Want to make another preview release?

Click 'Run workflow' in the [GitHub UI](https://github.com/guardian/play-secret-rotation/actions/workflows/release.yml), specifying the fix-forgotten-CSRFTokenSigner branch, or use the [GitHub CLI](https://cli.github.com/) command:

`gh workflow run release.yml --ref fix-forgotten-CSRFTokenSigner`

Want to make a full release after this PR is merged?

Click 'Run workflow' in the [GitHub UI](https://github.com/guardian/play-secret-rotation/actions/workflows/release.yml), leaving the branch as the default, or use the [GitHub CLI](https://cli.github.com/) command:

`gh workflow run release.yml`
This fixes https://github.com/guardian/play-secret-rotation/issues/445 - although play-secret-rotation has always overridden Play's `RequestFactory` to handle rotating the Play Application Secret, we forgot to also override the `CSRFTokenSigner` to teach it about rotating secrets - this PR fixes that.

Essential to coping with rotating secret keys is the ability to tolerate tokens signed with old secret keys for a transition period (for us the overlap period is 2 hours). So our `RotatingKeyCSRFTokenSigner` needs to always sign with the 'current' secret, but when verifying tokens, needs to try verifying the token against all applicable secret keys, to see if any of them validate it.

See also:
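The sign-with-current, verify-against-all-applicable behaviour described in the PR, as an added illustration in Python rather than the project's Scala; this is not play-secret-rotation's code and the `Secret`, `RotatingKeySigner` names, the HMAC-SHA256 token format and the 2-hour `OVERLAP` constant are assumptions of the example:

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OVERLAP = timedelta(hours=2)  # assumed transition period: a retired secret is still accepted this long


@dataclass(frozen=True)
class Secret:
    activated_at: datetime  # when this secret became the 'current' signing key
    value: bytes


class RotatingKeySigner:
    """Signs with the current secret; verifies against every secret still inside the overlap window."""

    def __init__(self, secrets):
        self._secrets = sorted(secrets, key=lambda s: s.activated_at)

    def current(self, now):
        """The most recently activated secret as of `now`; only this one is ever used to sign."""
        active = [s for s in self._secrets if s.activated_at <= now]
        if not active:
            raise ValueError("no secret has been activated yet")
        return active[-1]

    def applicable(self, now):
        """The current secret plus any older secret that was retired less than OVERLAP ago."""
        active = [s for s in self._secrets if s.activated_at <= now]
        result = []
        for i, s in enumerate(active):
            retired_at = active[i + 1].activated_at if i + 1 < len(active) else None
            if retired_at is None or now - retired_at < OVERLAP:
                result.append(s)
        return result

    def sign(self, token, now):
        mac = hmac.new(self.current(now).value, token.encode(), hashlib.sha256).hexdigest()
        return f"{mac}-{token}"

    def verify(self, signed, now):
        """Return the bare token if any applicable secret validates the MAC, else None."""
        mac, sep, token = signed.partition("-")
        if not sep:
            return None
        for secret in self.applicable(now):
            expected = hmac.new(secret.value, token.encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, mac):  # constant-time comparison
                return token
        return None
```

A token signed before a rotation keeps verifying for the overlap window and is rejected after it, while new tokens are always signed with the newest secret.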