fix: decrypt session before setting cookies in auth flows#300
fix: decrypt session before setting cookies in auth flows#300
Conversation
|
this PR still makes me nervous. anything auth related does. please run through it once again. |
|
Fix merge conflicts so I can try it out properly please :) I can also recommend splitting the Session problem and API key as they are separate. And yes, this HAS to work with old sessions AND hashed ones. Same for old apikeys AND hashed apikeys. Etc. |
|
@yashsinghcodes ping |
There was a problem hiding this comment.
shouldn't we still handle this? In case somehow the Encryption fails we will have a log on it for debugging.
There was a problem hiding this comment.
why can't i see what line you have commented on. can you point out the code block for me?
0x0elliot
force-pushed
the
0x0elliot/encrypt-apikey-session
branch
2 times, most recently
from
a15e403 to
be2365f
Compare
Done @frikky |
@yashsinghcodes I want your go-ahead before I spend time on this again. Review both apikeys and sessions, for new users AND existing ones, as to see if absolutely anything breaks. |
@yashsinghcodes bump :)) |
|
The code looks good to me. @0x0elliot, let’s test it in the test environment before deployment using the older shuffle-shared for existing registrations and the new one for new registrations as well as existing ones. We need to cover edge cases and complete all tests before it goes live. |
|
@yashsinghcodes we can always do what i did with SSO: deploy is in aus, and just use it for a bit with a fork like this: https://github.com/0x0elliot/shuffle-shared |
|
Yes, can we move forward with the deployment? |
|
Let's time this after SSO fix so that we take care of one set of bugs sent our way first. |
3 participants
this was stupid on my part. i never tested login itself, i was too concerned about existing users not getting locked out. testing properly this time (the attached session is an invalid one)
Checklist to test for myself: