search

heroku / identity

[DEPRECATED] Login and OAuth management service for Heroku
https://id.heroku.com/
MIT License
246 stars 20 forks source link

Write encrypted user info to the cookie of Heroku root domain #206

Closed owenthereal closed 8 years ago

owenthereal commented 8 years ago

This is to enable marketing header to have user info.

Related PR: https://github.com/heroku/api/pull/5386 & https://github.com/heroku/identity/pull/205 (good to have)

/cc @heroku/api @maxbeizer @flacoste

owenthereal commented 8 years ago

@dmcinnes Would appreciate a 3rd eye on this.

dmcinnes commented 8 years ago

Looks great! I might be missing something, though I thought this was going to use public/private key encryption? Eventually it would be nice to merge the original FernetCookieCoder with the new CookieCoder like in #207, but that can wait.

owenthereal commented 8 years ago

@dmcinnes:

I might be missing something, though I thought this was going to use public/private key encryption?

I changed my mind after more thinking. The original intention of using public/private key is to avoid sharing the same key. But if the public key is leaked, the user info is leaked. So it makes no difference of using the same key vs. a key pair. Besides, RSA takes longer to encrypt/decrypt than HMAC.

Eventually it would be nice to merge the original FernetCookieCoder with the new CookieCoder like in #207, but that can wait.

+1 to that!

dmcinnes commented 8 years ago

@jingweno gotcha! makes sense.