From 285af0870d9f7767792bab11026fecc4ce064d1e Mon Sep 17 00:00:00 2001
From: TheSaminator
Date: Sat, 5 Mar 2022 14:19:10 -0500
Subject: [PATCH] Increase security of session cookies
---
 .../kotlin/starshipfights/auth/providers.kt | 1 +
 .../kotlin/starshipfights/server_conf.kt | 24 +++++++++----------
 2 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/src/jvmMain/kotlin/starshipfights/auth/providers.kt b/src/jvmMain/kotlin/starshipfights/auth/providers.kt
index 67cac6c..b6c220b 100644
--- a/src/jvmMain/kotlin/starshipfights/auth/providers.kt
+++ b/src/jvmMain/kotlin/starshipfights/auth/providers.kt
@@ -62,6 +62,7 @@ interface AuthProvider {
 into.install(Sessions) {
 cookie>("sf_user_session") {
 serializer = UserSessionIdSerializer
+ transform(SessionTransportTransformerMessageAuthentication(hex(CurrentConfiguration.secretHashingKey)))
 cookie.path = "/"
 cookie.extensions["Secure"] = null
diff --git a/src/jvmMain/kotlin/starshipfights/server_conf.kt b/src/jvmMain/kotlin/starshipfights/server_conf.kt
index fcc4097..d96abf4 100644
--- a/src/jvmMain/kotlin/starshipfights/server_conf.kt
+++ b/src/jvmMain/kotlin/starshipfights/server_conf.kt
@@ -1,21 +1,26 @@
 package starshipfights
+import io.ktor.util.*
 import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.Serializable
 import kotlinx.serialization.json.Json
 import starshipfights.data.ConnectionType
 import java.io.File
+import java.security.SecureRandom
 @Serializable
 data class Configuration(
- val isDevEnv: Boolean,
+ val isDevEnv: Boolean = true,
- val host: String,
- val port: Int,
+ val host: String = "127.0.0.1",
+ val port: Int = 8080,
- val dbConn: ConnectionType,
- val dbName: String,
+ val dbConn: ConnectionType = ConnectionType.Embedded(),
+ val dbName: String = "sf",
+ val secretHashingKey: String = hex(
+ ByteArray(16).also { SecureRandom.getInstanceStrong().nextBytes(it) }
+ ),
 val discordClient: DiscordLogin? = null
 )
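Review bot: `hex(CurrentConfiguration.secretHashingKey)` on the added `transform(...)` line decodes an operator-supplied configuration string with no validation, so a hand-edited, truncated or non-hex key surfaces only as a decoding failure when `Sessions` is installed rather than as a clear configuration error; a fail-fast check where the configuration is loaded, such as `require(secretHashingKey.length % 2 == 0 && secretHashingKey.all { it in "0123456789abcdefABCDEF" }) { "secretHashingKey must be an even-length hex string" }`, would make misconfiguration obvious. The MAC only lets the server detect a forged or modified session id; it relies on the key being identical across restarts and across every instance that reads the cookie, which is a property of how `secretHashingKey` is generated and stored in server_conf.kt rather than of this line. A short comment would save the next reader a trip to the transformer's docs: `// MAC the session cookie so a tampered or forged session id is rejected; the key must stay secret and stable across restarts`. The `install(Sessions)` block this line sits in starts and ends outside the hunk.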
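Review bot: The default expression for `secretHashingKey` in `Configuration` runs on every construction that omits the field, so if the loaded config file has no `secretHashingKey` a new key is drawn at each start and every session cookie issued before the restart fails MAC validation; unless the generated value is written back to the config file on first generation, the transformer added in providers.kt only protects sessions within a single process lifetime and cannot be shared by a second instance. `SecureRandom.getInstanceStrong()` may block for a long time on entropy-starved hosts (on Linux it typically selects the blocking native provider), while the default `SecureRandom()` is cryptographically suitable for key generation and does not block. Sixteen bytes is also below the 32-byte key RFC 2104 recommends for HMAC-SHA256, which is the transformer's default algorithm; `ByteArray(32).also { SecureRandom().nextBytes(it) }` addresses both. The property deserves a KDoc for operators, e.g. `/** Hex-encoded HMAC key for session cookies. Keep it secret, persist it, and use the same value on every instance; changing it invalidates all sessions. */`.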
@@ -30,14 +35,7 @@ data class DiscordLogin(
 val serverInvite: String,
 )
-private val DEFAULT_CONFIG = Configuration(
- isDevEnv = true,
- host = "127.0.0.1",
- port = 8080,
- dbConn = ConnectionType.Embedded(),
- dbName = "sf",
- discordClient = null )
+private val DEFAULT_CONFIG = Configuration()
 private var currentConfig: Configuration? = null
-- 
2.25.1
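Review bot: `private val DEFAULT_CONFIG = Configuration()` is a top-level property, so it is initialized when this file's class loads and the key-generating default of `Configuration` runs at startup even when a config file exists and the default is never used; with `getInstanceStrong()` behind that default, any entropy stall is paid unconditionally. `private val DEFAULT_CONFIG by lazy { Configuration() }` defers the work to the first real use. Whether the key held by `DEFAULT_CONFIG` ever reaches disk is decided outside this hunk; if it is serialized with a kotlinx `Json` instance left at its default `encodeDefaults = false`, `secretHashingKey` is omitted from the written file and regenerated on every launch, which is worth confirming before relying on the new cookie MAC.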