Open heikkivihersalo opened 1 month ago
WordPress already has `LOGGED_IN_KEY` and `LOGGED_IN_SALT` defined by default. This isn't loaded by default, but if `GOOGLESITEKIT_...` isn't defined, they will be loaded.

The solution could be just to improve the documentation to mention making sure that the WordPress salts are set up correctly.
Encrypt and decrypt don't currently use unique hashing. This can lead to security issues in production.

Setting the following constants in wp-config can address the problem, but it isn't the best user experience:

- `GOOGLESITEKIT_ENCRYPTION_KEY`
- `GOOGLESITEKIT_ENCRYPTION_SALT`
Using WordPress default salts and hashes should be investigated.
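As an added example (not from the issue author or the Site Kit project), a small audit script that reads a `wp-config.php`, checks whether the two Site Kit constants are defined, and otherwise verifies that the `LOGGED_IN_KEY`/`LOGGED_IN_SALT` fallback is not left at the `wp-config-sample.php` placeholder, is not too short, and does not reuse one value for both. The 32-character minimum and the sample configs are constructed assumptions for this demonstration, not values from the issue.

```python
import re

# Placeholder WordPress ships in wp-config-sample.php for salts nobody replaced.
WP_PLACEHOLDER = "put your unique phrase here"
# Constants Site Kit reads for its own key material (named in the issue) and the
# WordPress salts it falls back to when they are not defined.
SITEKIT_CONSTS = ("GOOGLESITEKIT_ENCRYPTION_KEY", "GOOGLESITEKIT_ENCRYPTION_SALT")
WP_FALLBACK_CONSTS = ("LOGGED_IN_KEY", "LOGGED_IN_SALT")

# Matches define( 'NAME', 'value' ); with any spacing; values have no embedded quotes.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""", re.DOTALL)


def parse_defines(config_text):
    """Return {constant: value} for every define() in a wp-config.php text."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}


def audit_wp_config(config_text, min_len=32):
    """Return a list of findings; an empty list means the key material looks sane."""
    defines = parse_defines(config_text)
    findings = []
    sitekit_defined = all(c in defines for c in SITEKIT_CONSTS)
    if not sitekit_defined:
        findings.append("Site Kit constants not set; plugin will fall back to LOGGED_IN_KEY/LOGGED_IN_SALT")
    # Whichever pair is actually in use must be present, unique, and non-placeholder.
    in_use = SITEKIT_CONSTS if sitekit_defined else WP_FALLBACK_CONSTS
    values = []
    for name in in_use:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif value.strip().lower() == WP_PLACEHOLDER:
            findings.append(f"{name} still holds the wp-config-sample.php placeholder")
        elif len(value) < min_len:
            findings.append(f"{name} is shorter than {min_len} characters")
        else:
            values.append(value)
    if len(values) == 2 and values[0] == values[1]:
        findings.append(f"{in_use[0]} and {in_use[1]} are identical; key and salt must differ")
    return findings


# Constructed sample configs (not real secrets) for demonstration.
INSECURE_CONFIG = """
define( 'LOGGED_IN_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
"""
HARDENED_CONFIG = """
define( 'LOGGED_IN_KEY',  'constructed-wp-key-value-for-this-example-0123456789' );
define( 'LOGGED_IN_SALT', 'constructed-wp-salt-value-for-this-example-9876543210' );
define( 'GOOGLESITEKIT_ENCRYPTION_KEY',  'sitekit-key-constructed-for-this-example-0123456789ABCDEF' );
define( 'GOOGLESITEKIT_ENCRYPTION_SALT', 'sitekit-salt-constructed-for-this-example-FEDCBA9876543210' );
"""

if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or ["OK"])
```

Point it at a real install with `audit_wp_config(open("/path/to/wp-config.php").read())`.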