Closed chrisroode closed 4 months ago
After a little thinking today, I'd be willing to contribute a solution to this. I was able to get ironSession working, and I think the only thing that needs an update is the documentation. What are your thoughts?
(I'm writing this because your contributing guide mentions discussing an issue before forking and working.)
@chrisroode go for it, yep 👍 If you made it work and figured it out, let's update the doc.
I believe the id should always go up; you cannot reuse the ids.
Yeah, that's what I noticed. I'm making the following assumptions, and would love to run them by you just in case I'm inaccurate:
1) `passwords` is an object with number keys, and each value is a password string.
2) The program doesn't have any problem with missing lower numbers in the password object.
3) When saving a cookie, iron-session uses the highest number key.
So my workaround is to record two passwords (new and old) and also a count for what password iteration the program is on. I construct an object in the following way:
```js
// `new` is a reserved word in JavaScript, so the two passwords are held
// as oldPassword / newPassword here.
let password = {};
password[count] = oldPassword;
password[count + 1] = newPassword;
```
and the incrementing script performs the following logic:
```js
oldPassword = newPassword;
newPassword = generatePasswordFunction();
count += 1;
```
That seems to be working, and it has a theoretical limit of Number.MAX_SAFE_INTEGER, which won't be hit any time in the next universe with weekly password updates. Even if it did, the consequence of resetting back to 1 is forcing all users to log in again.
Okay, I made a pull request. I did not run tests since I only changed the .md file. Let me know if you need anything else!
Merged your PR, thanks a lot!
Hello, I am working on getting iron-session working with password rotation. I noticed that the specification for how to define passwords in the sessionOptions conflicts with itself between the API reference and the example usage. It seems like the example is correct while the API reference is incorrect.
Additionally, the documentation seems to lack specifics about how password rotation works. Specifically, I am unsure how to rename the ids of my passwords as time goes on. I am having to resort to trial and error to see if it is working.