hmac Verify and Sign should allow key to be of type string
#245
Conversation
dillonstreator
force-pushed
the
friendlier-hmac-sign
branch
from
40c1f23
to
b96a661
Compare
dillonstreator
force-pushed
the
friendlier-hmac-sign
branch
from
b96a661
to
bda6436
Compare
dillonstreator
changed the title
Verify and Sign should allow key to be of type string
|
I would definitely prefer this over #157, but for me it is still a little bit unclear why the need for the |
@oxisto It's purely for being friendlier to the caller. Without a breaking change, the hmac I don't think anyone is questioning whether or not the underlying Callers that were passing string to If strings were an uncommon datatype for storing keys, this PR and #157 probably wouldn't exist and I would fully understand the hesitation to introduce this conversion into this package. |
Sorry for being so opinionated here - well after all that is was the Go community is based on ;) I get the caller friendliness aspect, I still don't get how you even end up with a key as a My fear is a little bit that this makes it even "easier" going into a (in my opinion) wrong road of having a human readable string as a key like Other opinions? @mfridman @Waterdrips @ripienaar |
|
BTW this (my) view seems to be shared by other JWT libraries as well. See https://github.com/lestrrat-go/jwx/blob/9348cb779184bd6b63a2a0422dfdaf787db9c3bc/jwk/jwk.go#L35-L44. Only |
|
I'm loading the signing key from the environment and it's being stored as a string. This seems like a fairly common pattern that I've seen. Ah I hadn't reviewed what other libraries are doing but this gives me better perspective.
I don't think that if this library allowed strings as input it would somehow suggest callers should be hardcoding keys in source and/or exposing them. []byte may not be as easily readable as a plain string but it can still be converted to a string so is the idea security by obscurity? keyBytes := []byte{99, 104, 97, 110, 103, 101, 109, 101}
keyStr := "changeme"I'd be worried if I saw someone doing either of these in source ^ Also I appreciate differing opinions and the learning opportunities they present :) |
No, quite the contrary. The issue with string-based keys is that you are effectively limiting yourself to "human readable" characters in the string, because as you mentioned in the scenario are using that key in an environment variable and you have a hard time entering/storing "non-ASCII" characters on the console, so your key is probably something like What you "should" do is only use base64 encoded version of the key in the environment (as a string) and use
Even better of course would be to avoid symmetric based JWTs altogether and use something like ECDSA-based JWTs with a JSON Web Key Set to verify for your clients. |
|
@oxisto this is very informative. Thank you for taking the time to explain. I wonder if users that lack this knowledge would resort to continuing to use string keys to begin with after running into this type error (as I did). Effectively this change would just make it easier for users to continuing following bad practices even though they're probably still following them regardless. Do you think there is value in having this reasoning documented on this repo? Maybe even a reference in code next to the Sign/Verify methods? IMO it would be great if even one other person was able to have these same learnings.. Either way, I feel a lot less strongly about this library supporting the callers ability to follow a bad practice. |
Documenting this reasoning in the functions is a good idea. Would you be open to try to do that? |
VerifyandSignaccepts aninterface{}for the key. It's unexpected thatstringis not a valid input.