node-webtokens expects a base64 encoded string for its secret during encryption; our fallback is indeed base64 encoded, but if the user specifies the ARC_APP_SECRET env var, it is passed directly as a string.
This string is parsed by node-webtokens as base64, and unfortunately Buffer.from(stringThatIsntBase64, 'base64') does NOT blow up. So the encryption key is a bizarrely parsed string. Fixing this, which is as simple as Buffer.from(ARC_APP_SECRET).toString('base64'), would invalidate any outstanding Arc Functions-created JWE cookies, as it would effectively be a secret change.
Now, in theory this is fine and we we don't have to fix it right now. However, I've also been working on bringing Arc Functions Python (and hopefully eventually Ruby) up to feature parity with Node.js. My assumption is that projects may have heterogenous languages in its handlers.
To accomplish that would mean, in effect, either: a) fixing it here (which would effectively be a breaking change), or b) replicating that bug across multiple libraries (which I cannot guarantee is actually even possible, given how weird it is that JS is parsing a non-base64-encoded string as a base64-encoded string).
Will need to get together with @brianleroux to determine the appropriate course of action to move forward.
The line in question is this: https://github.com/architect/functions/blob/main/src/http/session/providers/jwe.js#L11
node-webtokensexpects a base64 encoded string for its secret during encryption; our fallback is indeed base64 encoded, but if the user specifies theARC_APP_SECRETenv var, it is passed directly as a string.This string is parsed by
node-webtokensas base64, and unfortunatelyBuffer.from(stringThatIsntBase64, 'base64')does NOT blow up. So the encryption key is a bizarrely parsed string. Fixing this, which is as simple asBuffer.from(ARC_APP_SECRET).toString('base64'), would invalidate any outstanding Arc Functions-created JWE cookies, as it would effectively be a secret change.Now, in theory this is fine and we we don't have to fix it right now. However, I've also been working on bringing Arc Functions Python (and hopefully eventually Ruby) up to feature parity with Node.js. My assumption is that projects may have heterogenous languages in its handlers.
To accomplish that would mean, in effect, either: a) fixing it here (which would effectively be a breaking change), or b) replicating that bug across multiple libraries (which I cannot guarantee is actually even possible, given how weird it is that JS is parsing a non-base64-encoded string as a base64-encoded string).
Will need to get together with @brianleroux to determine the appropriate course of action to move forward.