tj / node-cookie-signature

cookie signing
MIT License

Key Rotation #38

Closed TLKG closed 3 years ago

TLKG commented 3 years ago

Do we support key rotation? That is

var cookie = require('cookie-signature');
var key = [keyForSetting, key1ForGetting, key2ForGetting, ...];

Also how to check if the cookie is tampered? Thank you

natevw commented 3 years ago

Do we support key rotation?

Support for key rotation is not designed into this library. The value returned by .sign() does not include any metadata regarding which secret was signed with, at least not obviously/intentionally.

how to check if the cookie is tampered?

unsign will return false if the cookie is tampered relative to the provided secret (key).

Putting these together, you could perhaps implement key rotation yourself: if the cookie cannot be unsigned with the keyForSetting you could try again with key1ForGetting etc. in your own loop. I do not know if this is a recommended practice or not; there certainly would be drawbacks to accepting cookies signed by not just new but also (potentially compromised? otherwise why were they rotated?) old keys.

natevw commented 3 years ago

[Closing this because I think I've answered all your questions but lmk if not…]

TLKG commented 3 years ago

Good answer, thank you and appreciate it!