search

renderorange / pasteburn

Sharable, encrypted, ephemeral pastebin.
https://pasteburn.io
MIT License
2 stars 1 forks source link

update expire time for crypt-storage-encode and session cookie #5

Closed renderorange closed 1 year ago

renderorange commented 1 year ago

https://github.com/renderorange/pasteburn/blob/master/lib/Pasteburn/Crypt/Storage.pm#L27

since expire time is a configurable option, it should be passed into the encode method as an argument. as is, expire time is hard coded to 7 days, regardless of the config set by the admin.

renderorange commented 1 year ago

this needs more research. crypt-storage-encode is used to encode the secret data to be stored into the database, not into the session. additionally, the session stored into the cookie for the user is set in the config.yml setting, default_duration: 604800. this value isn't tied to the value in the project config.

there are a couple things to do for this. first is to set the cookie default_duration to match the project config, rather than hard code it to 60480. second is to remove the encode method arg to set the duration of the data being stored in the database. according to documentation, an unset value doesn't set an expiration time on the data itself.

renderorange commented 1 year ago

commit dff0924 removes default_duration and expires age settings so the secret expiration will only be controlled by the created_at field.

renderorange commented 1 year ago

since removing expire times from the configs, the question now is, should a no expiration setting be allowed in the project configuration? if, say, someone wants to run this project on their own private network, and wants to set no expiration to secrets, should they be allowed?

I think yes.

renderorange commented 1 year ago

or they could just not run the cronjob to delete expired secrets. going with that, and will update the documentation.