Closed terencehonles closed 10 months ago
The added commit should address https://github.com/simonrob/email-oauth2-proxy/pull/198#discussion_r1359926540, but I left it as a separate commit in case the change should be backed out from this PR.
One thing that may not be obvious is that you can actually set the token_iteration in the config to a value larger than what the script provides. As is, as long as the original iterations value is either Cryptographer.ITERATIONS or Cryptographer.LEGACY_ITERATIONS then they will be tried as fallbacks and the value in the config would be re-written since it would be the primary fernet.
This could support a previous or future iterations value by allowing the Cryptographer to have a fallback_iterations/new_iterations passed to its constructor, and one could rotate the config manually, but even that could be moved to its own function to allow a user to easily force higher values and move between them. This change seems a bit further out of scope of this original PR, but shows some future opportunities for improvement.
I edited a few comments and removed an unnecessary ValueError check (if fallback is specified this doesn't happen). I think this is good to go?
This change moves the fernet creation to a helper method in order to make it easier to either encrypt or decrypt values in the config/cache file. The motivation for this change is to make it easier to debug issues or to re-use OAuth tokens obtained outside the proxy.
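The fallback behaviour discussed in this thread, as an added example that is not the project's code: a primary Fernet derived from the configured iteration count, with the built-in counts kept as decrypt-only fallbacks, and stored tokens re-encrypted under the primary. It assumes the third-party `cryptography` package; the function names, `extra_fallbacks`, and every iteration count, salt and secret are constructed for illustration.

```python
import base64
import hashlib

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Constructed values for this sketch, not the project's real constants.
ITERATIONS = 4_800
LEGACY_ITERATIONS = 1_200
SALT = b"constructed-salt"  # fixed only so the example is reproducible


def derive_fernet(password: str, iterations: int) -> Fernet:
    """PBKDF2-HMAC-SHA256 -> 32-byte key -> Fernet instance."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations, dklen=32)
    return Fernet(base64.urlsafe_b64encode(key))


def build_multifernet(password: str, configured: int, extra_fallbacks=()) -> MultiFernet:
    """Configured count is the primary (encrypting) key; known counts only decrypt."""
    counts = [configured]
    for n in (ITERATIONS, LEGACY_ITERATIONS, *extra_fallbacks):
        if n not in counts:
            counts.append(n)
    return MultiFernet([derive_fernet(password, n) for n in counts])


def load_and_upgrade(multi: MultiFernet, token: bytes):
    """Decrypt with whichever key fits, then re-encrypt under the primary key."""
    return multi.decrypt(token), multi.rotate(token)


def is_readable(multi: MultiFernet, token: bytes) -> bool:
    try:
        multi.decrypt(token)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    pw, secret = "constructed-password", b"constructed-refresh-token"
    legacy = derive_fernet(pw, LEGACY_ITERATIONS).encrypt(secret)
    multi = build_multifernet(pw, configured=9_600)  # above both constants
    plaintext, upgraded = load_and_upgrade(multi, legacy)
    print(plaintext, derive_fernet(pw, 9_600).decrypt(upgraded) == secret)
    odd = derive_fernet(pw, 2_000).encrypt(secret)  # count not in the list
    print(is_readable(multi, odd), is_readable(build_multifernet(pw, 9_600, (2_000,)), odd))
```

A token written under a count that is neither the configured value nor one of the built-in constants cannot be decrypted until that count is supplied as an extra fallback, which is the gap the constructor-argument idea above would close.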