jvmMain/kotlin/starshipfights/auth/providers.kt
+++ b/src/jvmMain/kotlin/starshipfights/auth/providers.kt
@@ -62,6 +62,7 @@ interface AuthProvider {
 into.install(Sessions) {
 cookie>("sf_user_session") {
 serializer = UserSessionIdSerializer
+transform(SessionTransportTransformerMessageAuthentication(hex(CurrentConfiguration.secretHashingKey)))
 cookie.path = "/"
 cookie.extensions["Secure"] = null
diff --git a/src/jvmMain/kotlin/starshipfights/server_conf.kt b/src/jvmMain/kotlin/starshipfights/server_conf.kt
index fcc4097..d96abf4 100644
--- a/src/jvmMain/kotlin/starshipfights/server_conf.kt
+++ b/src/jvmMain/kotlin/starshipfights/server_conf.kt
@@ -1,21 +1,26 @@
 package starshipfights
+import io.ktor.util.*
 import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.Serializable
 import kotlinx.serialization.json.Json
 import starshipfights.data.ConnectionType
 import java.io.File
+import java.security.SecureRandom
 @Serializable
 data class Configuration(
-val isDevEnv: Boolean,
+val isDevEnv: Boolean = true,
-val host: String,
-val port: Int,
+val host: String = "127.0.0.1",
+val port: Int = 8080,
-val dbConn: ConnectionType,
-val dbName: String,
+val dbConn: ConnectionType = ConnectionType.Embedded(),
+val dbName: String = "sf",
+val secretHashingKey: String = hex(
+ByteArray(16).also { SecureRandom.getInstanceStrong().nextBytes(it) }
+),
 val discordClient: DiscordLogin? = null
 )
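Review bot: The added `transform(...)` line decodes `CurrentConfiguration.secretHashingKey` with `hex()` inside `install(Sessions)`, so a configured key that is not valid hex (non-hex characters throw; an odd trailing character is, I believe, silently dropped) surfaces as a failure of the whole session feature rather than as a clear configuration error; validating the key's alphabet and length once where the configuration is loaded would give a better message. The transformer authenticates the cookie value but does not encrypt it, which is acceptable here because the value is only a session id via `UserSessionIdSerializer`, and a comment should record that intent: `// HMAC the session-id cookie so a client cannot forge another user's id; the key must be hex-encoded and identical on every instance`. The enclosing `install` block and the function that contains it start and end outside the hunk.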
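Review bot: The default for `secretHashingKey` is a fresh 16-byte `SecureRandom` value evaluated every time `Configuration()` is constructed without that field, so a config file that omits the key gets a new key on every process start — every `sf_user_session` cookie issued before the restart then fails MAC validation, and two instances will never accept each other's cookies. If that is intended, a comment on the property should say so; otherwise the key should be generated once and persisted, or the field left required. The same hunk defaults `isDevEnv` to `true`, so a production config that leaves that field out silently runs in dev mode; `false` is the safer default for a security-relevant flag. Note also that `Configuration` is a `data class`, so its generated `toString()` includes `secretHashingKey` and any logging of the configuration prints the key. `DEFAULT_CONFIG = Configuration()` in the second hunk inherits all of this.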
@@ -30,14 +35,7 @@ data class DiscordLogin(
 val serverInvite: String,
 )
-private val DEFAULT_CONFIG = Configuration(
-isDevEnv = true,
-host = "127.0.0.1",
-port = 8080,
-dbConn = ConnectionType.Embedded(),
-dbName = "sf",
-discordClient = null
-)
+private val DEFAULT_CONFIG = Configuration()
 private var currentConfig: Configuration? = null