Add check for missing cookieKey, generate one if not specified #235
Conversation
|
Could we deterministically generate one, perhaps like we do the per-secret keys? Randomly generating one is going to lead to confusion and sadness as your cookies are only valid on the server that generated it. |
|
Yeah we could. What would we use as a stable value to deterministically generate one reliably on multiple servers? I guess the other consideration is that if you're going to configure more than one, maybe you will need to specify one manually. |
|
We have a master key that we derive keys per-secret -- we could derive a key for cookies too. |
| @@ -75,6 +87,14 @@ public ServiceModule(KeywhizConfig config, Environment environment) { | |||
| bind(KeywhizConfig.class).toInstance(config); | |||
| } | |||
|
|
|||
| private String generateCookieKey() { | |||
There was a problem hiding this comment.
This means the cookie key won't work across hosts, and it'll also get wiped on restart and everyone ends up being logged out?
|
We can derive off the master key. I'll submit an update. |
|
Whoops I completely forgot about this. I'll see if I can get this updated today. |
|
Abandoned PR |
Should fix #190 and #180 .
r: @mcpherrinm @csstaub @alokmenghrajani