gristlabs_grist-core/static
Leslie H 24ce54b586
Improve session ID security (#1059)
Follow-up of #994. This PR revises the session ID generation logic to improve security in the absence of a secure session secret. It also adds a section in the admin panel "security" section to nag system admins when GRIST_SESSION_SECRET is not set.

Following is an excerpt from internal conversation.

TL;DR: Grist's current implementation generates semi-secure session IDs and uses a publicly known default signing key to sign them when the environment variable GRIST_SESSION_SECRET is not set. This PR generates cryptographically secure session IDs to dismiss security concerns around an insecure signing key, and encourages system admins to configure their own signing key anyway.

> The session secret is required by expressjs/session to sign its session IDs. It's designed as an extra protection against session hijacking by randomly guessing session IDs and hitting a valid one. While it is easy to encourage users to set a distinct session secret, this is unnecessary if session IDs are generated in a cryptographically secure way. As of now Grist uses version 4 UUIDs as session IDs (see app/server/lib/gristSessions.ts - it uses shortUUID.generate which invokes uuid.v4 under the hood). These contain 122 bits of entropy, technically insufficient to be considered cryptographically secure. In practice, this is never considered a real vulnerability. To compare, RSA2048 is still very commonly used in web servers, yet it only has 112 bits of security (>=128 bits = "secure", rule of thumb in cryptography). But for peace of mind I propose using crypto.getRandomValues to generate real 128-bit random values. This should render session ID signing unnecessary and hence dismiss security concerns around an insecure signing key.
2024-06-25 15:43:25 -04:00
..
icons (core) Forms Improvements 2024-03-21 13:01:25 -04:00
img (core) In custom widgets show placeholder content until all columns are mapped 2024-02-23 13:33:23 +01:00
locales Improve session ID security (#1059) 2024-06-25 15:43:25 -04:00
ui-icons (core) Forms Improvements 2024-03-21 13:01:25 -04:00
apiconsole.html (core) Improve API Console and link from Document Settings. 2024-01-29 10:08:19 -05:00
app.html (core) Support GRIST_INCLUDE_CUSTOM_SCRIPT_URL for custom scripts, specifically for rapid prototyping support 2024-02-08 08:56:17 -05:00
custom-widget.html (core) Add Command API to Grist Plugin API 2023-09-27 13:25:18 -04:00
custom.css (core) Add config to include custom CSS 2022-05-12 11:13:52 -07:00
error.html (core) Support GRIST_INCLUDE_CUSTOM_SCRIPT_URL for custom scripts, specifically for rapid prototyping support 2024-02-08 08:56:17 -05:00
form.html (core) Refactor forms implementation 2024-02-22 08:44:25 -05:00
hljs.default.css (core) move client code to core 2020-10-02 13:24:21 -04:00
index.html Initial config with a few files that build on client and server side. 2020-05-20 00:50:46 -04:00
message.html (core) Google auth endpoint has not responded with auth code 2021-07-21 20:18:04 +02:00
mocha.css (core) bump mocha version to allow parallel tests; move more tests to core 2023-06-27 02:55:34 -04:00
mocha.js (core) bump mocha version to allow parallel tests; move more tests to core 2023-06-27 02:55:34 -04:00
swagger-ui-bundle.js (core) Improve API Console and link from Document Settings. 2024-01-29 10:08:19 -05:00
swagger-ui-dark.css (core) Add dark mode CSS for Swagger UI 2024-03-05 08:45:21 -05:00
swagger-ui.css (core) Improve API Console and link from Document Settings. 2024-01-29 10:08:19 -05:00
test.html (core) Update dependencies 2023-10-11 17:36:58 -04:00
testWebdriverJQuery.html (core) bump mocha version to allow parallel tests; move more tests to core 2023-06-27 02:55:34 -04:00