From 28060d4d166ed76420d33c27dc32b4fe6d36116c Mon Sep 17 00:00:00 2001
From: Matchu
Date: Wed, 17 Aug 2022 01:07:47 -0700
Subject: [PATCH] Whoops, actually include `createdAt` in auth tokens

Right, I had that idea while writing the comment, then forgot to actually do it lmao This is important for session expiration: we don't want you to be able to hold onto an old cookie for an account that you should be locked out of. Updating the `createdAt` value requires a new signature, so the client can't forge when this token was created, so we can be confident in our ability to expire them.
---
 src/server/auth-by-db.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/server/auth-by-db.js b/src/server/auth-by-db.js
index 9664110..294dc56 100644
--- a/src/server/auth-by-db.js
+++ b/src/server/auth-by-db.js
@@ -72,7 +72,10 @@ export async function getAuthToken({ username, password }, db) {
 `.env file.`
 );
 }
- const unsignedAuthToken = { userId: impressId };
+ const unsignedAuthToken = {
+ userId: impressId,
+ createdAt: new Date().toISOString(),
+ };
 const authTokenHmac = createHmac(
 "sha256",
 process.env["DTI_AUTH_TOKEN_SECRET"]
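Review bot: The signed `createdAt` added in the `unsignedAuthToken` literal only expires anything once the verifying path compares it against a cutoff; nothing in this hunk does that, so until such a check exists an old cookie still validates exactly as before. To get the lockout the description describes (an account you should be locked out of), that comparison needs a per-account cutoff such as the time of the last password change or forced logout, not only a fixed maximum age, because a token issued before the cutoff must be rejected even when it is otherwise recent. A comment on the new field would make that contract explicit for whoever writes the verifier: `createdAt: new Date().toISOString(), // covered by the HMAC so clients cannot backdate it; the verify side must reject tokens created before the session cutoff`. `getAuthToken` starts and ends outside the hunk and the HMAC input is not visible here; if the signature is computed over a JSON serialization of this object, the verifier has to rebuild it with the same key order, which is worth stating next to the literal as well.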