mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-27 10:56:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

express-session: Implement and enable key rotation (#5362) by @rhansen

Browse source 
* SecretRotator: New class to coordinate key rotation

* express-session: Enable key rotation

* Added new entry in docker.adoc

* Move to own package.Removed fallback as Node 16 is now lowest node version.

* Updated package-lock.json

---------

Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
This commit is contained in:
Richard Hansen 2023-07-03 16:58:49 -04:00 committed by GitHub
parent 675c0130b9
commit 2bb431e7e5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 915 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

19
settings.json.docker
View file

@ -363,6 +363,23 @@
* Settings controlling the session cookie issued by Etherpad.
*/
"cookie": {
/*
* How often (in milliseconds) the key used to sign the express_sid cookie
* should be rotated. Long rotation intervals reduce signature verification
* overhead (because there are fewer historical keys to check) and database
* load (fewer historical keys to store, and less frequent queries to
* get/update the keys). Short rotation intervals are slightly more secure.
*
* Multiple Etherpad processes sharing the same database (table) is
* supported as long as the clock sync error is significantly less than this
* value.
*
* Key rotation can be disabled (not recommended) by setting this to 0 or
* null, or by disabling session expiration (see sessionLifetime).
*/
// 86400000 = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
"keyRotationInterval": "${COOKIE_KEY_ROTATION_INTERVAL:86400000}",
/*
* Value of the SameSite cookie property. "Lax" is recommended unless
* Etherpad will be embedded in an iframe from another site, in which case
@ -392,6 +409,8 @@
* indefinitely without consulting authentication or authorization
* hooks, so once a user has accessed a pad, the user can continue to
* use the pad until the user leaves for longer than sessionLifetime.
* - More historical keys (sessionLifetime / keyRotationInterval) must be
* checked when verifying signatures.
*
* Session lifetime can be set to infinity (not recommended) by setting this
* to null or 0. Note that if the session does not expire, most browsers