0x0elliot commented Jan 15, 2026

this was stupid on my part. i never tested login itself, i was too concerned about existing users not getting locked out. testing properly this time (the attached session is an invalid one)

[Image: Screenshot 2026-01-15 at 6 35 02 PM]

Checklist to test for myself:

  • Login request
  • Registration flow
  • SSO flows
  • Existing logged in user flow
  • Make sure that GetUser and HandleApiAuthentication return unencrypted user API and session tokens

0x0elliot marked this pull request as ready for review January 15, 2026 19:15

0x0elliot commented:

this PR still makes me nervous. anything auth related does. please run through it once again.

frikky commented Jan 27, 2026

Fix merge conflicts so I can try it out properly please :)

I can also recommend splitting the Session problem and API key as they are separate.

And yes, this HAS to work with old sessions AND hashed ones. Same for old apikeys AND hashed apikeys.

Etc.
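
The compatibility requirement in the comment above (old and hashed sessions and API keys must both keep working), sketched as an added example that is not code from this PR or the project. It assumes tokens are stored as a hex SHA-256 digest once migrated; `Record`, `hashToken` and `Authenticate` are hypothetical names, and the sample rows are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Record is a hypothetical credential row, not the project's schema.
type Record struct {
	Username string
	Token    string // legacy row: raw token; migrated row: hex SHA-256 of it
	Hashed   bool   // explicit format marker, so a stored digest is never accepted as a token
}

func hashToken(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// Authenticate accepts a presented token against both storage formats and
// upgrades a matching legacy row in place so the raw value stops living at rest.
func Authenticate(rows []*Record, presented string) (user string, upgraded bool, ok bool) {
	if presented == "" {
		return "", false, false
	}
	digest := hashToken(presented)
	for _, r := range rows {
		want := presented // legacy rows compare against the raw token
		if r.Hashed {
			want = digest // migrated rows compare against the digest only
		}
		if subtle.ConstantTimeCompare([]byte(r.Token), []byte(want)) != 1 {
			continue
		}
		if !r.Hashed {
			r.Token, r.Hashed, upgraded = digest, true, true
		}
		return r.Username, upgraded, true
	}
	return "", false, false
}

func main() {
	rows := []*Record{{Username: "old", Token: "legacy-raw-token"}} // constructed sample
	fmt.Println(Authenticate(rows, "legacy-raw-token"))
	fmt.Println(rows[0].Hashed)
}
```

Branching on a per-row format marker, rather than accepting a match against either form, is what keeps a leaked digest from working as a login token.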

frikky commented Jan 27, 2026

@yashsinghcodes ping

Member commented:

shouldn't we still handle this? In case somehow the Encryption fails we will have a log on it for debugging.

Member Author commented:

why can't i see what line you have commented on. can you point out the code block for me?

0x0elliot force-pushed the 0x0elliot/encrypt-apikey-session branch 2 times, most recently from a15e403 to be2365f January 29, 2026 14:31

0x0elliot commented:

> Fix merge conflicts so I can try it out properly please :)
>
> I can also recommend splitting the Session problem and API key as they are separate.
>
> And yes, this HAS to work with old sessions AND hashed ones. Same for old apikeys AND hashed apikeys.
>
> Etc.

Done @frikky

frikky commented Jan 29, 2026

> > Fix merge conflicts so I can try it out properly please :)
> > I can also recommend splitting the Session problem and API key as they are separate.
> > And yes, this HAS to work with old sessions AND hashed ones. Same for old apikeys AND hashed apikeys.
> > Etc.
>
> Done @frikky

@yashsinghcodes I want your go-ahead before I spend time on this again. Review both apikeys and sessions, for new users AND existing ones, to see if absolutely anything breaks.
