gristlabs_grist-core/app/common
Leslie H 24ce54b586
Improve session ID security (#1059)
Follow-up of #994. This PR revises the session ID generation logic to improve security in the absence of a secure session secret. It also adds a section in the admin panel "security" section to nag system admins when GRIST_SESSION_SECRET is not set.

Following is an excerpt from an internal conversation.

TL;DR: Grist's current implementation generates semi-secure session IDs and uses a publicly known default signing key to sign them when the environment variable GRIST_SESSION_SECRET is not set. This PR generates cryptographically secure session IDs to dismiss security concerns around an insecure signing key, and encourages system admins to configure their own signing key anyway.

> The session secret is required by expressjs/session to sign its session IDs. It's designed as an extra protection against session hijacking by randomly guessing session IDs and hitting a valid one. While it is easy to encourage users to set a distinct session secret, this is unnecessary if session IDs are generated in a cryptographically secure way. As of now Grist uses version 4 UUIDs as session IDs (see app/server/lib/gristSessions.ts - it uses shortUUID.generate which invokes uuid.v4 under the hood). These contain 122 bits of entropy, technically insufficient to be considered cryptographically secure. In practice, this is never considered a real vulnerability. To compare, RSA2048 is still very commonly used in web servers, yet it only has 112 bits of security (>=128 bits = "secure", rule of thumb in cryptography). But for peace of mind I propose using crypto.getRandomValues to generate real 128-bit random values. This should render session ID signing unnecessary and hence dismiss security concerns around an insecure signing key.
2024-06-25 15:43:25 -04:00
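The two points the commit message makes, as an added illustration that is not grist-core's code: a UUIDv4 has 6 fixed bits (hence 122 random bits) whereas 16 bytes from the CSPRNG give all 128, and a signature made with a publicly known default secret gives an attacker nothing to break, since they can sign any ID they guess. The example uses only Node's built-in `crypto` module; `sign`/`unsign` follow the `value.base64(HMAC-SHA256)` layout of the cookie-signature package that express-session relies on, and `DEFAULT_SECRET`, `newSessionId`, `uuidFixedFields`, `bitsAgainstGuessing` and `forgedCookieAccepted` are names invented here (the page does not quote Grist's actual default key or function names).

```typescript
// Added illustration, not grist-core's code. Uses only Node's built-in crypto module.
import { randomBytes, randomUUID, createHmac, timingSafeEqual } from 'crypto';

// A UUIDv4 (RFC 4122) is 128 bits, but 4 version bits and 2 variant bits are fixed,
// which is where the "122 bits of entropy" figure in the commit message comes from.
const UUID_V4_ENTROPY_BITS = 128 - 6;

// Hypothetical stand-in for a publicly known default signing key (the page does not
// quote Grist's real default value).
const DEFAULT_SECRET = 'default-session-secret';

/** Read the fixed fields out of a UUID string: the version nibble and the 2 variant bits. */
function uuidFixedFields(uuid: string): { version: number; variantBits: string } {
  const hex = uuid.replace(/-/g, '');
  const version = parseInt(hex[12], 16);               // first nibble of time_hi_and_version
  const variantByte = parseInt(hex.slice(16, 18), 16); // clock_seq_hi_and_reserved
  return { version, variantBits: (variantByte >> 6).toString(2).padStart(2, '0') };
}

/** Session ID with all 128 bits random (the generation the PR text proposes), hex-encoded. */
function newSessionId(): string {
  return randomBytes(16).toString('hex');
}

/** Margin against blind guessing: bits of ID entropy minus log2 of the number of live sessions. */
function bitsAgainstGuessing(entropyBits: number, liveSessions: number): number {
  return entropyBits - Math.log2(liveSessions);
}

/** Sign like cookie-signature (used by express-session): value + '.' + base64(HMAC-SHA256), no '=' padding. */
function sign(value: string, secret: string): string {
  const mac = createHmac('sha256', secret).update(value).digest('base64').replace(/=+$/, '');
  return `${value}.${mac}`;
}

/** Verify a signed value in constant time; returns the bare value, or null if the MAC is wrong. */
function unsign(signed: string, secret: string): string | null {
  const dot = signed.lastIndexOf('.');
  if (dot < 0) return null;
  const value = signed.slice(0, dot);
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(signed);
  return expected.length === actual.length && timingSafeEqual(expected, actual) ? value : null;
}

/**
 * Would the server accept a cookie an attacker built for a guessed session ID?
 * The attacker signs with the secret they believe the server uses; the server verifies
 * with its real one. When the server runs on a known default, the forgery always validates,
 * so the signature adds nothing beyond the ID's own unguessability.
 */
function forgedCookieAccepted(guessedId: string, serverSecret: string, attackerSecret: string): boolean {
  return unsign(sign(guessedId, attackerSecret), serverSecret) === guessedId;
}

// Demo: entropy comparison, then the forgery check with a default vs. a configured secret.
const uuid = randomUUID();
console.log(uuid, uuidFixedFields(uuid), `${UUID_V4_ENTROPY_BITS} random bits`);
console.log(newSessionId(), '128 random bits');
console.log('margin vs 1e6 live sessions, uuid v4:', bitsAgainstGuessing(UUID_V4_ENTROPY_BITS, 1e6).toFixed(1));
console.log('margin vs 1e6 live sessions, 128-bit:', bitsAgainstGuessing(128, 1e6).toFixed(1));
const guessed = newSessionId();
console.log('forgery accepted with default secret:', forgedCookieAccepted(guessed, DEFAULT_SECRET, DEFAULT_SECRET));
console.log('forgery accepted with configured secret:',
  forgedCookieAccepted(guessed, randomBytes(32).toString('hex'), DEFAULT_SECRET));
```

The check a practitioner wants from this is the last two lines: with a known default secret a forged cookie for any guessed ID validates, so the only thing standing between an attacker and a hijack is the ID's entropy; with a configured secret the forgery fails even if the ID were guessable. The PR's two changes (128 random bits, plus nagging admins to set GRIST_SESSION_SECRET) address each half of that.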
themes (core) Polish forms 2024-01-24 02:18:03 -08:00
ACLPermissions.ts (core) Trim unapplicable permissions bits for column rules, both at parse time, and in UI 2024-03-06 09:46:33 -05:00
ACLRuleCollection.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
ACLRulesReader.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
ActionBundle.ts REQUEST now supports POST (#588) 2023-07-30 15:13:43 -04:00
ActionDispatcher.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ActionGroup.ts (core) Add attachment and data size usage 2022-05-04 13:46:55 -07:00
ActionRouter.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ActionSummarizer.ts (core) Adds a UI panel for managing webhooks 2023-05-08 18:25:27 -04:00
ActionSummary.ts Correct spelling mistakes 2022-02-19 09:46:49 +00:00
ActiveDocAPI.ts (core) Adding UI for timing API 2024-05-22 14:56:53 +02:00
AlternateActions.ts (core) Adds a UI panel for managing webhooks 2023-05-08 18:25:27 -04:00
ApiError.ts (core) Refactor forms implementation 2024-02-22 08:44:25 -05:00
arrayToString.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
AssistancePrompts.ts (core) Add AI assistant usage banners 2023-08-30 16:00:04 -04:00
AsyncCreate.ts (core) add a python3 button 2021-09-16 10:06:04 -04:00
AsyncFlow.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
asyncIterators.ts (core) Add AzureExternalStorage 2022-05-09 21:44:57 +02:00
AttachmentColumns.ts (core) control the distribution of attachment metadata 2022-12-22 09:10:30 -05:00
BaseAPI.ts reconcile boot and admin pages further (#963) 2024-05-23 16:40:31 -04:00
BasketClientAPI.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
BigInt.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
BillingAPI.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
BinaryIndexedTree.js Correct spelling mistakes 2022-02-19 09:46:49 +00:00
BootProbe.ts Improve session ID security (#1059) 2024-06-25 15:43:25 -04:00
BrowserSettings.ts (core) Simple localization support and currency selector. 2021-08-26 13:36:49 -07:00
CircularArray.js (core) Moving client and common tests to core 2022-08-23 19:20:10 +02:00
ColumnFilterFunc.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
ColumnGetters.ts (core) Filter rows based on linked widgets when exporting view 2023-07-26 21:49:52 +02:00
CommTypes.ts (core) Adding UI for timing API 2024-05-22 14:56:53 +02:00
csvFormat.ts (core) Add our very own implementation of tokenfield (aka pillbox, tag list) 2021-05-03 17:16:24 -04:00
CustomWidget.ts allow bundled widgets to be hidden from dropdown, and nested (#714) 2023-10-30 21:13:21 -04:00
declarations.d.ts (core) Guess date format during type conversion 2022-02-21 22:39:47 +02:00
delay.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
DisposableWithEvents.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
DocActions.ts (core) use visibility information when sharing referenced columns with forms 2024-04-22 13:54:44 -04:00
DocData.ts (core) Adds a UI panel for managing webhooks 2023-05-08 18:25:27 -04:00
DocDataCache.ts (core) Adds a UI panel for managing webhooks 2023-05-08 18:25:27 -04:00
DocLimits.ts (core) Keep track of row counts per table 2022-08-03 08:13:33 -07:00
DocListAPI.ts (core) Support user variable in dropdown conditions 2024-06-04 06:56:55 -07:00
DocSnapshot.ts (core) Add AzureExternalStorage 2022-05-09 21:44:57 +02:00
DocumentSettings.ts (core) add a python3 button 2021-09-16 10:06:04 -04:00
DocUsage.ts (core) Keep track of row counts per table 2022-08-03 08:13:33 -07:00
DropdownCondition.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
emails.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
EncActionBundle.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ErrorWithCode.ts (core) give more detailed reasons for access denied when memos are present 2021-02-15 17:02:24 -05:00
Features-ti.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
Features.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
FilterState.ts (core) New date filter with a calendar view 2022-12-20 09:58:42 +01:00
Forms.ts (core) Refactor forms implementation 2024-02-22 08:44:25 -05:00
Formula.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
getCurrentTime.ts (core) Adds dots menu to access rules page item 2023-01-12 09:40:45 +01:00
GranularAccessClause.ts (core) Support user variable in dropdown conditions 2024-06-04 06:56:55 -07:00
GristServerAPI.ts (core) Remove a bunch of dead code 2021-07-01 18:38:21 +02:00
gristTypes.ts (core) Forms Improvements 2024-03-21 13:01:25 -04:00
gristUrls.ts (core) updates from grist-core 2024-05-23 13:27:59 -04:00
gutil.ts (core) New Grist Forms styling and field options 2024-04-11 08:17:42 -07:00
InactivityTimer.ts (core) Speed up and upgrade build. 2022-06-27 16:10:10 -04:00
Install.ts (core) Add Support Grist page and nudge 2023-07-04 17:36:59 -04:00
InstallAPI.ts reconcile boot and admin pages further (#963) 2024-05-23 16:40:31 -04:00
Interval.ts (core) Fix bugs with intervals 2022-08-25 12:38:36 -07:00
isHiddenTable.ts (core) Cursor in custom widgets 2023-08-29 09:19:52 +02:00
KeyedMutex.ts (core) fix sync to s3 when doc is marked as dirty but proves to be clean 2020-11-10 08:12:31 -05:00
KeyedOps.ts (core) limit retries of uploads to external store in tests 2022-06-06 16:19:41 -04:00
LocaleCodes.ts (core) Extending default locale list 2021-09-24 15:10:13 +02:00
Locales.ts Adding new flags for supported locales (#420) 2023-02-03 18:56:24 -05:00
LoginSessionAPI.ts (core) When reporting email in log metadata, use normalized email. 2024-02-15 10:49:01 -05:00
marshal.ts support other SQLite wrappers, and various hooks needed by grist-static (#516) 2023-05-23 15:17:28 -04:00
MemBuffer.js (core) move home server into core 2020-07-21 20:39:10 -04:00
NumberFormat.ts (core) Multi-column configuration 2022-10-17 09:51:19 +02:00
NumberParse.ts (core) Fix a bug with editing numbers in some locales. 2024-02-02 22:48:05 -05:00
orgNameUtils.ts Move phab docs to /documentation (#882) 2024-03-05 08:35:48 -05:00
parseDate.ts (core) Converting big number (9 digits or more) to date directly 2023-10-05 16:58:25 +02:00
plugin.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
PluginInstance.ts Correct spelling mistakes 2022-02-19 09:46:49 +00:00
PredicateFormula.ts (core) Support user variable in dropdown conditions 2024-06-04 06:56:55 -07:00
Prefs.ts (core) Remove forms popup 2024-04-12 16:10:44 -07:00
RecentItems.js (core) Moving client and common tests to core 2022-08-23 19:20:10 +02:00
RecordView.ts (core) Support user variable in dropdown conditions 2024-06-04 06:56:55 -07:00
RefCountMap.ts (core) Fix an insidious bug in RefCountMap, manifesting as JS errors some time after import. 2020-11-06 09:24:56 -05:00
RelativeDates.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
resetOrg.ts (core) Show usage banners in doc menu of free team sites 2022-05-26 15:01:35 -07:00
roles.ts (core) Add tip for "Add New" button 2023-01-16 16:50:42 -08:00
RowFilterFunc.ts (core) Filter rows based on linked widgets when exporting view 2023-07-26 21:49:52 +02:00
SandboxInfo.ts (core) add a sandbox check to admin panel, and start reconciling boot and admin pages 2024-04-29 20:52:39 -04:00
schema.ts Webhook trigger update by column (#832) 2024-04-12 16:04:37 -04:00
ShareAnnotator.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
ShareOptions.ts (core) add initial support for special shares 2024-01-04 05:57:38 -05:00
sharing.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
SortFunc.ts (core) Endpoint to report on the latest version of stable grist-core image 2024-04-09 17:03:49 +02:00
SortSpec.ts (core) Adding UI for timing API 2024-05-22 14:56:53 +02:00
StringUnion.ts (core) Allow configuring (mostly hiding) various little bits of UI 2022-05-27 14:32:05 +02:00
TableData.ts (core) Cursor in custom widgets 2023-08-29 09:19:52 +02:00
TabularDiff.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
tagManager.ts (core) Record new user sign-ups 2022-03-12 14:34:46 -08:00
tbind.ts (core) Configure more comprehensive eslint rules for Typescript 2021-04-26 18:54:55 -04:00
Telemetry.ts (core) Renaming installationId metadata for checkUpdateAPI telemetry endpoint. 2024-06-12 16:01:45 +02:00
TestState.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ThemePrefs-ti.ts (core) Polish forms 2024-01-24 02:18:03 -08:00
ThemePrefs.ts (core) Polish forms 2024-01-24 02:18:03 -08:00
Themes.ts (core) Add dark mode to user preferences 2022-09-05 19:17:32 -07:00
timeFormat.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
tpromisified.ts (core) Configure more comprehensive eslint rules for Typescript 2021-04-26 18:54:55 -04:00
Triggers-ti.ts Webhook trigger update by column (#832) 2024-04-12 16:04:37 -04:00
Triggers.ts Webhook trigger update by column (#832) 2024-04-12 16:04:37 -04:00
tsconfig.json (core) show package.json version when hovering on Grist icon in grist-core 2022-10-12 16:02:01 -04:00
tsvFormat.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
uploads.ts (core) Extending Google Drive integration scope 2021-10-01 10:47:12 +02:00
urlUtils.ts (core) remove metrics 2020-09-29 18:57:56 -04:00
User.ts (core) Support user variable in dropdown conditions 2024-06-04 06:56:55 -07:00
UserAPI.ts HomeDBManager refactoration: extract method related to Users management in its own module (#1049) 2024-06-18 10:57:06 -04:00
UserConfig.ts (core) Remove REPL code 2021-07-20 15:17:03 +02:00
ValueConverter.ts (core) Implement exported functions without relying on ActiveDoc.docData 2023-06-07 22:30:01 +02:00
ValueFormatter.ts (core) Fix imports into reference columns, and support two ways to import Numeric as a reference. 2023-05-02 10:28:14 -04:00
ValueGuesser.ts (core) Fix a bug with editing numbers in some locales. 2024-02-02 22:48:05 -05:00
ValueParser.ts (core) Fix imports into reference columns, and support two ways to import Numeric as a reference. 2023-05-02 10:28:14 -04:00
WidgetOptions.ts Export table schema (#459) 2023-03-16 17:37:24 -04:00
widgetTypes.ts (core) Forms improvements 2024-01-19 10:34:03 +01:00