
Discrepancy in documentation of password rotation. #707

Open
chrisroode opened this issue Feb 12, 2024 · 5 comments

Comments

@chrisroode

Hello, I am working on getting iron session working with password rotation. I noticed that the specification for how to define passwords in the sessionOptions conflicts with itself from the API to the example usage. It seems like the example is correct while the API reference is incorrect.


Additionally, the documentation seems to lack specifics about how password rotation works. Specifically, I am unsure how to rename the ids of my passwords as time goes on. I am having to resort to trial and error to see if it is working.

@chrisroode
Author

After a little thinking today, I'd be willing to contribute a solution to this. I was able to get ironSession working, and I think the only thing that needs an update is the documentation. What are your thoughts?

(I'm writing this because your contributing guide mentions discussing an issue before forking and working.)

@vvo
Owner

vvo commented Feb 13, 2024

@chrisroode go for it, yep 👍 if you made it work and figured it out, let's update the doc

@vvo
Owner

vvo commented Feb 13, 2024

I believe the id should always go up; you cannot reuse the ids.

@chrisroode
Author

Yeah, that's what I noticed. I'm making the following assumptions, and would love to run them by you just in case I'm inaccurate:

  1. passwords is an object with number keys, and each value is a password string.
  2. The program doesn't have any problem with missing lower numbers in the password object.
  3. When saving a cookie, iron-session uses the highest number key.

So my workaround is to record two passwords (new and old) and also a count for what password iteration the program is on. I construct an object in the following way:

let password = {};                 // keys: password iteration ids, values: password strings
password[count] = oldPassword;     // previous password, still accepted when unsealing existing cookies
password[count + 1] = newPassword; // current password; the highest id is the one used to seal new cookies

and the incrementing script performs the following logic.

oldPassword = newPassword;                // yesterday's current password becomes the old one
newPassword = generatePasswordFunction(); // hypothetical generator returning a fresh password string
count += 1;                               // ids only ever go up; never reuse an id

That seems to be working, and it has a theoretical limit of Number.MAX_SAFE_INTEGER, which won't be hit any time in the next universe with weekly password updates. Even if it did, the consequence for resetting back to 1 is forcing another login by all users.

@chrisroode
Author

Okay, I made a pull request. I did not run tests since I only changed the .md file. Let me know if you need anything else!
