Whoops, actually include createdAt in auth tokens
Right, I had that idea while writing the comment, then forgot to actually do it lmao. This is important for session expiration: we don't want you to be able to hold onto an old cookie for an account that you should be locked out of. Updating the `createdAt` value requires a new signature, so the client can't forge when this token was created, and we can be confident in our ability to expire them.
This commit is contained in:
parent c478e6d88c
commit 28060d4d16
1 changed file with 4 additions and 1 deletion
|
@ -72,7 +72,10 @@ export async function getAuthToken({ username, password }, db) {
|
||||||
`.env file.`
|
`.env file.`
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
const unsignedAuthToken = { userId: impressId };
|
const unsignedAuthToken = {
|
||||||
|
userId: impressId,
|
||||||
|
createdAt: new Date().toISOString(),
|
||||||
|
};
|
||||||
const authTokenHmac = createHmac(
|
const authTokenHmac = createHmac(
|
||||||
"sha256",
|
"sha256",
|
||||||
process.env["DTI_AUTH_TOKEN_SECRET"]
|
process.env["DTI_AUTH_TOKEN_SECRET"]
|
||||||
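Review bot: nothing in this hunk enforces the expiry the commit message promises. The new `createdAt: new Date().toISOString(),` line is inside the object that `createHmac("sha256", process.env["DTI_AUTH_TOKEN_SECRET"])` signs, so a client cannot alter it, but the field is only recorded here; the verification path needs to parse `createdAt`, reject tokens older than the session lifetime, and, for the "locked out" case the message describes, also reject tokens created before a per-user cutoff (password change or lock time), otherwise an old cookie stays valid until the max age alone runs out. Two smaller points: the serialisation of `unsignedAuthToken` before hashing is not in this hunk, so confirm the issuer and verifier hash identical bytes (key order matters for a JSON-based MAC), and `process.env["DTI_AUTH_TOKEN_SECRET"]` being unset should fail at startup rather than at the first login.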